kern/101763: [panic] sodealloc(): so_count 1
Robert Watson
rwatson at FreeBSD.org
Fri Aug 11 09:30:20 UTC 2006
The following reply was made to PR kern/101763; it has been noted by GNATS.
From: Robert Watson <rwatson at FreeBSD.org>
To: Gleb Kozyrev <gkozyrev at gmail.com>
Cc: bug-followup at FreeBSD.org, freebsd-current at FreeBSD.org
Subject: Re: kern/101763: [panic] sodealloc(): so_count 1
Date: Fri, 11 Aug 2006 10:29:01 +0100 (BST)
On Fri, 11 Aug 2006, Gleb Kozyrev wrote:
> Gleb Kozyrev wrote to "Robert Watson" <rwatson at FreeBSD.org> on Thu, 10 Aug 2006 19:35:12 +0300:
>
>>>> i386 7.0-CURRENT #0: Sun Aug 6 repeatedly panics when doing some default
>>>> periodic jobs at 3 AM.
>
> RW>> Could you file a PR for this, and forward me the PR receipt? I'd be
> RW>> happy to investigate this problem. I've seen one or two other reports
> RW>> of so_count 1, but not in a way that's reproduceable. The output of
> RW>> the following DDB commands would be most helpful:
>
> RW>> show pcpu
> RW>> show allpcpu
> RW>> alltrace
> RW>> show alllocks
>
> GK> Here you are: kern/101763
>
> I'm sorry for misleading you.
> You see, for some reasons I forgot that there's a little jail on
> that machine. ;)
> It is ipfw in jail that triggers the panic invoked from
> /etc/periodic/security/500.ipfwdenied
Try this minor tweak:
Index: uipc_socket.c
===================================================================
RCS file: /data/fbsd-cvs/ncvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.277
diff -u -r1.277 uipc_socket.c
--- uipc_socket.c 2 Aug 2006 00:45:27 -0000 1.277
+++ uipc_socket.c 11 Aug 2006 09:27:52 -0000
@@ -367,6 +367,9 @@
so->so_count = 1;
error = (*prp->pr_usrreqs->pru_attach)(so, proto, td);
if (error) {
+ KASSERT(so->so_count == 1, ("socreate: so_count %d",
+ so->so_count));
+ so->so_count = 0;
sodealloc(so);
return (error);
}
Looks like I made a logic error in my change to move to sodealloc() here: the
refcount is never reduced back from when it is initially set to 1, and
sodealloc() has a "no references" assertion (possibly that I added).
Robert N M Watson
Computer Laboratory
University of Cambridge
>
> Today the coredump was successfully saved. So if it still matters..
>
> =========Beginning of the citation==============
> (kgdb) where
> #0 doadump () at pcpu.h:166
> #1 0xc06a3ee0 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
> #2 0xc06a41f5 in panic (fmt=0xc092e717 "sodealloc(): so_count %d") at /usr/src/sys/kern/kern_shutdown.c:565
> #3 0xc06e45cc in sodealloc (so=0xc1a163e4) at /usr/src/sys/kern/uipc_socket.c:289
> #4 0xc06e4811 in socreate (dom=0, aso=0x0, type=3, proto=255, cred=0xc19f5180, td=0xc18ad510) at
> /usr/src/sys/kern/uipc_socket.c:370
> #5 0xc06e8985 in socket (td=0xc18ad510, uap=0xc853bd04) at /usr/src/sys/kern/uipc_syscalls.c:175
> #6 0xc08a0d7e in syscall (frame=
> {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077943668, tf_esi = 136331264, tf_ebp = -1077943800, tf_isp = -934036124,
> tf_ebx = 54, tf_edx = 0, tf_ecx = 0, tf_eax = 97, tf_trapno = 12, tf_err = 2, tf_eip = 672368711, tf_cs = 51, tf_eflags = 582,
> tf_esp = -1077943844, tf_ss = 59})
> at /usr/src/sys/i386/i386/trap.c:1006
> #7 0xc088bb3f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:191
> #8 0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) frame 3
> #3 0xc06e45cc in sodealloc (so=0xc1a163e4) at /usr/src/sys/kern/uipc_socket.c:289
> 289 KASSERT(so->so_count == 0, ("sodealloc(): so_count %d", so->so_count));
> (kgdb) print *so
> $1 = {so_count = 1, so_type = 3, so_options = 0, so_linger = 0, so_state = 0, so_qstate = 0, so_pcb = 0x0, so_proto = 0xc09dbd5c,
> so_head = 0x0,
> so_incomp = {tqh_first = 0x0, tqh_last = 0xc1a16400}, so_comp = {tqh_first = 0x0, tqh_last = 0xc1a16408}, so_list = {tqe_next =
> 0x0, tqe_prev = 0x0},
> so_qlen = 0, so_incqlen = 0, so_qlimit = 0, so_timeo = 0, so_error = 0, so_sigio = 0x0, so_oobmark = 0, so_aiojobq = {tqh_first =
> 0x0,
> tqh_last = 0xc1a1642c}, so_rcv = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list =
> {slh_first = 0x0},
> kl_lock = 0xc068a3f4 <knlist_mtx_lock>, kl_unlock = 0xc068a410 <knlist_mtx_unlock>, kl_locked = 0xc068a42c
> <knlist_mtx_locked>,
> kl_lockarg = 0xc1a16458}, si_flags = 0}, sb_mtx = {mtx_object = {lo_name = 0xc092b0f2 "so_rcv", lo_type = 0xc092b0f2
> "so_rcv", lo_flags = 16973824,
> lo_witness_data = {lod_list = {stqe_next = 0xc0a25fe8}, lod_witness = 0xc0a25fe8}}, mtx_lock = 4, mtx_recurse = 0}, sb_state
> = 0, sb_mb = 0x0,
> sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 0, sb_hiwat = 0, sb_mbcnt = 0, sb_mbmax = 0, sb_ctl = 0, sb_lowat = 0, sb_timeo =
> 0, sb_flags = 0},
> so_snd = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {slh_first = 0x0},
> kl_lock = 0xc068a3f4 <knlist_mtx_lock>, kl_unlock = 0xc068a410 <knlist_mtx_unlock>, kl_locked = 0xc068a42c
> <knlist_mtx_locked>,
> kl_lockarg = 0xc1a164c4}, si_flags = 0}, sb_mtx = {mtx_object = {lo_name = 0xc092b0eb "so_snd", lo_type = 0xc092b0eb
> "so_snd", lo_flags = 16973824,
> lo_witness_data = {lod_list = {stqe_next = 0xc0a26010}, lod_witness = 0xc0a26010}}, mtx_lock = 4, mtx_recurse = 0}, sb_state
> = 0, sb_mb = 0x0,
> sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 0, sb_hiwat = 0, sb_mbcnt = 0, sb_mbmax = 0, sb_ctl = 0, sb_lowat = 0, sb_timeo =
> 0, sb_flags = 0},
> so_upcall = 0, so_upcallarg = 0x0, so_cred = 0xc19f5180, so_label = 0x0, so_peerlabel = 0x0, so_gencnt = 830, so_emuldata = 0x0,
> so_accf = 0x0}
> (
> =========The end of the citation================
>
> --
> With best regards, Gleb Kozyrev.
>
>
More information about the freebsd-bugs
mailing list