m_freem detected a mbuf double-free : xl0 kernel panic (BACKTRACE now included)

Matt matt at xtaz.co.uk
Sun May 4 06:44:13 PDT 2003 

Matt said:
> Unfortunatly this machine does not have enough swap space to dump a panic
> and I also do not have a serial console so there is no debug information,
> but I am getting a 100% reproducable panic on a kernel built on sources
> cvsup'd either an hour ago or yesterday morning (I've tried both). Sources
> from friday are fine.

I have now configured the machine with more swap and got a panic again.
This time I have got the full panic and trace. This is 100% reproducable
on my system by booting a kernel dated approx from saturday morning
onwards (3rd of may) and i just run irssi. The moment it tries to connect
to IRC *boom*.

Trace follows:


Script started on Sun May  4 14:32:43 2003
[root at tao root]# gdb -k /usr/obj/usr/src/sys/TAO/kernel.debug
/var/crash/vmcore.0
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: from debugger
panic messages:
---
panic: m_freem detected a mbuf double-free
panic: from debugger
Uptime: 1m3s
Dumping 256 MB
ata0: resetting devices ..
done
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
---
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:238
238             dumping++;
(kgdb) where
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:238
#1  0xc019f1f3 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:370
#2  0xc019f53b in panic () at /usr/src/sys/kern/kern_shutdown.c:543
#3  0xc0128bc2 in db_panic () at /usr/src/sys/ddb/db_command.c:448
#4  0xc0128b42 in db_command (last_cmdp=0xc0331700, cmd_table=0x0,
aux_cmd_tablep=0xc032ca58,
    aux_cmd_tablep_end=0xc032ca5c) at /usr/src/sys/ddb/db_command.c:346
#5  0xc0128c56 in db_command_loop () at /usr/src/sys/ddb/db_command.c:470
#6  0xc012b9ea in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:72
#7  0xc02dbbd5 in kdb_trap (type=3, code=0, regs=0xcd313bfc)
    at /usr/src/sys/i386/i386/db_interface.c:170
#8  0xc02ecdbc in trap (frame=
      {tf_fs = 24, tf_es = -1058209776, tf_ds = -852426736, tf_edi = 256,
tf_esi = -1058258640, tf_ebp = -852411320, tf_isp = -852411352,
tf_ebx = 0, tf_edx = 0, tf_ecx = 32, tf_eax = 18, tf_trapno = 3,
tf_err = 0, tf_eip = -1070743948, tf_cs = 8, tf_eflags = 646, tf_esp
= -1070430627, tf_ss = -1070520242})
    at /usr/src/sys/i386/i386/trap.c:593
#9  0xc02dd528 in calltrap () at {standard input}:96
#10 0xc019f4db in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:527
#11 0xc01baec9 in m_freem (mb=0xc0edc000) at
/usr/src/sys/kern/subr_mbuf.c:1441
#12 0xc027909e in xl_txeof_90xB (sc=0xc25a2000) at
/usr/src/sys/pci/if_xl.c:2212
#13 0xc02793fd in xl_intr (arg=0xc25a2000) at /usr/src/sys/pci/if_xl.c:2329
#14 0xc018bfb2 in ithread_loop (arg=0xc259d000) at
/usr/src/sys/kern/kern_intr.c:537
#15 0xc018afa0 in fork_exit (callout=0xc2550180, arg=0x0, frame=0x0)
    at /usr/src/sys/kern/kern_fork.c:792
(kgdb) bt full
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:238
No locals.
#1  0xc019f1f3 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:370
No locals.
#2  0xc019f53b in panic () at /usr/src/sys/kern/kern_shutdown.c:543
        td = (struct thread *) 0xc0ec4130
        bootopt = 260
        newpanic = 0
        buf = "from debugger\0ed a mbuf double-free", '\0' <repeats 220
times>
#3  0xc0128bc2 in db_panic () at /usr/src/sys/ddb/db_command.c:448
No locals.
#4  0xc0128b42 in db_command (last_cmdp=0xc0331700, cmd_table=0x0,
aux_cmd_tablep=0xc032ca58,
    aux_cmd_tablep_end=0xc032ca5c) at /usr/src/sys/ddb/db_command.c:346
        cmd = (struct command *) 0xc02fdba0
        t = 0
        modif =
"\0p5À\b¹:ÀÀ:1Í\r\0\0\0\200¤9À\r\0\0\0\001\0\0\0à:1Í\026#-À
\2139À\aK\0
\0¥9À`\0039À\200p5Àx\0\0\0\200p5À\b¹:À\004;1Ía¨\022ÀÂÉ0ÀP§\022À\0\0\0\0\020\0\0\0\b¹:À\200p5ÀÎ
\022À\200p5À8h5Àx\0\0\0\003\0\0"
        addr = -1070743948
        count = -1
        have_addr = 0
        result = 0
#5  0xc0128c56 in db_command_loop () at /usr/src/sys/ddb/db_command.c:470
No locals.
#6  0xc012b9ea in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:72
        bkpt = 0
#7  0xc02dbbd5 in kdb_trap (type=3, code=0, regs=0xcd313bfc)
    at /usr/src/sys/i386/i386/db_interface.c:170
        ef = 70
        ddb_mode = 1
#8  0xc02ecdbc in trap (frame=
      {tf_fs = 24, tf_es = -1058209776, tf_ds = -852426736, tf_edi = 256,
tf_esi = -1058258640, tf_ebp = -852411320, tf_isp = -852411352,
tf_ebx = 0, tf_edx = 0, tf_ecx = 32, tf_eax = 18, tf_trapno = 3,
tf_err = 0, tf_eip = -1070743948, tf_cs = 8, tf_eflags = 646, tf_esp
= -1070430627, tf_ss = -1070520242})
    at /usr/src/sys/i386/i386/trap.c:593
        td = (struct thread *) 0xc0ec4130
        p = (struct proc *) 0xc0eca780
        sticks = 3236711392
        i = 0
        ucode = 0
        type = 3
        code = 0
        eva = 0
#9  0xc02dd528 in calltrap () at {standard input}:96
No locals.
#10 0xc019f4db in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:527
        td = (struct thread *) 0xc0ec4130
        bootopt = 256
        newpanic = 1
        buf = "from debugger\0ed a mbuf double-free", '\0' <repeats 220
times>
#11 0xc01baec9 in m_freem (mb=0xc0edc000) at
/usr/src/sys/kern/subr_mbuf.c:1441
        m = (struct mbuf *) 0xb2
        cchnum = -1058255904
        persist = 0
#12 0xc027909e in xl_txeof_90xB (sc=0xc25a2000) at
/usr/src/sys/pci/if_xl.c:2212
        cur_tx = (struct xl_chain *) 0xc25a3a6c
        ifp = (struct ifnet *) 0xc25a2000
---Type <return> to continue, or q <return> to quit---
        idx = 178
#13 0xc02793fd in xl_intr (arg=0xc25a2000) at /usr/src/sys/pci/if_xl.c:2329
        sc = (struct xl_softc *) 0xc25a2000
        ifp = (struct ifnet *) 0xc25a2000
        status = 57857
#14 0xc018bfb2 in ithread_loop (arg=0xc259d000) at
/usr/src/sys/kern/kern_intr.c:537
        ithd = (struct ithd *) 0xc259d000
        ih = (struct intrhand *) 0xc2550180
        td = (struct thread *) 0xc0ec4130
        p = (struct proc *) 0xc0eca780
#15 0xc018afa0 in fork_exit (callout=0xc2550180, arg=0x0, frame=0x0)
    at /usr/src/sys/kern/kern_fork.c:792
        td = (struct thread *) 0x0
        p = (struct proc *) 0xc259d000
(kgdb)
(kgdb) quit
[root at tao root]# exit

Script done on Sun May  4 14:33:35 2003


-- 
email: matt at xtaz.co.uk - web: http://xtaz.co.uk/
Hardware, n.: The parts of a computer system that can be kicked.

More information about the freebsd-current mailing list