panic: bfe_start: attempted use of a free mbuf! (RELENG_5)

Ulrich Spoerlein q at uni.de
Wed Sep 8 08:37:47 PDT 2004 

On Fri, 30.07.2004 at 08:34:40 +0200, Ulrich Spoerlein wrote:
> panic: bfe_start: attempted use of a free mbuf!
> KDB: enter: panic
> [thread 100019]
> Stopped at kdb_enter+0x2a: leave
> > trace
> kdb_enter()
> panic()
> bfe_start()
> bfe_intr()
> ithread_loop()
> fork_exit()
> fork_trampoline()
> --- trap 0x1, eip=0, esp=0xdb0c6d7c, ebp=0 ---

This just happend again on a recent RELENG_5. I get an _instant reboot_,
when trying to move a file from my gbde-home to NFS-mounted
/usr/ports/distfiles (this is symliked three times... don't ask :)

I then tried to copy it from / to the NFS server directly (without the
three level symlinks) and got this panic (and dump! yay!)

panic: bfe_start: attempted use of a free mbuf!
(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc048e14b in db_fncall (dummy1=-281335756, dummy2=0, dummy3=-281335856, 
    dummy4=0xef3b27cc "\036änÀ") at /usr/src/sys/ddb/db_command.c:531
#2  0xc048e4ec in db_command_loop () at /usr/src/sys/ddb/db_command.c:349
#3  0xc048fc71 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
#4  0xc057a355 in kdb_trap (type=3, code=0, tf=0xef3b28ec) at /usr/src/sys/kern/subr_kdb.c:418
#5  0xc06bb84f in trap (frame=
      {tf_fs = -281346024, tf_es = -1068040176, tf_ds = -1066336240, tf_edi = 256, tf_esi = -1066397045, tf_ebp = -281335508, tf_isp = -281335528, tf_ebx = -281335468, tf_edx = 0, tf_ecx = -1066286908, tf_eax = -1066295100, tf_trapno = 3, tf_err = 0, tf_eip = -1067999226, tf_cs = 8, tf_eflags = 646, tf_esp = -281335480, tf_ss = -1068083641}) at /usr/src/sys/i386/i386/trap.c:576
#6  0xc06b04ca in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#7  0xef3b0018 in ?? ()
#8  0xc0570010 in kern_timeout_callwheel_alloc (v=0x0) at /usr/src/sys/kern/kern_timeout.c:125
#9  0xc0565647 in panic (fmt=0xc070128b "%s: attempted use of a free mbuf!")
    at /usr/src/sys/kern/kern_shutdown.c:536
#10 0xc04b4681 in bfe_start (ifp=0xc2419000) at /usr/src/sys/dev/bfe/if_bfe.c:1400
#11 0xc05c0309 in ether_output_frame (ifp=0xc2419000, m=0xc3393500)
    at /usr/src/sys/net/if_ethersubr.c:377
#12 0xc05c0646 in ether_output (ifp=0xc2419000, m=0xc3393500, dst=0xef3b2a3c, rt0=0x0)
    at /usr/src/sys/net/if_ethersubr.c:330
#13 0xc05e3ef5 in ip_output (m=0xc3393500, opt=0xc3393500, ro=0xef3b2a38, flags=0, imo=0x0, 
    inp=0xc28c52d0) at /usr/src/sys/netinet/ip_output.c:824
#14 0xc05f203b in udp_send (so=0x0, flags=0, m=0x0, addr=0x0, control=0x0, td=0xc32be840)
    at /usr/src/sys/netinet/udp_usrreq.c:906
#15 0xc0595f8f in sosend (so=0xc28c3288, addr=0x0, uio=0x0, top=0xc3368200, control=0x0, flags=0, 
    td=0xc32be840) at /usr/src/sys/kern/uipc_socket.c:799
#16 0xc062b391 in nfs_send (so=0xc28c3288, nam=0xc252f7a0, top=0xc3368200, rep=0xc32a5a00)
    at pcpu.h:156
---Type <return> to continue, or q <return> to quit---
#17 0xc062bd7d in nfs_request (vp=0xc32e6420, mrest=0xc32a5a00, procnum=7, td=0x0, 
    cred=0xc2a5c800, mrp=0xef3b2c54, mdp=0xef3b2c58, dposp=0xef3b2c5c)
    at /usr/src/sys/nfsclient/nfs_socket.c:1002
#18 0xc063134f in nfs_writerpc (vp=0xc32e6420, uiop=0xef3b2ccc, cred=0xc2a5c800, 
    iomode=0xef3b2cbc, must_commit=0xef3b2cc0) at /usr/src/sys/nfsclient/nfs_vnops.c:1129
#19 0xc0628dd0 in nfs_doio (bp=0xd64b563c, cr=0xc2a5c800, td=0x0)
    at /usr/src/sys/nfsclient/nfs_bio.c:1452
#20 0xc062e533 in nfssvc_iod (instance=0xc07c6538) at /usr/src/sys/nfsclient/nfs_nfsiod.c:262
#21 0xc0554326 in fork_exit (callout=0xc062e3e4 <nfssvc_iod>, arg=0xc07c6538, frame=0xef3b2d48)
    at /usr/src/sys/kern/kern_fork.c:820
#22 0xc06b052c in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
(kgdb) f 10
#10 0xc04b4681 in bfe_start (ifp=0xc2419000) at /usr/src/sys/dev/bfe/if_bfe.c:1400
1400                    BPF_MTAP(ifp, m_head);
(kgdb) l
1395
1396                    /*
1397                     * If there's a BPF listener, bounce a copy of this frame
1398                     * to him.
1399                     */
1400                    BPF_MTAP(ifp, m_head);
1401            }
1402
1403            sc->bfe_tx_prod = idx;
1404            /* Transmit - twice due to apparent hardware bug */
(kgdb) p *ifp
$1 = {if_softc = 0xc2419000, if_link = {tqe_next = 0xc243482c, tqe_prev = 0xc07b6b24}, 
  if_xname = "bfe0", '\0' <repeats 11 times>, if_dname = 0xc22cd56c "bfe", if_dunit = 0, 
  if_addrhead = {tqh_first = 0xc2418200, tqh_last = 0xc28e1260}, if_klist = {kl_lock = 0xc078bea0, 
    kl_list = {slh_first = 0x0}}, if_pcount = 0, if_carp = 0x0, if_bpf = 0xc2431200, if_index = 1, 
  if_timer = 5, if_nvlans = 0, if_flags = 34883, if_capabilities = 8, if_capenable = 8, 
  if_linkmib = 0x0, if_linkmiblen = 0, if_data = {ifi_type = 6 '\006', ifi_physical = 0 '\0', 
    ifi_addrlen = 6 '\006', ifi_hdrlen = 18 '\022', ifi_link_state = 2 '\002', 
    ifi_recvquota = 0 '\0', ifi_xmitquota = 0 '\0', ifi_mtu = 1500, ifi_metric = 0, 
    ifi_baudrate = 100000000, ifi_ipackets = 640, ifi_ierrors = 0, ifi_opackets = 7145, 
    ifi_oerrors = 0, ifi_collisions = 0, ifi_ibytes = 128126, ifi_obytes = 10260512, 
    ifi_imcasts = 0, ifi_omcasts = 7, ifi_iqdrops = 0, ifi_noproto = 0, ifi_hwassist = 0, 
    ifi_unused = 0, ifi_lastchange = {tv_sec = 1094655632, tv_usec = 806107}}, if_multiaddrs = {
    tqh_first = 0xc2530860, tqh_last = 0xc28bd500}, if_amcount = 0, 
  if_output = 0xc05c0314 <ether_output>, if_input = 0xc05c0903 <ether_input>, 
  if_start = 0xc04b4278 <bfe_start>, if_ioctl = 0xc04b5076 <bfe_ioctl>, 
  if_watchdog = 0xc04b501a <bfe_watchdog>, if_init = 0xc04b4b90 <bfe_init>, 
  if_resolvemulti = 0xc05c0d98 <ether_resolvemulti>, if_snd = {ifq_head = 0x0, ifq_tail = 0x0, 
    ifq_len = 0, ifq_maxlen = 256, ifq_drops = 0, ifq_mtx = {mtx_object = {lo_class = 0xc075dc44, 
        lo_name = 0xc241900c "bfe0", lo_type = 0xc0722ed9 "if send queue", lo_flags = 196608, 
        lo_list = {tqe_next = 0xc241827c, tqe_prev = 0xc2419204}, lo_witness = 0xc0792498}, 
      mtx_lock = 4, mtx_recurse = 0}, ifq_drv_head = 0x0, ifq_drv_tail = 0x0, ifq_drv_len = 0, 
    ifq_drv_maxlen = 256, altq_type = 0, altq_flags = 1, altq_disc = 0x0, altq_ifp = 0xc2419000, 
    altq_enqueue = 0, altq_dequeue = 0, altq_request = 0, altq_clfier = 0x0, altq_classify = 0, 
    altq_tbr = 0x0, altq_cdnr = 0x0}, if_broadcastaddr = 0xc06e14a0 "ÿÿÿÿÿÿether_ipfw_chk", 
  lltables = 0x0, if_label = 0x0, if_prefixhead = {tqh_first = 0x0, tqh_last = 0xc2419154}, 
  if_afdata = {0x0 <repeats 28 times>, 0xc2534730, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 
  if_afdata_initialized = 1, if_afdata_mtx = {mtx_object = {lo_class = 0xc075dc44, 
      lo_name = 0xc0722e9d "if_afdata", lo_type = 0xc0722e9d "if_afdata", lo_flags = 196608, 
      lo_list = {tqe_next = 0xc24190e8, tqe_prev = 0xc241b35c}, lo_witness = 0xc07924c0}, 
---Type <return> to continue, or q <return> to quit---
    mtx_lock = 4, mtx_recurse = 0}, if_starttask = {ta_link = {stqe_next = 0x0}, ta_pending = 0, 
    ta_priority = 0, ta_func = 0xc05bf59c <if_start_deferred>, ta_context = 0xc2419000}}
(kgdb) p *m_head
$2 = {m_hdr = {mh_next = 0xc3393600, mh_nextpkt = 0x0, mh_data = 0xc3393532 "", mh_len = 34, 
    mh_flags = 43010, mh_type = 2}, M_dat = {MH = {MH_pkthdr = {rcvif = 0x0, len = 266, 
        header = 0x0, csum_flags = 0, csum_data = 0, tags = {slh_first = 0x0}}, MH_dat = {
        MH_ext = {ext_buf = 0x1000e800---Can't read userspace from dump, or kernel process---
(kgdb) up
#11 0xc05c0309 in ether_output_frame (ifp=0xc2419000, m=0xc3393500)
    at /usr/src/sys/net/if_ethersubr.c:377
377             IFQ_HANDOFF(ifp, m, error);
(kgdb) l
372
373             /*
374              * Queue message on interface, update output statistics if
375              * successful, and start output if interface not yet active.
376              */
377             IFQ_HANDOFF(ifp, m, error);
378             return (error);
379     }
380
381     #if defined(INET) || defined(INET6)

The system is running with giant-locked network stack, because of IPSec
FreeBSD 5.3-BETA3 #16: Tue Sep  7 16:23:16 CEST 2004
    root at igor.q.local:/usr/obj/usr/src/sys/IGOR
WARNING: WITNESS option enabled, expect reduced performance.
WARNING: debug.mpsafenet forced to 0 as ipsec requires Giant
WARNING: MPSAFE network stack disabled, expect reduced performance.


I will now try with a GENERIC-Kernel and see if that helps.

Ulrich Spoerlein
-- 
PGP Key ID: F0DB9F44				Get it while it's hot!
PGP Fingerprint: F1CE D062 0CA9 ADE3 349B  2FE8 980A C6B5 F0DB 9F44
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."	-- Benjamin Franklin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20040908/91c284f7/attachment.bin

More information about the freebsd-current mailing list