Panic in Freebsd 4.7 (m_copydata/tcp_output)

Fri Aug 6 12:55:28 PDT 2004

Hi, 
I had a freebsd 4-7 stable system panic while i was running low on mbufs. 

Can someone provide me with some background info so I can debug this some
more?
How would I get into the situation where the socket has no mbuf allocated to
it? 
Where does this allocation usually take place?
How/why did send acknowledge count be greater then the send next count? Is
-1 a valid offset?

Saw a few similar postings where m_copy data ran in to the same args from
tcp_output
http://www.google.ca/search?q=cache:s7uT8Qeei-0J:www.geocrawler.com/mail/msg
.php3%3Fmsg_id%3D657553+freebsd+tcp_output+sb_mb&hl=en
and
an old bug 
http://www.freebsd.org/cgi/query-pr.cgi?pr=1013

Any pointers to get me going on this would be appreciated. Thanks in
advance.

(kgdb) bt
#0  dumpsys ()
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/kern/kern_shutdown
.c:492
#1  0xc01c5978 in boot (howto=256)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/kern/kern_shutdown
.c:321
#2  0xc01c5ea1 in panic (fmt=0xc034945e "%s")
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/kern/kern_shutdown
.c:607
#3  0xc02ef324 in trap_fatal (frame=0xf2eca92c, eva=0)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/i386/i386/trap.c:9
92
#4  0xc02eef4d in trap_pfault (frame=0xf2eca92c, usermode=0, eva=12)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/i386/i386/trap.c:885
#5  0xc02ee9ef in trap (frame={tf_fs = -828506088, tf_es = -828506096,
      tf_ds = 116129808, tf_edi = 1, tf_esi = 0, tf_ebp = -219371144,
      tf_isp = -219371176, tf_ebx = -307373120, tf_edx = -1,
      tf_ecx = -334664960, tf_eax = -1, tf_trapno = 12, tf_err = 0,
      tf_eip = -1071748160, tf_cs = 8, tf_eflags = 66050, tf_esp =
-307373120,
      tf_ss = 12})
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/i386/i386/trap.c:484
#6  0xc01e6bc0 in m_copydata (m=0x0, off=-1, len=1,
    cp=0xc5b30a74 "~ñ\202,\200\205R\001òP\a÷;ªïIÅ+6«d\eh\17708.172.128.222
(<a h
ref=\"http://www.footprint.net\">Footprint
3.0/FPMCP</a>)\n</BODY></HTML>\n")
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/kern/uipc_mbuf.c:1002
#7  0xc022f0ce in tcp_output (tp=0xedaddbc0)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/netinet/tcp_output.c:
608
#8  0xc022e0bf in tcp_input (m=0xc5b30a00, off0=20, proto=6)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/netinet/tcp_input.c:2
252
#9  0xc02256bf in ip_input (m=0xc5b30a00)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/netinet/ip_input.c:88
1
#10 0xc0225747 in ipintr ()
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/netinet/ip_input.c:90
2
#11 0xc02dde61 in swi_net_next ()
#12 0xc0207100 in spec_write (ap=0x37)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/miscfs/specfs/spec
_vnops.c:283
#13 0xc0292d10 in ufsspec_write (ap=0xf2ecae70)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/ufs/ufs/ufs_vnops.
c:1873
#14 0xc0293465 in ufs_vnoperatespec (ap=0x0)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/ufs/ufs/ufs_vnops.
c:2440
#15 0xc0202996 in vn_write (fp=0xd7e676c0, uio=0xf2ecaedc, cred=0xd7a32880,
    flags=0, p=0xf2c43ee0) at vnode_if.h:363
#16 0xc01d767e in dofilewrite (p=0xf2c43ee0, fp=0xd7e676c0, fd=0, buf=0x0,
    nbyte=4075597532, offset=-942185962111238144, flags=0)
    at /d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/sys/file.h:162
#17 0xc01d751b in write (p=0xf2c43ee0, uap=0xf2ecaf80)
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/kern/sys_generic.c
:329
#18 0xc02ef67d in syscall2 (frame={tf_fs = -1068957649, tf_es = 47,
      tf_ds = 136314927, tf_edi = 1, tf_esi = 1747982016,
      tf_ebp = -1079200356, tf_isp = -219369516, tf_ebx = 1748019148,
      tf_edx = 136388608, tf_ecx = 1876638720, tf_eax = 4, tf_trapno = 22,
      tf_err = 2, tf_eip = 1747725928, tf_cs = 31, tf_eflags = 646,
      tf_esp = -1079200416, tf_ss = 47})
    at
/d3/builds/swbuild_swbuild_plt_proton5_FREEBSD/src/sys/i386/i386/trap.c:1
193
#19 0xc02d9d6b in Xint0x80_syscall ()
#20 0x682b8981 in ?? ()

(kgdb) p *tp
$7 = {t_segq = {lh_first = 0x0}, t_dupacks = 0, unused = 0x0,
  tt_rexmt = 0xedaddca4, tt_persist = 0xedaddcbc, tt_keep = 0xedaddcd4,
  tt_2msl = 0xedaddcec, tt_delack = 0xedaddd04, t_inpcb = 0xedaddb00,
  t_state = 4, t_flags = 33249, t_force = 0, snd_una = 1726825387,
  snd_max = 1726825387, snd_nxt = 1726825386, snd_up = 1726825386,
  snd_wl1 = 3607398008, snd_wl2 = 1726825387, iss = 1726825386,
  irs = 3607398007, rcv_nxt = 3607398008, rcv_adv = 3607455928,
  rcv_wnd = 57920, rcv_up = 3607398008, snd_wnd = 65535, snd_cwnd = 1448,
  snd_bwnd = 1073725440, snd_ssthresh = 2904, snd_bandwidth = 0,
  snd_recover = 1726825387, t_maxopd = 1460, t_rcvtime = 280063744,
  t_starttime = 280063744, t_rtttime = 0, t_rtseq = 1726825386,
  t_bw_rtttime = 280054231, t_bw_rtseq = 1726825386, t_rxtcur = 24464,
  t_maxseg = 1448, t_srtt = 255616, t_rttvar = 63904, t_rxtshift = 0,
  t_rttmin = 2500, t_rttbest = 319520, t_rttupdated = 1, max_sndwnd = 65535,
  t_softerror = 0, t_oobflags = 0 '\000', t_iobc = 0 '\000',
  snd_scale = 1 '\001', rcv_scale = 0 '\000', request_r_scale = 0 '\000',
  requested_s_scale = 1 '\001', ts_recent = 289118643,
  ts_recent_age = 280063744, last_ack_sent = 0, cc_send = 100631, cc_recv =
0,
  snd_cwnd_prev = 1073725440, snd_ssthresh_prev = 1073725440,
  t_badrxtwin = 280063257}
(kgdb)
(kgdb) p *inp
$8 = {inp_hash = {le_next = 0x0, le_prev = 0xcc28d9d4}, inp_list = {
    le_next = 0xedadd8e0, le_prev = 0xc0412480}, inp_flow = 0, inp_inc = {
    inc_flags = 0 '\000', inc_len = 0 '\000', inc_pad = 0, inc_ie = {
      ie_fport = 40861, ie_lport = 51976, ie_dependfaddr = {ie46_foreign = {
          ia46_pad32 = {0, 0, 0}, ia46_addr4 = {s_addr = 2120346432}},
        ie6_foreign = {__u6_addr = {
            __u6_addr8 = '\000' <repeats 12 times>, "@ëa~", __u6_addr16 =
{0,
              0, 0, 0, 0, 0, 60224, 32353}, __u6_addr32 = {0, 0, 0,
              2120346432}}}}, ie_dependladdr = {ie46_local = {ia46_pad32 =
{0,
            0, 0}, ia46_addr4 = {s_addr = 181044696}}, ie6_local = {
          __u6_addr = {__u6_addr8 = '\000' <repeats 12 times>, "O\205E\n",
            __u6_addr16 = {0, 0, 0, 0, 0, 0, 34264, 2762}, __u6_addr32 = {0,
              0, 0, 181044696}}}}}, inc_dependroute = {inc4_route = {
        ro_rt = 0xd7b63300, ro_dst = {sa_len = 16 '\020',
          sa_family = 2 '\002',
          sa_data = "\000\000@ëa~\000\000\000\000\000\000\000"}},
      inc6_route = {ro_rt = 0xd7b63300, ro_dst = {sin6_len = 16 '\020',
          sin6_family = 2 '\002', sin6_port = 0, sin6_flowinfo = 2120346432,
          sin6_addr = {__u6_addr = {__u6_addr8 = '\000' <repeats 15 times>,
              __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0,
0,
                0}}}, sin6_scope_id = 0}}}}, inp_ppcb = 0xedaddbc0 "",
  inp_primecb = 0x0, inp_pcbinfo = 0xc04125e0, inp_socket = 0xec0d6b00,
  inp_flags = 64, inp_sp = 0x0, inp_vflag = 1 '\001', inp_ip_ttl = 64 '@',
  inp_ip_p = 0 '\000', inp_depend4 = {inp4_ip_tos = 0 '\000',
    inp4_options = 0x0, inp4_moptions = 0x0}, inp_depend6 = {
    inp6_options = 0x0, inp6_outputopts = 0x0, inp6_moptions = 0x0,
    inp6_icmp6filt = 0x0, inp6_cksum = 0, inp6_ifindex = 0, inp6_hops = 0,
    inp6_hlim = 0 '\000'}, inp_portlist = {le_next = 0x0,
    le_prev = 0xcc40bad8}, inp_phd = 0xcc40bad0, inp_gencnt = 531468}
(kgdb)