kern/101763: [panic] sodealloc(): so_count 1

Robert Watson rwatson at FreeBSD.org
Fri Aug 11 09:30:20 UTC 2006 

The following reply was made to PR kern/101763; it has been noted by GNATS.

From: Robert Watson <rwatson at FreeBSD.org>
To: Gleb Kozyrev <gkozyrev at gmail.com>
Cc: bug-followup at FreeBSD.org, freebsd-current at FreeBSD.org
Subject: Re: kern/101763: [panic] sodealloc(): so_count 1
Date: Fri, 11 Aug 2006 10:29:01 +0100 (BST)

 On Fri, 11 Aug 2006, Gleb Kozyrev wrote:
 
 > Gleb Kozyrev wrote to "Robert Watson" <rwatson at FreeBSD.org> on Thu, 10 Aug 2006 19:35:12 +0300:
 >
 >>>> i386 7.0-CURRENT #0: Sun Aug 6 repeatedly panics when doing some default
 >>>> periodic jobs at 3 AM.
 >
 > RW>> Could you file a PR for this, and forward me the PR receipt?  I'd be
 > RW>> happy to investigate this problem.  I've seen one or two other reports
 > RW>> of so_count 1, but not in a way that's reproduceable.  The output of
 > RW>> the following DDB commands would be most helpful:
 >
 > RW>>    show pcpu
 > RW>>    show allpcpu
 > RW>>    alltrace
 > RW>>    show  alllocks
 >
 > GK> Here you are: kern/101763
 >
 > I'm sorry for misleading you.
 > You see, for some reasons I forgot that there's a little jail on
 > that machine. ;)
 > It is ipfw in jail that triggers the panic invoked from
 > /etc/periodic/security/500.ipfwdenied
 
 Try this minor tweak:
 
 Index: uipc_socket.c
 ===================================================================
 RCS file: /data/fbsd-cvs/ncvs/src/sys/kern/uipc_socket.c,v
 retrieving revision 1.277
 diff -u -r1.277 uipc_socket.c
 --- uipc_socket.c	2 Aug 2006 00:45:27 -0000	1.277
 +++ uipc_socket.c	11 Aug 2006 09:27:52 -0000
 @@ -367,6 +367,9 @@
   	so->so_count = 1;
   	error = (*prp->pr_usrreqs->pru_attach)(so, proto, td);
   	if (error) {
 +		KASSERT(so->so_count == 1, ("socreate: so_count %d",
 +		    so->so_count));
 +		so->so_count = 0;
   		sodealloc(so);
   		return (error);
   	}
 
 Looks like I made a logic error in my change to move to sodealloc() here: the 
 refcount is never reduced back from when it is initially set to 1, and 
 sodealloc() has a "no references" assertion (possibly that I added).
 
 Robert N M Watson
 Computer Laboratory
 University of Cambridge
 
 >
 > Today the coredump was successfully saved. So if it still matters..
 >
 > =========Beginning of the citation==============
 > (kgdb) where
 > #0  doadump () at pcpu.h:166
 > #1  0xc06a3ee0 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 > #2  0xc06a41f5 in panic (fmt=0xc092e717 "sodealloc(): so_count %d") at /usr/src/sys/kern/kern_shutdown.c:565
 > #3  0xc06e45cc in sodealloc (so=0xc1a163e4) at /usr/src/sys/kern/uipc_socket.c:289
 > #4  0xc06e4811 in socreate (dom=0, aso=0x0, type=3, proto=255, cred=0xc19f5180, td=0xc18ad510) at
 > /usr/src/sys/kern/uipc_socket.c:370
 > #5  0xc06e8985 in socket (td=0xc18ad510, uap=0xc853bd04) at /usr/src/sys/kern/uipc_syscalls.c:175
 > #6  0xc08a0d7e in syscall (frame=
 >      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077943668, tf_esi = 136331264, tf_ebp = -1077943800, tf_isp = -934036124,
 > tf_ebx = 54, tf_edx = 0, tf_ecx = 0, tf_eax = 97, tf_trapno = 12, tf_err = 2, tf_eip = 672368711, tf_cs = 51, tf_eflags = 582,
 > tf_esp = -1077943844, tf_ss = 59})
 >    at /usr/src/sys/i386/i386/trap.c:1006
 > #7  0xc088bb3f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:191
 > #8  0x00000033 in ?? ()
 > Previous frame inner to this frame (corrupt stack?)
 > (kgdb) frame 3
 > #3  0xc06e45cc in sodealloc (so=0xc1a163e4) at /usr/src/sys/kern/uipc_socket.c:289
 > 289             KASSERT(so->so_count == 0, ("sodealloc(): so_count %d", so->so_count));
 > (kgdb) print *so
 > $1 = {so_count = 1, so_type = 3, so_options = 0, so_linger = 0, so_state = 0, so_qstate = 0, so_pcb = 0x0, so_proto = 0xc09dbd5c,
 > so_head = 0x0,
 >  so_incomp = {tqh_first = 0x0, tqh_last = 0xc1a16400}, so_comp = {tqh_first = 0x0, tqh_last = 0xc1a16408}, so_list = {tqe_next =
 > 0x0, tqe_prev = 0x0},
 >  so_qlen = 0, so_incqlen = 0, so_qlimit = 0, so_timeo = 0, so_error = 0, so_sigio = 0x0, so_oobmark = 0, so_aiojobq = {tqh_first =
 > 0x0,
 >    tqh_last = 0xc1a1642c}, so_rcv = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list =
 > {slh_first = 0x0},
 >        kl_lock = 0xc068a3f4 <knlist_mtx_lock>, kl_unlock = 0xc068a410 <knlist_mtx_unlock>, kl_locked = 0xc068a42c
 > <knlist_mtx_locked>,
 >        kl_lockarg = 0xc1a16458}, si_flags = 0}, sb_mtx = {mtx_object = {lo_name = 0xc092b0f2 "so_rcv", lo_type = 0xc092b0f2
 > "so_rcv", lo_flags = 16973824,
 >        lo_witness_data = {lod_list = {stqe_next = 0xc0a25fe8}, lod_witness = 0xc0a25fe8}}, mtx_lock = 4, mtx_recurse = 0}, sb_state
 > = 0, sb_mb = 0x0,
 >    sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 0, sb_hiwat = 0, sb_mbcnt = 0, sb_mbmax = 0, sb_ctl = 0, sb_lowat = 0, sb_timeo =
 > 0, sb_flags = 0},
 >  so_snd = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {slh_first = 0x0},
 >        kl_lock = 0xc068a3f4 <knlist_mtx_lock>, kl_unlock = 0xc068a410 <knlist_mtx_unlock>, kl_locked = 0xc068a42c
 > <knlist_mtx_locked>,
 >        kl_lockarg = 0xc1a164c4}, si_flags = 0}, sb_mtx = {mtx_object = {lo_name = 0xc092b0eb "so_snd", lo_type = 0xc092b0eb
 > "so_snd", lo_flags = 16973824,
 >        lo_witness_data = {lod_list = {stqe_next = 0xc0a26010}, lod_witness = 0xc0a26010}}, mtx_lock = 4, mtx_recurse = 0}, sb_state
 > = 0, sb_mb = 0x0,
 >    sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 0, sb_hiwat = 0, sb_mbcnt = 0, sb_mbmax = 0, sb_ctl = 0, sb_lowat = 0, sb_timeo =
 > 0, sb_flags = 0},
 >  so_upcall = 0, so_upcallarg = 0x0, so_cred = 0xc19f5180, so_label = 0x0, so_peerlabel = 0x0, so_gencnt = 830, so_emuldata = 0x0,
 > so_accf = 0x0}
 > (
 > =========The end of the citation================
 >
 > -- 
 > With best regards, Gleb Kozyrev.
 >
 >

More information about the freebsd-bugs mailing list