kern/95288: panic in sys/kern/tty_subr.c putc()

Robert Watson rwatson at FreeBSD.org
Wed Apr 5 15:20:23 UTC 2006 


On Tue, 4 Apr 2006, Marcin Gryszkalis wrote:

> 	I got panic during ppp connection, the backtrace is:

You want to update to a slightly more recent RELENG_6 to catch the following 
change, which may help:

   revision 1.105.2.3
   date: 2006/04/02 11:10:38;  author: rwatson;  state: Exp;  lines: +1 -1
   Merge if_ppp.c:1.113 from HEAD to RELENG_6:

     Add IFF_NEEDSGIANT to kernel PPP support.  I have no idea why this wasn't
     here, but it should have been.

   Approved by:    re (hrs)

It looks like your RELENG_6 snapshot is about a week before this change went 
in.

Robert N M Watson

>
> #0  doadump () at pcpu.h:165
> #1  0xc04ff027 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:402
> #2  0xc04ff369 in panic (fmt=0xc06b308b "%s") at /usr/src/sys/kern/kern_shutdown.c:558
> #3  0xc06899bc in trap_fatal (frame=0xd43bda80, eva=0) at /usr/src/sys/i386/i386/trap.c:836
> #4  0xc0689692 in trap_pfault (frame=0xd43bda80, usermode=0, eva=6) at /usr/src/sys/i386/i386/trap.c:744
> #5  0xc068924f in trap (frame=
>      {tf_fs = -1017249784, tf_es = 40, tf_ds = 4915240, tf_edi = 209, tf_esi = -1019750344, tf_ebp = -734274864, tf_isp = -734274900, tf_ebx = 0, tf_edx = 2, tf_ecx = 5, tf_eax = -33, tf_trapno = 12, tf_err = 2, tf_eip = -1068239194, tf_cs = 32, tf_eflags = 590343, tf_esp = 0, tf_ss = -734274812}) at /usr/src/sys/i386/i386/trap.c:434
> #6  0xc067622a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #7  0xc053f6a6 in putc (chr=209, clistp=0xc337d838) at /usr/src/sys/kern/tty_subr.c:416
> #8  0xc05924cd in pppasyncstart (sc=0xc39c7400) at /usr/src/sys/net/ppp_tty.c:649
> #9  0xc058c64d in pppoutput (ifp=0xc33d2800, m0=0xc35b4a00, dst=0xd43bdb88, rtp=0xc3563528) at /usr/src/sys/net/if_ppp.c:961
> #10 0xc05b0907 in ip_output (m=0xc35b4a00, opt=0xc33d2800, ro=0xd43bdb84, flags=1, imo=0x0, inp=0x0) at /usr/src/sys/netinet/ip_output.c:777
> #11 0xc05afc00 in ip_forward (m=0xc35b4a00, srcrt=0) at /usr/src/sys/netinet/ip_input.c:1907
> #12 0xc05ae32c in ip_input (m=0xc35b4a00) at /usr/src/sys/netinet/ip_input.c:689
> #13 0xc05917c9 in netisr_processqueue (ni=0xc0717ad8) at /usr/src/sys/net/netisr.c:236
> #14 0xc0591a2f in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:349
> #15 0xc04e4918 in ithread_execute_handlers (p=0xc32a7830, ie=0xc32e5280) at /usr/src/sys/kern/kern_intr.c:673
> #16 0xc04e4a86 in ithread_loop (arg=0xc3291720) at /usr/src/sys/kern/kern_intr.c:756
> #17 0xc04e346f in fork_exit (callout=0xc04e4a10 <ithread_loop>, arg=0xffffffdf, frame=0xffffffdf) at /usr/src/sys/kern/kern_fork.c:805
> #18 0xc067628c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:208
>
> 	The problem seems to be here:
>
> (kgdb) frame 7
> #7  0xc053f6a6 in putc (chr=209, clistp=0xc337d838) at /usr/src/sys/kern/tty_subr.c:416
> 416                     clrbit(cblockp->c_quote, clistp->c_cl - (char *)cblockp->c_info);
>
> (kgdb) p cblockp
> $1 = (struct cblock *) 0x0
>
>
> 	Additional info
>
> (kgdb) p chr
> $2 = 209
>
> (kgdb) p *clistp
> $6 = {c_cc = 41, c_cbcount = 0, c_cbmax = 19, c_cbreserved = 19, c_cf = 0x0, c_cl = 0x29 <Address 0x29 out of bounds>}
>
> (kgdb) frame 8
> #8  0xc05924cd in pppasyncstart (sc=0xc39c7400) at /usr/src/sys/net/ppp_tty.c:649
> 649                         if (putc(*q, &tp->t_outq)) {
>
> (kgdb) p *tp
> $10 = {t_rawq = {c_cc = 0, c_cbcount = 0, c_cbmax = 0, c_cbreserved = 0, c_cf = 0x0, c_cl = 0x0}, t_rawcc = 6812, t_canq = {c_cc = 0, c_cbcount = 0, c_cbmax = 1,
>    c_cbreserved = 1, c_cf = 0x0, c_cl = 0x0}, t_cancc = 14, t_outq = {c_cc = 41, c_cbcount = 0, c_cbmax = 19, c_cbreserved = 19, c_cf = 0x0,
>    c_cl = 0x29 <Address 0x29 out of bounds>}, t_outcc = 2394, t_line = 5, t_dev = 0xc3897500, t_mdev = 0xc3922100, t_devunit = 2, t_state = 131112, t_flags = 0,
>  t_timeout = 300000, t_pgrp = 0xc5935600, t_session = 0xc3a33880, t_sigio = 0x0, t_rsel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0xc51e2330}, si_thread = 0xc51e2300,
>    si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0xc04dc960 <knlist_mtx_lock>, kl_unlock = 0xc04dc9c0 <knlist_mtx_unlock>, kl_locked = 0xc04dca20 <knlist_mtx_locked>,
>      kl_lockarg = 0xc337d9ec}, si_flags = 0}, t_wsel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {slh_first = 0x0},
>      kl_lock = 0xc04dc960 <knlist_mtx_lock>, kl_unlock = 0xc04dc9c0 <knlist_mtx_unlock>, kl_locked = 0xc04dca20 <knlist_mtx_locked>, kl_lockarg = 0xc337d9ec}, si_flags = 0},
>  t_termios = {c_iflag = 5, c_oflag = 0, c_cflag = 215808, c_lflag = 0, c_cc = "\004\000ÿ\177\027\025\022\b\003\034\032\031\021\023\026\017\001\000\024ÿ", c_ispeed = 57600,
>    c_ospeed = 57600}, t_init_in = {c_iflag = 11010, c_oflag = 3, c_cflag = 19200, c_lflag = 1408,
>    c_cc = "\004ÿÿ\177\027\025\022\b\003\034\032\031\021\023\026\017\001\000\024ÿ", c_ispeed = 9600, c_ospeed = 9600}, t_init_out = {c_iflag = 11010, c_oflag = 3,
>    c_cflag = 19200, c_lflag = 1408, c_cc = "\004ÿÿ\177\027\025\022\b\003\034\032\031\021\023\026\017\001\000\024ÿ", c_ispeed = 9600, c_ospeed = 9600}, t_lock_in = {c_iflag = 0,
>    c_oflag = 0, c_cflag = 0, c_lflag = 0, c_cc = '\0' <repeats 19 times>, c_ispeed = 0, c_ospeed = 0}, t_lock_out = {c_iflag = 0, c_oflag = 0, c_cflag = 0, c_lflag = 0,
>    c_cc = '\0' <repeats 19 times>, c_ispeed = 0, c_ospeed = 0}, t_winsize = {ws_row = 0, ws_col = 0, ws_xpixel = 0, ws_ypixel = 0}, t_sc = 0xc37e0800, t_lsc = 0xc39c7400,
>  t_column = 39, t_rocount = 0, t_rocol = 0, t_ififosize = 512, t_ihiwat = 7680, t_ilowat = 6720, t_ispeedwat = 0, t_ohiwat = 2052, t_olowat = 256, t_ospeedwat = 0, t_gen = 29,
>  t_list = {tqe_next = 0xc3392400, tqe_prev = 0xc33b5ddc}, t_actout = 1, t_wopeners = 0, t_mtx = {mtx_object = {lo_class = 0xc06edda4, lo_name = 0xc06bf0b1 "tty",
>      lo_type = 0xc06bf0b1 "tty", lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0}, t_refcnt = 3,
>  t_hotchar = 126, t_dtr_wait = 3000, t_do_timestamp = 0, t_timestamp = {tv_sec = 0, tv_usec = 0}, t_pps = 0x0, t_oproc = 0xc048f070 <ucomstart>, t_stop = 0xc048f360 <ucomstop>,
>  t_param = 0xc048eed0 <ucomparam>, t_modem = 0xc048ebf0 <ucommodem>, t_break = 0xc048ecd0 <ucombreak>, t_ioctl = 0xc048eb60 <ucomioctl>, t_open = 0xc048e8a0 <ucomopen>,
>  t_purge = 0, t_close = 0xc048eae0 <ucomclose>, t_cioctl = 0}
>
>
>> How-To-Repeat:
> 	Happened just once (~100 ppp connections established so far on this box), bug may be related to USB-serial driver (as you can see above this modem is connected via ucom).
>
>> Fix:
>
>
>
>
>> Release-Note:
>> Audit-Trail:
>> Unformatted:
> _______________________________________________
> freebsd-bugs at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
> To unsubscribe, send any mail to "freebsd-bugs-unsubscribe at freebsd.org"
>

More information about the freebsd-bugs mailing list