Bug #1143

panic: sf_buf_free: freeing free sf_buf

Added by pavalos over 5 years ago. Updated about 5 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:-

Description

Got this running -HEAD:

panic: sf_buf_free: freeing free sf_buf
mp_lock = 00000001; cpuid = 1
Trace beginning at frame 0xd73ccc6c
panic(d73ccc90,0,c039b5c0,0,d73ccc98) at panic+0x14d
panic(c03692d0,0,f7c469c0,d73cccac,c01e9abc) at panic+0x14d
sf_buf_free(c039b5c0,c03f59e8,f33f1700,d73cccc4,c01e2090) at
sf_buf_free+0x18
sf_buf_mfree(f7c469c0,f33f1700,c03f59e8,da55b9c0,d73cccd8) at
sf_buf_mfree+0x7d
m_free(f33f1700,17,ed4a79d4,d73ccd14,c0180c57) at m_free+0x1e8
m_freem(f6e0f000,fa83a4,da678000,15,18) at m_freem+0x2a
em_txeof(c03f59e8,da55b9c0,d38800d0,d73ccd54,c01abad8) at em_txeof+0x14e
em_poll(da55b9c0,0,5,0,5) at em_poll+0xe3
netisr_poll(d388035c) at netisr_poll+0x1e4
netmsg_service(d388035c,1,0,ff8083a4,ff808000) at netmsg_service+0x32
netmsg_service_loop(c03f67a8,0,0,0,0) at netmsg_service_loop+0x18
lwkt_exit() at lwkt_exit
boot() called on cpu#1
Uptime: 1d2h5m12s

dumping to dev #da/0x20001, blockno 378927

(kgdb) bt
#0 dumpsys () at ./machine/thread.h:83
#1 0xc01b3799 in boot (howto=260) at
/usr/src/sys/kern/kern_shutdown.c:375
#2 0xc01b3a5c in panic (fmt=0xc03692d0 "sf_buf_free: freeing free
sf_buf") at /usr/src/sys/kern/kern_shutdown.c:800
#3 0xc01b7506 in sf_buf_free (sf=0xc039b5c0) at
/usr/src/sys/kern/kern_sfbuf.c:228
#4 0xc01e9abc in sf_buf_mfree (arg=0xf7c469c0) at
/usr/src/sys/kern/uipc_syscalls.c:1384
#5 0xc01e2090 in m_free (m=0xf33f1700) at
/usr/src/sys/kern/uipc_mbuf.c:979
#6 0xc01e23bc in m_freem (m=0xf33f1700) at
/usr/src/sys/kern/uipc_mbuf.c:1009
#7 0xc0180c57 in em_txeof (adapter=0xda55b9c0) at
/usr/src/sys/dev/netif/em/if_em.c:2650
#8 0xc018206c in em_poll (ifp=0xda55b9c0, cmd=POLL_ONLY, count=5) at
/usr/src/sys/dev/netif/em/if_em.c:1182
#9 0xc01abad8 in netisr_poll (msg=0xd388035c) at
/usr/src/sys/kern/kern_poll.c:647
#10 0xc0232918 in netmsg_service (msg=0xd388035c, mpsafe_mode=1,
mplocked=0) at /usr/src/sys/net/netisr.c:279
#11 0xc0232d04 in netmsg_service_loop (arg=0xc03f67a8) at
/usr/src/sys/net/netisr.c:333
#12 0xc01bab6a in lwkt_deschedule_self (td=Cannot access memory at
address 0x8
) at /usr/src/sys/kern/lwkt_thread.c:228
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

These sysctl's were set:
net.netisr.mpsafe_thread=1
net.inet.tcp.mpsafe_thread=1
net.inet.udp.mpsafe_thread=1

Core is being uploaded to leaf right now, but it's going to take an hour
or so. Once it's there...leaf:~pavalos/crash/*.19

--Peter

History

#1 Updated by dillon over 5 years ago

:sf_buf_free(c039b5c0,c03f59e8,f33f1700,d73cccc4,c01e2090) at
:sf_buf_free+0x18
:sf_buf_mfree(f7c469c0,f33f1700,c03f59e8,da55b9c0,d73cccd8) at
:sf_buf_mfree+0x7d
:m_free(f33f1700,17,ed4a79d4,d73ccd14,c0180c57) at m_free+0x1e8
:m_freem(f6e0f000,fa83a4,da678000,15,18) at m_freem+0x2a
:em_txeof(c03f59e8,da55b9c0,d38800d0,d73ccd54,c01abad8) at em_txeof+0x14e
:em_poll(da55b9c0,0,5,0,5) at em_poll+0xe3
:netisr_poll(d388035c) at netisr_poll+0x1e4
:netmsg_service(d388035c,1,0,ff8083a4,ff808000) at netmsg_service+0x32
:netmsg_service_loop(c03f67a8,0,0,0,0) at netmsg_service_loop+0x18
:lwkt_exit() at lwkt_exit
:boot() called on cpu#1
:Uptime: 1d2h5m12s

Side note: For m_free() to be calling sf_buf_free() implies this
is the sendfile() code.

-Matt

#2 Updated by sepherosa over 5 years ago

Please nuke the old patch I sent to you on IRC and test following one:
http://leaf.dragonflybsd.org/~sephe/sendfile.diff1

Best Regards,
sephe

#3 Updated by dillon over 5 years ago

:Please nuke the old patch I sent to you on IRC and test following one:
:http://leaf.dragonflybsd.org/~sephe/sendfile.diff1
:
:Best Regards,
:sephe

FreeBSD has a cute atomic_fetchadd_int() function that can also be
used. It is in /archive/FreeBSD-current/src/sys/i386/include/atomic.h.

Instead of:

serialize_enter
subtract_int...
serialize_exit

You would do:

if (atomic_fetchadd_int(&sfm->mref_count, -1) == 1) {
... last ref went away ...
}

-Matt
Matthew Dillon
<>

#4 Updated by sepherosa over 5 years ago

On Mon, Oct 20, 2008 at 10:52 PM, Matthew Dillon
<> wrote:
>
> :Please nuke the old patch I sent to you on IRC and test following one:
> :http://leaf.dragonflybsd.org/~sephe/sendfile.diff1
> :
> :Best Regards,
> :sephe
>
> FreeBSD has a cute atomic_fetchadd_int() function that can also be
> used. It is in /archive/FreeBSD-current/src/sys/i386/include/atomic.h.

You had added it :)

Please test/review following patch:
http://leaf.dragonflybsd.org/~sephe/sendfile.diff2

Best Regards,
sephe

#5 Updated by sepherosa over 5 years ago

If no object comes, I will commit the above patch this week.

Best Regards,
sephe

#6 Updated by hasso about 5 years ago

Committed as 321e057fb4f4ee4ed2c9ed7da0c993ae3335be18

Also available in: Atom PDF