panic: sbsndptr: sockbuf and mbuf clashing [was: Re: Kernel panics in tcp_twclose]

Julien Charbon jch at freebsd.org
Mon Sep 28 08:23:46 UTC 2015


 Hi Palle,

On 25/09/15 16:19, Palle Girgensohn wrote:
> [...]
> Secondly, is this error related? This is *not* VIMAGE, *not* jail.
> It is a binary installed GENERIC from freebsd-update. 10.1-RELEASE-p19. It
> just crashed today, and we did not get any core dump, but I found this
> core.txt from a crash in August that I was not aware of (I was on
> holiday then... :)
> 
> Since it is installed binary, I have no kernel.debug.
> 
> panic: sbsndptr: sockbuf 0xfffff80312126c68 and mbuf
> 0xfffff800b4a36800 clashing
> 
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "amd64-marcel-freebsd"...
> 
> Unread portion of the kernel message buffer:
> panic: sbsndptr: sockbuf 0xfffff80312126c68 and mbuf 0xfffff800b4a36800 clashing
> cpuid = 1
> KDB: stack backtrace:
> #0 0xffffffff80963000 at kdb_backtrace+0x60
> #1 0xffffffff80928125 at panic+0x155
> #2 0xffffffff8099c180 at sbdroprecord_locked+0
> #3 0xffffffff80ac8c9c at tcp_output+0xdbc
> #4 0xffffffff80ac6a95 at tcp_do_segment+0x3045
> #5 0xffffffff80ac2e04 at tcp_input+0xd04
> #6 0xffffffff80a54fc7 at ip_input+0x97
> #7 0xffffffff809f4f73 at swi_net+0x143
> #8 0xffffffff808faf4b at intr_event_execute_handlers+0xab
> #9 0xffffffff808fb396 at ithread_loop+0x96
> #10 0xffffffff808f8b6a at fork_exit+0x9a
> #11 0xffffffff80d0b67e at fork_trampoline+0xe
> Uptime: 21d0h54m53s
> Dumping 2005 out of 32709 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91%
> 
> #0  doadump (textdump=<value optimized out>) at pcpu.h:219
> 219	pcpu.h: No such file or directory.
> 	in pcpu.h
> (kgdb) #0  doadump (textdump=<value optimized out>) at pcpu.h:219
> #1  0xffffffff80927da2 in kern_reboot (howto=260)
>     at /usr/src/sys/kern/kern_shutdown.c:452
> #2  0xffffffff80928164 in panic (fmt=<value optimized out>)
>     at /usr/src/sys/kern/kern_shutdown.c:759
> #3  0xffffffff8099c180 in sbsndptr (sb=<value optimized out>, 
>     off=<value optimized out>, len=<value optimized out>, 
>     moff=<value optimized out>) at /usr/src/sys/kern/uipc_sockbuf.c:1011
> #4  0xffffffff80ac8c9c in tcp_output (tp=0xfffff80312ef5800)
>     at /usr/src/sys/netinet/tcp_output.c:870
> #5  0xffffffff80ac6a95 in tcp_do_segment (m=<value optimized out>, 
>     th=<value optimized out>, so=<value optimized out>, 
>     tp=<value optimized out>, drop_hdrlen=<value optimized out>, tlen=0, 
>     iptos=<value optimized out>, ti_locked=Cannot access memory at address 0x1
> )
>     at /usr/src/sys/netinet/tcp_input.c:3018
> #6  0xffffffff80ac2e04 in tcp_input (m=<value optimized out>, 
>     off0=<value optimized out>) at /usr/src/sys/netinet/tcp_input.c:1377
> #7  0xffffffff80a54fc7 in ip_input (m=0xfffff800b4516600)
>     at /usr/src/sys/netinet/ip_input.c:734
> #8  0xffffffff809f4f73 in swi_net (arg=0xffffffff81988880)
>     at /usr/src/sys/net/netisr.c:765
> #9  0xffffffff808faf4b in intr_event_execute_handlers (
>     p=<value optimized out>, ie=0xfffff800093ac600)
>     at /usr/src/sys/kern/kern_intr.c:1263
> #10 0xffffffff808fb396 in ithread_loop (arg=0xfffff80009388e40)
>     at /usr/src/sys/kern/kern_intr.c:1276
> #11 0xffffffff808f8b6a in fork_exit (
>     callout=0xffffffff808fb300 <ithread_loop>, arg=0xfffff80009388e40, 
>     frame=0xfffffe083c3e3ac0) at /usr/src/sys/kern/kern_fork.c:996
> #12 0xffffffff80d0b67e in fork_trampoline ()
>     at /usr/src/sys/amd64/amd64/exception.S:606
> #13 0x0000000000000000 in ?? ()
> Current language:  auto; currently minimal
> (kgdb) 

 It is unlikely to be related as:

 - It happens quite far away from inp/tcptw code
 - As inps are allocated in their own uma zone, double-freeing an inp
will corrupt only other inps

 Not completely impossible but unlikely.  That said you can add your own
information to this old (July 2010) but still relevant bug report:

[panic] 8.1-RELEASE/10.1-STABLE "panic: sbdrop" and "panic: sbsndptr:
sockbuf _ and mbuf _ clashing"
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=148807

 My 2 cents.

--
Julien
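The argument above rests on allocator isolation: objects of one type live in their own zone, so a double free of an inp can only damage that zone's free list, not the sockbuf/mbuf memory that sbsndptr panicked on. The following toy model, added here and not part of the thread or of FreeBSD's UMA, makes that concrete: two independent slab-style zones (constructed names "inpcb" and "mbuf"), a deliberately naive free() with no double-free check, and a bounded free-list walk that detects the resulting cycle in one zone while the other stays intact.

```c
/* Toy per-type zone allocator (constructed example, not FreeBSD UMA).
 * Shows that a double free corrupts only the zone it happened in. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ZONE_SLOTS 8
#define SLOT_SIZE  64

struct zone {
    const char *name;
    unsigned char slab[ZONE_SLOTS][SLOT_SIZE];
    void *freelist;   /* intrusive singly linked list threaded through free slots */
};

static void zone_init(struct zone *z, const char *name)
{
    z->name = name;
    z->freelist = NULL;
    memset(z->slab, 0, sizeof(z->slab));
    for (int i = ZONE_SLOTS - 1; i >= 0; i--) {   /* push slots so slot 0 is first */
        void *slot = z->slab[i];
        *(void **)slot = z->freelist;
        z->freelist = slot;
    }
}

static void *zone_alloc(struct zone *z)
{
    void *slot = z->freelist;
    if (slot == NULL)
        return NULL;
    z->freelist = *(void **)slot;
    return slot;
}

/* Naive free: no double-free detection, exactly the bug class under discussion. */
static void zone_free(struct zone *z, void *p)
{
    *(void **)p = z->freelist;
    z->freelist = p;
}

/* Bounded walk of the free list. Returns false if a pointer escapes the
 * zone's slab or a slot is reached twice (a cycle from a double free). */
static bool zone_freelist_ok(const struct zone *z)
{
    const unsigned char *base = &z->slab[0][0];
    const unsigned char *end = base + sizeof(z->slab);
    bool seen[ZONE_SLOTS] = { false };
    void *p = z->freelist;

    for (int steps = 0; p != NULL && steps <= ZONE_SLOTS; steps++) {
        const unsigned char *q = p;
        if (q < base || q >= end)
            return false;                       /* pointer outside this zone */
        size_t idx = (size_t)(q - base) / SLOT_SIZE;
        if (seen[idx])
            return false;                       /* same slot twice: cycle */
        seen[idx] = true;
        p = *(void **)p;
    }
    return p == NULL;
}

struct outcome {
    bool a_corrupt;   /* zone A free list has a cycle after the double free */
    bool b_corrupt;   /* zone B free list damaged? (expected: no) */
    bool a_aliased;   /* two allocations from A return the same slot */
    bool b_aliased;   /* two allocations from B return the same slot? (expected: no) */
};

/* Free one object of zone A twice, then inspect both zones. */
static struct outcome run_double_free_scenario(void)
{
    static struct zone za, zb;    /* static so slab addresses stay valid for callers */
    struct outcome o = { false, false, false, false };

    zone_init(&za, "inpcb");      /* constructed names, loosely after the thread */
    zone_init(&zb, "mbuf");

    void *a1 = zone_alloc(&za);
    void *a2 = zone_alloc(&za);
    void *b1 = zone_alloc(&zb);
    (void)a2; (void)b1;

    zone_free(&za, a1);
    zone_free(&za, a1);           /* the bug: second free of the same inp */

    o.a_corrupt = !zone_freelist_ok(&za);
    o.b_corrupt = !zone_freelist_ok(&zb);

    void *x = zone_alloc(&za);
    void *y = zone_alloc(&za);
    o.a_aliased = (x == y);       /* two live "inps" now share one slot */

    void *p = zone_alloc(&zb);
    void *q = zone_alloc(&zb);
    o.b_aliased = (p == q);       /* mbuf zone unaffected */
    return o;
}

int main(void)
{
    struct outcome o = run_double_free_scenario();
    printf("zone A corrupt=%d aliased=%d | zone B corrupt=%d aliased=%d\n",
           o.a_corrupt, o.a_aliased, o.b_corrupt, o.b_aliased);
    return 0;
}
```

The bounded free-list walk is the part worth keeping in mind: it is the same idea as an allocator's own consistency check (UMA under INVARIANTS does this far more thoroughly), and it is why a double free in one zone typically shows up as a panic about that zone's objects rather than as an unrelated sockbuf/mbuf inconsistency.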
