kern/126742: [panic] kernel panic when sending file via ng_ubt(4)

pluknet pluknet at gmail.com
Mon Aug 25 19:17:46 UTC 2008 

2008/8/25 pluknet <pluknet at gmail.com>:
> 2008/8/23 Alex <freebsd.alex at spamfoodie.com>:
>>  this should work. i simply replaced the lines with a single dot (".") in it with "DOT".
>
> You have a truncated mail maybe because of '.' treated as a special
> symbol that means "end of body" in SMTP.
>
>>  Unread portion of the kernel message buffer:
>>  sblastmbufchk: sb_mb 0xc91a5300 sb_mbtail 0 last 0xc91a5300
>>  packet tree:
>>        0xc91a5300
>>  panic: sblastmbufchk from /usr/src/sys/kern/uipc_sockbuf.c:794
>>  cpuid = 0
>>  Syncing disks, buffers remaining... 7171 7168 7168 7168 7168 7168 7168 7167 7169 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167 7167
>>  Giving up on 7167 buffers
>>  Uptime: 2d18h9m43s
>>  Physical memory: 2030 MB
>>  Dumping 231 MB: 216 200 184 168 152 136 120 104 88 72 56 40 24 8
>>  Dump complete
>>  panic: 5 vncache entries remaining
>>  cpuid = 0
>>  Uptime: 2d18h9m47s
>>  Physical memory: 2030 MB
>>  Dumping 231 MB: 216 200 184 168 152 136 120 104 88 72 56 40 24 8
>>
>>  #0  doadump () at pcpu.h:195
>>        in pcpu.h
>>  (kgdb) bt
>>  #0  doadump () at pcpu.h:195
>>  #1  0xc04daa4e in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
>>  #2  0xc04dac7c in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:572
>>  #3  0xc07d73e4 in pfs_vncache_unload () at /usr/src/sys/modules/pseudofs/../../fs/pseudofs/pseudofs_vncache.c:102
>>  #4  0xc07d6515 in pfs_modevent (mod=0xc54b8280, evt=2, arg=0x0) at /usr/src/sys/modules/pseudofs/../../fs/pseudofs/pseudofs.c:438
>>  #5  0xc04cd318 in module_shutdown (arg1=0x0, arg2=) at /usr/src/sys/kern/kern_module.c:105
>>  #6  0xc04daaef in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:421
>>  #7  0xc04dac7c in panic (fmt=) at /usr/src/sys/kern/kern_shutdown.c:572
>>  #8  0xc052d79b in sblastmbufchk (sb=0x0, file=0xc06838ad "/usr/src/sys/kern/uipc_sockbuf.c", line=794) at /usr/src/sys/kern/uipc_sockbuf.c:425
>>  #9  0xc052eed0 in sbcompress (sb=0xc8cb11f0, m=0x0, n=0xc91a5300) at /usr/src/sys/kern/uipc_sockbuf.c:794
>>  #10 0xc052eff0 in sbappendrecord_locked (sb=0xc8cb11f0, m0=0xc91a5300) at /usr/src/sys/kern/uipc_sockbuf.c:599
>>  #11 0xc052f041 in sbappendrecord (sb=0xc8cb11f0, m0=0xc91a5300) at /usr/src/sys/kern/uipc_sockbuf.c:610
>>  #12 0xc5a2f8fe in ng_btsocket_l2cap_input (context=0x0, pending=1) at /usr/src/sys/modules/netgraph/bluetooth/socket/../../../../netgraph/bluetooth/socket/ng_btsocket_l2cap.c:1458
>>  #13 0xc050cd1b in taskqueue_run (queue=0xc556b500) at /usr/src/sys/kern/subr_taskqueue.c:282
>>  #14 0xc050cf53 in taskqueue_swi_giant_run (dummy=0x0) at /usr/src/sys/kern/subr_taskqueue.c:336
>>  #15 0xc04be975 in ithread_loop (arg=0xc55d7160) at /usr/src/sys/kern/kern_intr.c:1088
>>  #16 0xc04bc258 in fork_exit (callout=0xc04be7b0 <ithread_loop>, arg=0xc55d7160, frame=0xe5b12d38) at /usr/src/sys/kern/kern_fork.c:781
>>  #17 0xc06348b0 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:205
>>  --- crash ends here ---
>>
>>  --- ARUNDEL begins here ---
>>  cpu            I686_CPU
>>  ident          ARUNDEL
>>  #maxusers      10
>>  makeoptions    DEBUG=-g
>>  #makeoptions   CONF_CFLAGS=-fno-builtin
>>  #options               MPTABLE_FORCE_HTT       # Enable HTT CPUs with the MP Table
>>  #options               CPU_SUSP_HLT
>>  #options               CPU_UPGRADE_HW_CACHE
>>  #options               CPU_FASTER_5X86_FPU
>>  options                ATA_STATIC_ID
>>
>>  #options               MSDOSFS
>>  #options               CD9660
>>  #options               USB_DEBUG
>>  #options               TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
>>  #options               HZ=100
>>
>>  #options               PREEMPTION
>>  #options               IPI_PREEMPTION
>>
>>  options                SCHED_4BSD              #4BSD scheduler
>>  #options               SCHED_ULE
>>  options        INET                    #InterNETworking
>>  options        FFS                     #Berkeley Fast Filesystem
>>  options        SOFTUPDATES             #Enable FFS soft updates support
>>  options        UFS_DIRHASH             #Improve performance on big directories
>>  options                COMPAT_43               #Compatible with BSD 4.3 [KEEP THIS!]
>>  options                COMPAT_43TTY            #Compatible with BSD 4.3 [KEEP THIS!]
>>  options                COMPAT_FREEBSD4         #Compatible with FreeBSD4
>>  options                COMPAT_FREEBSD5         #Compatible with FreeBSD5
>>  options                COMPAT_FREEBSD6         #Compatible with FreeBSD6
>>
>>  options                SC_HISTORY_SIZE=1000    #number of history buffer lines
>>  #options               KDB                     #Compile with kernel debugger related code
>>  #options               KDB_TRACE               #Print a stack trace of the current thread on the console for a panic.
>>  #options       KTRACE                  #ktrace(1) support
>>  #options               DDB
>>  options                INVARIANTS
>>  options                INVARIANT_SUPPORT
>>  options                SOCKBUF_DEBUG
>>  options                WITNESS
>>  options                WITNESS_SKIPSPIN
>>  options        SYSVSHM                 #SYSV-style shared memory
>>  options        SYSVMSG                 #SYSV-style message queues
>>  options        SYSVSEM                 #SYSV-style semaphores
>>  options        _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
>>  options        KBD_INSTALL_CDEV        #install a CDEV entry in /dev
>>  options                UKBD_DFLT_KEYMAP        #specify the built-in keymap
>>  makeoptions    UKBD_DFLT_KEYMAP="german.iso"
>>  #options               AUTO_EOI_1
>>  #options               AUTO_EOI_2
>>  #options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
>>  #options         STOP_NMI                # Stop CPUS using NMI instead of IPI
>>
>>
>>  options                SMP                     # Symmetric MultiProcessor Kernel
>>  device         apic                    # I/O APIC
>>
>>
>>  #devices
>>  device         eisa
>>  device         pci
>>  device         ata
>>  device         atadisk
>>  device         atapicd
>>  device         usb
>>  device         uhci
>>  device         ehci
>>  device         vga
>>  device         sc
>>  device         ukbd
>>  device         ulpt
>>  device         ath
>>  device         ath_hal
>>  device         ath_rate_sample
>>  device         wlan
>>  device         cpufreq
>>  device         coretemp
>>
>>  #pseudo devices
>>  device         loop
>>  device         ether
>>  device         pty
>>  --- ARUNDEL ends here ---
>
> Looks like it was triggered by the SOCKBUF_DEBUG kernel option.
> I will try to reproduce it this evening as I'm user of ng_ubt(4).
>

I did some debugging and found some fuzzy code in sbappendrecord_locked().

>>  #10 0xc052eff0 in sbappendrecord_locked (sb=0xc8cb11f0, m0=0xc91a5300) at /usr/src/sys/kern/uipc_sockbuf.c:599
sb->sb_mb and m0 both point to the same address 0xc91a5300.

-
    sbappendrecord_locked(struct sockbuf *sb, struct mbuf *m0)
    {
            struct mbuf *m;

            SOCKBUF_LOCK_ASSERT(sb);

            if (m0 == 0)
                    return;
            m = sb->sb_mb;
-
m also points to the same address 0xc91a5300 now (as sb->sb_mb and m0 do).

-
            if (m)
                    while (m->m_nextpkt)
                            m = m->m_nextpkt;
-
Does nothing because m->m_nextpkt is NULL in the first iteration.

-
            sballoc(sb, m0);
            SBLASTRECORDCHK(sb);
            SBLINKRECORD(sb, m0);
-
Does effectively nothing or non-relevant.

-
            if (m)
                    m->m_nextpkt = m0;
            else
                    sb->sb_mb = m0;
-
m and m->m_nextpkt both point to the same address 0xc91a5300 now.

-
            m = m0->m_next;
-
But hey! m0->m_next is NULL.

Eventually sbcompress(sb, m, m0) is called with m == NULL and it fails
in the SBLASTMBUFCHK check then.

wbr,
pluknet

More information about the freebsd-net mailing list