kern/95288: panic in sys/kern/tty_subr.c putc()

Marcin Gryszkalis mg at fork.pl
Mon Apr 3 22:40:15 UTC 2006 

>Number:         95288
>Category:       kern
>Synopsis:       panic in sys/kern/tty_subr.c putc()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 03 22:40:13 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Marcin Gryszkalis
>Release:        FreeBSD 6.1-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD imul.math.uni.lodz.pl 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #9: Fri Mar 24 09:41:54 CET 2006 root at imul.math.uni.lodz.pl:/usr/obj/usr/src/sys/imul i386


	
>Description:

	I got panic during ppp connection, the backtrace is:

#0  doadump () at pcpu.h:165
#1  0xc04ff027 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
#2  0xc04ff369 in panic (fmt=0xc06b308b "%s") at /usr/src/sys/kern/kern_shutdown.c:558
#3  0xc06899bc in trap_fatal (frame=0xd43bda80, eva=0) at /usr/src/sys/i386/i386/trap.c:836
#4  0xc0689692 in trap_pfault (frame=0xd43bda80, usermode=0, eva=6) at /usr/src/sys/i386/i386/trap.c:744
#5  0xc068924f in trap (frame=
      {tf_fs = -1017249784, tf_es = 40, tf_ds = 4915240, tf_edi = 209, tf_esi = -1019750344, tf_ebp = -734274864, tf_isp = -734274900, tf_ebx = 0, tf_edx = 2, tf_ecx = 5, tf_eax = -33, tf_trapno = 12, tf_err = 2, tf_eip = -1068239194, tf_cs = 32, tf_eflags = 590343, tf_esp = 0, tf_ss = -734274812}) at /usr/src/sys/i386/i386/trap.c:434
#6  0xc067622a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc053f6a6 in putc (chr=209, clistp=0xc337d838) at /usr/src/sys/kern/tty_subr.c:416
#8  0xc05924cd in pppasyncstart (sc=0xc39c7400) at /usr/src/sys/net/ppp_tty.c:649
#9  0xc058c64d in pppoutput (ifp=0xc33d2800, m0=0xc35b4a00, dst=0xd43bdb88, rtp=0xc3563528) at /usr/src/sys/net/if_ppp.c:961
#10 0xc05b0907 in ip_output (m=0xc35b4a00, opt=0xc33d2800, ro=0xd43bdb84, flags=1, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:777
#11 0xc05afc00 in ip_forward (m=0xc35b4a00, srcrt=0) at /usr/src/sys/netinet/ip_input.c:1907
#12 0xc05ae32c in ip_input (m=0xc35b4a00) at /usr/src/sys/netinet/ip_input.c:689
#13 0xc05917c9 in netisr_processqueue (ni=0xc0717ad8) at /usr/src/sys/net/netisr.c:236
#14 0xc0591a2f in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:349
#15 0xc04e4918 in ithread_execute_handlers (p=0xc32a7830, ie=0xc32e5280) at /usr/src/sys/kern/kern_intr.c:673
#16 0xc04e4a86 in ithread_loop (arg=0xc3291720) at /usr/src/sys/kern/kern_intr.c:756
#17 0xc04e346f in fork_exit (callout=0xc04e4a10 <ithread_loop>, arg=0xffffffdf, frame=0xffffffdf) at /usr/src/sys/kern/kern_fork.c:805
#18 0xc067628c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208

	The problem seems to be here:

(kgdb) frame 7
#7  0xc053f6a6 in putc (chr=209, clistp=0xc337d838) at /usr/src/sys/kern/tty_subr.c:416
416                     clrbit(cblockp->c_quote, clistp->c_cl - (char *)cblockp->c_info);

(kgdb) p cblockp
$1 = (struct cblock *) 0x0


	Additional info

(kgdb) p chr
$2 = 209

(kgdb) p *clistp
$6 = {c_cc = 41, c_cbcount = 0, c_cbmax = 19, c_cbreserved = 19, c_cf = 0x0, c_cl = 0x29 <Address 0x29 out of bounds>}

(kgdb) frame 8
#8  0xc05924cd in pppasyncstart (sc=0xc39c7400) at /usr/src/sys/net/ppp_tty.c:649
649                         if (putc(*q, &tp->t_outq)) {

(kgdb) p *tp
$10 = {t_rawq = {c_cc = 0, c_cbcount = 0, c_cbmax = 0, c_cbreserved = 0, c_cf = 0x0, c_cl = 0x0}, t_rawcc = 6812, t_canq = {c_cc = 0, c_cbcount = 0, c_cbmax = 1,
    c_cbreserved = 1, c_cf = 0x0, c_cl = 0x0}, t_cancc = 14, t_outq = {c_cc = 41, c_cbcount = 0, c_cbmax = 19, c_cbreserved = 19, c_cf = 0x0,
    c_cl = 0x29 <Address 0x29 out of bounds>}, t_outcc = 2394, t_line = 5, t_dev = 0xc3897500, t_mdev = 0xc3922100, t_devunit = 2, t_state = 131112, t_flags = 0,
  t_timeout = 300000, t_pgrp = 0xc5935600, t_session = 0xc3a33880, t_sigio = 0x0, t_rsel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0xc51e2330}, si_thread = 0xc51e2300,
    si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xc04dc960 <knlist_mtx_lock>, kl_unlock = 0xc04dc9c0 <knlist_mtx_unlock>, kl_locked = 0xc04dca20 <knlist_mtx_locked>,
      kl_lockarg = 0xc337d9ec}, si_flags = 0}, t_wsel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {slh_first = 0x0},
      kl_lock = 0xc04dc960 <knlist_mtx_lock>, kl_unlock = 0xc04dc9c0 <knlist_mtx_unlock>, kl_locked = 0xc04dca20 <knlist_mtx_locked>, kl_lockarg = 0xc337d9ec}, si_flags = 0},
  t_termios = {c_iflag = 5, c_oflag = 0, c_cflag = 215808, c_lflag = 0, c_cc = "\004\000ÿ\177\027\025\022\b\003\034\032\031\021\023\026\017\001\000\024ÿ", c_ispeed = 57600,
    c_ospeed = 57600}, t_init_in = {c_iflag = 11010, c_oflag = 3, c_cflag = 19200, c_lflag = 1408,
    c_cc = "\004ÿÿ\177\027\025\022\b\003\034\032\031\021\023\026\017\001\000\024ÿ", c_ispeed = 9600, c_ospeed = 9600}, t_init_out = {c_iflag = 11010, c_oflag = 3,
    c_cflag = 19200, c_lflag = 1408, c_cc = "\004ÿÿ\177\027\025\022\b\003\034\032\031\021\023\026\017\001\000\024ÿ", c_ispeed = 9600, c_ospeed = 9600}, t_lock_in = {c_iflag = 0,
    c_oflag = 0, c_cflag = 0, c_lflag = 0, c_cc = '\0' <repeats 19 times>, c_ispeed = 0, c_ospeed = 0}, t_lock_out = {c_iflag = 0, c_oflag = 0, c_cflag = 0, c_lflag = 0,
    c_cc = '\0' <repeats 19 times>, c_ispeed = 0, c_ospeed = 0}, t_winsize = {ws_row = 0, ws_col = 0, ws_xpixel = 0, ws_ypixel = 0}, t_sc = 0xc37e0800, t_lsc = 0xc39c7400,
  t_column = 39, t_rocount = 0, t_rocol = 0, t_ififosize = 512, t_ihiwat = 7680, t_ilowat = 6720, t_ispeedwat = 0, t_ohiwat = 2052, t_olowat = 256, t_ospeedwat = 0, t_gen = 29,
  t_list = {tqe_next = 0xc3392400, tqe_prev = 0xc33b5ddc}, t_actout = 1, t_wopeners = 0, t_mtx = {mtx_object = {lo_class = 0xc06edda4, lo_name = 0xc06bf0b1 "tty",
      lo_type = 0xc06bf0b1 "tty", lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, t_refcnt = 3,
  t_hotchar = 126, t_dtr_wait = 3000, t_do_timestamp = 0, t_timestamp = {tv_sec = 0, tv_usec = 0}, t_pps = 0x0, t_oproc = 0xc048f070 <ucomstart>, t_stop = 0xc048f360 <ucomstop>,
  t_param = 0xc048eed0 <ucomparam>, t_modem = 0xc048ebf0 <ucommodem>, t_break = 0xc048ecd0 <ucombreak>, t_ioctl = 0xc048eb60 <ucomioctl>, t_open = 0xc048e8a0 <ucomopen>,
  t_purge = 0, t_close = 0xc048eae0 <ucomclose>, t_cioctl = 0}

	
>How-To-Repeat:
	Happened just once (~100 ppp connections established so far on this box), bug may be related to USB-serial driver (as you can see above this modem is connected via ucom).

>Fix:

	


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list