mbuf double-free panic
Michael McGoldrick
michael at mcgoldrick.org
Fri May 2 13:07:33 PDT 2003
Not sure what tickled this one.
panic: m_free detected a mbuf double-free
debug session attached.
--
Michael McGoldrick: mmcgoldrick at linuxdriven.net
-------------- next part --------------
Script started on Fri May 2 18:57:32 2003
uriel# gdb -k vmcore.9 /usr/obj/usr/src/sys/i3�8���[K��[K��[K��[K��[K��[K��[K��[K��[K��[K��[Ksrc/�Ur���[K�R���[K��[Ksys/URIEL/�
Makefile isa_if.h opt_vpo.h
ac97.o isa_if.o opt_wavelan.h
ac97_if.c isa_pci.o opt_wi.h
ac97_if.h isahint.o opt_witness.h
ac97_if.o ithread.o opt_xbonehack.h
ac97_patch.o k6_mem.o opt_zero.h
acphy.o kbd.o orm.o
ad1816.o kern_acct.o p1003_1b.o
agp.o kern_acl.o pci.o
agp_ali.o kern_clock.o pci_bus.o
agp_amd.o kern_condvar.o pci_cfgreg.o
agp_i810.o kern_conf.o pci_if.c
agp_if.c kern_context.o pci_if.h
agp_if.h kern_descrip.o pci_if.o
agp_if.o kern_environment.o pci_pci.o
agp_intel.o kern_event.o pci_user.o
agp_sis.o kern_exec.o pcib_if.c
agp_via.o kern_exit.o pcib_if.h
aicasm* kern_fork.o pcib_if.o
aicasm.o kern_idle.o phys_pager.o
aicasm_gram.c kern_intr.o pmap.o
aicasm_gram.h kern_jail.o pnaphy.o
aicasm_gram.o kern_kthread.o pnp.o
aicasm_macro_gram.c kern_ktrace.o pnphy.o
aicasm_macro_gram.h kern_linker.o pnpparse.o
aicasm_macro_gram.o kern_lock.o posix4_mib.o
aicasm_macro_scan.c kern_lockf.o power_if.c
aicasm_macro_scan.o kern_mac.o power_if.h
aicasm_scan.c kern_malloc.o power_if.o
aicasm_scan.o kern_mib.o ppb_1284.o
aicasm_symbol.o kern_module.o ppb_base.o
als4000.o kern_mtxpool.o ppb_msq.o
amphy.o kern_mutex.o ppbconf.o
apm.o kern_ntptime.o ppbus_if.c
arc4random.o kern_physio.o ppbus_if.h
asc.h kern_proc.o ppbus_if.o
assym.s kern_prot.o ppc.o
ata-all.o kern_resource.o ppi.o
ata-chipset.o kern_sema.o ppp_tty.o
ata-disk.o kern_shutdown.o procfs.o
ata-dma.o kern_sig.o procfs_ctl.o
ata-isa.o kern_subr.o procfs_dbregs.o
ata-pci.o kern_switch.o procfs_fpregs.o
ata-raid.o kern_sx.o procfs_ioctl.o
atapi-all.o kern_synch.o procfs_map.o
atapi-cd.o kern_syscalls.o procfs_mem.o
atapi-fd.o kern_sysctl.o procfs_note.o
atapi-tape.o kern_tc.o procfs_regs.o
atkbd.o kern_thr.o procfs_rlimit.o
atkbd_isa.o kern_thread.o procfs_status.o
atkbdc.o kern_time.o procfs_type.o
atkbdc_isa.o kern_timeout.o pseudofs.o
atomic.o kern_umtx.o pseudofs_fileno.o
autoconf.o kern_uuid.o pseudofs_vncache.o
bcd.o kern_xxx.o pseudofs_vnops.o
bios.o kernel* psm.o
bioscall.o kernel.debug* qdivrem.o
bmtphy.o ksched.o qsort.o
bpf.o le.h qsphy.o
bpf_filter.o legacy.o radix.o
brgphy.o link_elf.o random.o
bsearch.o linker_if.c randomdev.o
buffer.o linker_if.h raw_cb.o
bus_if.c linker_if.o raw_ip.o
bus_if.h locore.o raw_ip6.o
bus_if.o lpt.o raw_usrreq.o
busdma_machdep.o lxtphy.o rdp.h
cam.o machdep.o rijndael-alg-fst.o
cam_periph.o machine@ rijndael-api-fst.o
cam_queue.o maestro.o rindex.o
cam_sim.o majors.c rlphy.o
cam_xpt.o majors.o route.o
card.h md.o route6.o
card_if.c md5c.o rtsock.o
card_if.h mem.o sb16.o
card_if.o meteor.h sb8.o
cd9660_bmap.o mii.o sbc.o
cd9660_lookup.o mii_physubr.o scanc.o
cd9660_node.o miibus_if.c sched_4bsd.o
cd9660_rrip.o miibus_if.h schistory.o
cd9660_util.o miibus_if.o scmouse.o
cd9660_vfsops.o miidevs.h scope6.o
cd9660_vnops.o mixer.o scsi_all.o
channel.o mixer_if.c scsi_cd.o
channel_if.c mixer_if.h scsi_da.o
channel_if.h mixer_if.o scsi_pass.o
channel_if.o mld6.o scsi_sa.o
clock.o mlphy.o scterm-dumb.o
cmi.o moddi3.o scterm-sc.o
config.c modules/ scterm.o
config.o msdosfs_conv.o scvgarndr.o
crc32.o msdosfs_denode.o scvidctl.o
critical.o msdosfs_fat.o scvtb.o
cs4281.o msdosfs_lookup.o sha2.o
csa.o msdosfs_vfsops.o sio.o
csapcm.o msdosfs_vnops.o sio_isa.o
ctx.h mss.o sio_pci.o
cx.h nd6.o skpc.o
cy.h nd6_nbr.o slcompress.o
db_access.o nd6_rtr.o sndbuf_dma.o
db_break.o neomagic.o sndstat.o
db_command.o net_osdep.o solo.o
db_disasm.o netisr.o sound.o
db_elf.o nexus.o spec_vnops.o
db_examine.o nfs_bio.o spigot.h
db_expr.o nfs_common.o splash.o
db_input.o nfs_diskless.o strcat.o
db_interface.o nfs_lock.o strcmp.o
db_kld.o nfs_nfsiod.o strcpy.o
db_lex.o nfs_node.o strdup.o
db_output.o nfs_serv.o strlcat.o
db_print.o nfs_socket.o strlcpy.o
db_ps.o nfs_srvcache.o strlen.o
db_run.o nfs_srvsock.o strncmp.o
db_sym.o nfs_srvsubs.o strncpy.o
db_sysctl.o nfs_subs.o strsep.o
db_trace.o nfs_syscalls.o strtol.o
db_trap.o nfs_vfsops.o strtoq.o
db_variables.o nfs_vnops.o strtoul.o
db_watch.o npx.o strtouq.o
db_write_cmd.o nsgphy.o strvalid.o
dcphy.o nsphy.o subr_autoconf.o
dead_vnops.o null.o subr_blist.o
default_pager.o ohci.o subr_bus.o
dest6.o ohci_pci.o subr_devstat.o
devfs_devs.o opt_aac.h subr_disk.o
devfs_rule.o opt_accept_filter_data.h subr_eventhandler.o
devfs_vfsops.o opt_accept_filter_http.h subr_hints.o
devfs_vnops.o opt_acpi.h subr_kobj.o
device_if.c opt_adaptive_mutexes.h subr_log.o
device_if.h opt_adw.h subr_mbuf.o
device_if.o opt_aic79xx.h subr_module.o
device_pager.o opt_aic7xxx.h subr_param.o
dgb.h opt_alq.h subr_pcpu.o
divdi3.o opt_asr.h subr_power.o
ds1.o opt_ata.h subr_prf.o
dsp.o opt_atalk.h subr_prof.o
dump_machdep.o opt_atkbd.h subr_rman.o
e1000phy.o opt_atm.h subr_sbuf.o
eisa_pci.o opt_auto_eoi.h subr_scanf.o
eisaconf.o opt_bdg.h subr_taskqueue.o
el.h opt_bktr.h subr_trap.o
elf_machdep.o opt_bootp.h subr_xxx.o
emu10k1.o opt_bpf.h support.o
env.c opt_bus.h swap_pager.o
env.o opt_cam.h swtch.o
es137x.o opt_cd.h sys_generic.o
es1888.o opt_clock.h sys_machdep.o
ess.o opt_comconsole.h sys_pipe.o
exception.o opt_compat.h sys_process.o
exphy.o opt_compat_oldisa.h sys_socket.o
fake.o opt_config.h syscons.o
fb.o opt_cpu.h syscons_isa.o
fd.o opt_cy_pci_fastintr.h sysmouse.o
feeder.o opt_ddb.h sysv_ipc.o
feeder_fmt.o opt_ddb_trace.h sysv_msg.o
feeder_if.c opt_ddb_unattended.h sysv_sem.o
feeder_if.h opt_debug_cluster.h sysv_shm.o
feeder_if.o opt_debug_lockf.h t4dwave.o
feeder_rate.o opt_debug_npx.h tcp_input.o
ffs_alloc.o opt_debug_si.h tcp_output.o
ffs_balloc.o opt_devfs.h tcp_subr.o
ffs_inode.o opt_dgb.h tcp_syncache.o
ffs_snapshot.o opt_directio.h tcp_timer.o
ffs_softdep.o opt_dontuse.h tcp_usrreq.o
ffs_softdep_stub.o opt_dpt.h tdkphy.o
ffs_subr.o opt_drm.h tlphy.o
ffs_tables.o opt_ed.h trap.o
ffs_vfsops.o opt_ef.h tsc.o
ffs_vnops.o opt_eisa.h tty.o
fifo_vnops.o opt_fb.h tty_compat.o
fixup_pci.o opt_fdc.h tty_conf.o
fm801.o opt_ffs.h tty_cons.o
fnmatch.o opt_ffs_broken_fixme.h tty_pty.o
frag6.o opt_geom.h tty_subr.o
g_bde.o opt_global.h tty_tty.o
g_bde_crypt.o opt_hifn.h uaudio.o
g_bde_lock.o opt_hw_wdog.h uaudio_pcm.o
g_bde_work.o opt_i4b.h ucmpdi2.o
genassym.o opt_i586_guprof.h udivdi3.o
geom_bsd.o opt_inet.h udp6_output.o
geom_bsd_enc.o opt_inet6.h udp6_usrreq.o
geom_ctl.o opt_init_path.h udp_usrreq.o
geom_dev.o opt_intpm.h ufs_acl.o
geom_disk.o opt_ip6fw.h ufs_bmap.o
geom_dump.o opt_ipdivert.h ufs_dirhash.o
geom_event.o opt_ipdn.h ufs_extattr.o
geom_io.o opt_ipfilter.h ufs_ihash.o
geom_kern.o opt_ipfw.h ufs_inode.o
geom_mbr.o opt_ipsec.h ufs_lookup.o
geom_mbr_enc.o opt_ipstealth.h ufs_quota.o
geom_slice.o opt_ipx.h ufs_vfsops.o
geom_subr.o opt_isa.h ufs_vnops.o
gsc.h opt_isp.h ugen.o
gusc.o opt_kbd.h uhci.o
hack.So* opt_kstack_max_pages.h uhci_pci.o
harvest.o opt_kstack_pages.h uhid.o
hash.o opt_ktr.h uhub.o
hid.o opt_ktrace.h uipc_accf.o
hints.c opt_libiconv.h uipc_domain.o
hints.o opt_libmchain.h uipc_jumbo.o
i386-gdbstub.o opt_lpt.h uipc_mbuf.o
i4bing.h opt_mac.h uipc_mbuf2.o
i4bipr.h opt_math_emulate.h uipc_proto.o
i4bisppp.h opt_maxmem.h uipc_socket.o
i4brbch.h opt_maxusers.h uipc_socket2.o
i4btel.h opt_mbuf_stress_test.h uipc_syscalls.o
i4btrc.h opt_mca.h uipc_usrreq.o
i686_mem.o opt_md.h ukbd.o
ich.o opt_meteor.h ukphy.o
icmp6.o opt_mrouting.h ukphy_subr.o
identcpu.o opt_msgbuf.h ulpt.o
if.o opt_natm.h uma_core.o
if_aue.o opt_ncp.h uma_dbg.o
if_cs.o opt_ncr.h umass.o
if_cs_isa.o opt_netgraph.h umoddi3.o
if_cue.o opt_netsmb.h ums.o
if_ether.o opt_nfs.h urio.o
if_ethersubr.o opt_nfsroot.h usb.o
if_faith.o opt_npx.h usb_ethersubr.o
if_gif.o opt_ntp.h usb_if.c
if_kue.o opt_panic.h usb_if.h
if_lnc.o opt_param.h usb_if.o
if_lnc_isa.o opt_pcfclock.h usb_quirks.o
if_lnc_pci.o opt_pcvt.h usb_subr.o
if_loop.o opt_pecoff.h usbdi.o
if_media.o opt_perfmon.h usbdi_util.o
if_mib.o opt_pfil_hooks.h uscanner.o
if_plip.o opt_plip.h vchan.o
if_ppp.o opt_pmap.h vcoda.h
if_rl.o opt_posix.h vers.c
if_sl.o opt_ppb_1284.h vers.o
if_tun.o opt_ppc.h version
if_xl.o opt_ppp.h vfs_bio.o
igmp.o opt_psm.h vfs_cache.o
ignore_pci.o opt_pt.h vfs_cluster.o
imgact_elf.o opt_puc.h vfs_default.o
imgact_shell.o opt_quota.h vfs_export.o
in.o opt_raid.h vfs_init.o
in6.o opt_random_ip_id.h vfs_lookup.o
in6_cksum.o opt_reset.h vfs_mount.o
in6_gif.o opt_rootdevname.h vfs_subr.o
in6_ifattach.o opt_sa.h vfs_syscalls.o
in6_pcb.o opt_sched.h vfs_vnops.o
in6_prefix.o opt_scsi.h vga.o
in6_proto.o opt_ses.h vga_isa.o
in6_rmx.o opt_show_busybufs.h via8233.o
in6_src.o opt_sio.h via82c686.o
in_cksum.o opt_slip.h vibes.o
in_gif.o opt_spigot.h vm86.o
in_pcb.o opt_splash.h vm_contig.o
in_proto.o opt_spx_hack.h vm_fault.o
in_rmx.o opt_suiddir.h vm_glue.o
index.o opt_svr4.h vm_init.o
inet_ntoa.o opt_swap.h vm_kern.o
init_main.o opt_swtch.h vm_machdep.o
init_sysent.o opt_sym.h vm_map.o
initcpu.o opt_syscons.h vm_meter.o
inphy.o opt_sysvipc.h vm_mmap.o
intr_machdep.o opt_tcp_input.h vm_object.o
ip6_forward.o opt_tcpdebug.h vm_page.o
ip6_input.o opt_tdfx.h vm_pageout.o
ip6_mroute.o opt_ti.h vm_pageq.o
ip6_output.o opt_trap.h vm_pager.o
ip_divert.o opt_tty.h vm_swap.o
ip_ecn.o opt_ubsec.h vm_unix.o
ip_encap.o opt_ufs.h vm_zeroidle.o
ip_flow.o opt_ukbd.h vnode_if.c
ip_icmp.o opt_usb.h vnode_if.h
ip_id.o opt_uvscom.h vnode_if.o
ip_input.o opt_vesa.h vnode_pager.o
ip_output.o opt_vfs_aio.h wt.h
isa.o opt_vga.h xmphy.o
isa_common.o opt_vinum.h yarrow.o
isa_dma.o opt_vm.h
isa_if.c opt_vmpage.h
uriel# gdb -k vmcore.9 /usr/obj/usr/src/sys/URIEL/kernel.debug
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"..."/usr/crash/vmcore.9": not in executable format: File format not recognized
No kernel exec file specified
(kgdb) uriel#
uriel# man script
Formatting page, please wait...Done.
�[?1h�=�[24;1H�[KSCRIPT(1) FreeBSD General Commands Manual SCRIPT(1)
�[1mNAME�[m�
�[1mscript�[m� - make typescript of terminal session
�[1mSYNOPSIS�[m�
�[1mscript�[m� [�[1m-a�[m�] [�[1m-k�[m�] [�[1m-q�[m�] [�[1m-t�[m� �[4mtime�[24m] [�[4mfile�[24m [command ...]]
�[1mDESCRIPTION�[m�
The �[1mscript�[m� utility makes a typescript of everything printed on your ter-
minal. It is useful for students who need a hardcopy record of an inter-
active session as proof of an assignment, as the typescript file can be
printed out later with lpr(1).
If the argument �[4mfile�[24m is given, �[1mscript�[m� saves all dialogue in �[4mfile�[24m. If no
file name is given, the typescript is saved in the file �[4mtypescript�[24m.
If the argument �[4mcommand�[24m �[4m...�[24m is given, �[1mscript�[m� will run the specified com-
mand with an optional argument vector instead of an interactive shell.
Options:
�[24;1H�[K�[7mbyte 983�[27m�[24;1H�[24;1H�[K
�[1m-a�[m� Append the output to �[4mfile�[24m or �[4mtypescript�[24m, retaining the prior
contents.
�[1m-k�[m� Log keys sent to program as well as output.
�[1m-q�[m� Run in quiet mode, omit the start and stop status messages.
�[1m-t�[m� �[4mtime�[24m Specify time interval between flushing script output file. A
value of 0 causes �[1mscript�[m� to flush for every character I/O event.
The default interval is 30 seconds.
The script ends when the forked shell (or command) exits (a �[4mcontrol-D�[24m to
exit the Bourne shell (sh(1)), and �[4mexit�[24m, �[4mlogout�[24m or �[4mcontrol-d�[24m (if
�[4mignoreeof�[24m is not set) for the C-shell, csh(1)).
Certain interactive commands, such as vi(1), create garbage in the type-
script file. The �[1mscript�[m� utility works best with commands that do not
manipulate the screen. The results are meant to emulate a hardcopy ter-
minal, not an addressable one.
�[1mENVIRONMENT�[m�
The following environment variable is utilized by �[1mscript�[m�:
�[24;1H�[K�[7mbyte 2132�[27m�[24;1H�[K�[?1l�>uriel# ^D��exit
Script done on Fri May 2 18:59:42 2003
Script started on Fri May 2 18:59:50 2003
uriel# gdb -k /usr/sr��[K��[Kobj/usr/srv��[Kc/sys/�URIEL/kerne�l.debug vm�core.9
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: ohci_add_done: addr 0x005b15c0 not found
panic messages:
---
panic: ohci_add_done: addr 0x005b15c0 not found
syncing disks, buffers remaining... 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407 1407
giving up on 1246 buffers
Uptime: 19m15s
Dumping 127 MB
ata1: resetting devices ..
done
16[CTRL-C to abort] 32[CTRL-C to abort] 48 64 80 96 112
---
Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/linux/linux.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/linux/linux.ko.debug
Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/acpi/acpi.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/acpi/acpi.ko.debug
Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/linprocfs/linprocfs.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/linprocfs/linprocfs.ko.debug
Reading symbols from /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/ipfw/ipfw.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/URIEL/modules/usr/src/sys/modules/ipfw/ipfw.ko.debug
Reading symbols from /boot/kernel/logo_saver.ko...done.
Loaded symbols for /boot/kernel/logo_saver.ko
Reading symbols from /boot/kernel/ng_ubt.ko...done.
Loaded symbols for /boot/kernel/ng_ubt.ko
Reading symbols from /boot/kernel/netgraph.ko...done.
Loaded symbols for /boot/kernel/netgraph.ko
Reading symbols from /boot/kernel/ng_bluetooth.ko...done.
Loaded symbols for /boot/kernel/ng_bluetooth.ko
Reading symbols from /boot/kernel/ng_hci.ko...done.
Loaded symbols for /boot/kernel/ng_hci.ko
Reading symbols from /boot/kernel/ng_l2cap.ko...done.
Loaded symbols for /boot/kernel/ng_l2cap.ko
---Type <return> to continue, or q <return> to quit---
Reading symbols from /boot/kernel/ng_btsocket.ko...done.
Loaded symbols for /boot/kernel/ng_btsocket.ko
Reading symbols from /boot/kernel/ng_socket.ko...done.
Loaded symbols for /boot/kernel/ng_socket.ko
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:238
238 dumping++;
(kgdb) bt
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:238
#1 0xc023aada in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:370
#2 0xc023ae2b in panic () at /usr/src/sys/kern/kern_shutdown.c:543
#3 0xc01cfd97 in ohci_add_done (sc=0xc2322000, done=5969344)
at /usr/src/sys/dev/usb/ohci.c:1305
#4 0xc01cfb09 in ohci_intr1 (sc=0xc2322000)
at /usr/src/sys/dev/usb/ohci.c:1200
#5 0xc01cf91e in ohci_intr (p=0xc2322000) at /usr/src/sys/dev/usb/ohci.c:1130
#6 0xc0227522 in ithread_loop (arg=0xc2335800)
at /usr/src/sys/kern/kern_intr.c:537
#7 0xc0226510 in fork_exit (callout=0xc2322000, arg=0x0, frame=0x0)
at /usr/src/sys/kern/kern_fork.c:793
(kgdb) up 3
#3 0xc01cfd97 in ohci_add_done (sc=0xc2322000, done=5969344)
at /usr/src/sys/dev/usb/ohci.c:1305
1305 panic("ohci_add_done: addr 0x%08lx not found\n", (u_long)done);
(kgdb) print done
$1 = 5969344
(kgdb) print done�����[4h*�[4l
---Can't read userspace from dump, or kernel process---
(kgdb) show locals
Undefined show command: "locals". Try "help show".
(kgdb) uriel# sysctl -a | grep usb
hw.usb.uaudio.debug: 0
hw.usb.ohci.debug: 0
hw.usb.ugen.debug: 0
hw.usb.uhci.debug: 0
hw.usb.uhci.loop: 0
hw.usb.uhid.debug: 0
hw.usb.uhub.debug: 0
hw.usb.ukbd.debug: 0
hw.usb.ulpt.debug: 0
hw.usb.umass.debug: 0
hw.usb.ums.debug: 0
hw.usb.urio.debug: 0
hw.usb.uscanner.debug: 0
hw.usb.debug: 0
uriel# ^D��exit
Script done on Fri May 2 19:04:04 2003
More information about the freebsd-current
mailing list