Bug #1834

Panic in tcp_input

Added by lentferj almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -

Description

My Autobuild/Bench VM panicked today w/ latest available master.

core.txt attached. If needed I can upload the core.

Jan

core.txt.3 (107 KB) lentferj, 09/12/2010 04:23 PM

History

#1 Updated by dillon almost 4 years ago

:My Autobuild/Bench VM panicked today w/ latest available master.
:
:core.txt attached. If needed I can upload the core.
:
:Jan

Definitely upload. It's a use-after-free issue but I can't figure out
where from the txt.

-Matt

#2 Updated by lentferj almost 4 years ago

Matthew Dillon wrote:
> Definitely upload. It's a use-after-free issue but I can't figure out
> where from the txt.

Got an assert panic now. I am currently uploading the files to leaf
/home/lentferj/crash, .4 files (and this time for real :-) ).

Jan

Unread portion of the kernel message buffer:
panic: assertion: (so->so_state & SS_ASSERTINPROG) == 0 in sofree
mp_lock = 00000000; cpuid = 0
Trace beginning at frame 0xd13c2bd8
panic(ffffffff) at panic+0x174
panic(c05b117b,c060ddd8,c0592049,d1636200,0) at panic+0x174
sofree(d1636200,cb84f3c0,cb84f3c0,d13c2c3c,c033e42e) at sofree+0x80
soclose(d1636200,7,cb84f3c0,cb84f3c0,d13c2c68) at soclose+0x1cf
soo_close(cb84f3c0,cb84f3c0,d10ec780,d12f41e4,d13c2c6c) at soo_close+0x53
fdrop(cb84f3c0) at fdrop+0xe5
closef(cb84f3c0,ce3f72d0,0,ce429988,d12f40e8) at closef+0x187
kern_close(9,d13c2d34,c056aa03,d13c2cf0,27d330) at kern_close+0x114
sys_close(d13c2cf0,27d330,0,c0675e28,286) at sys_close+0xe
syscall2(d13c2d40) at syscall2+0x2b0
Xint0x80_syscall() at Xint0x80_syscall+0x36
Debugger("panic")

CPU0 stopping CPUs: 0x00000002
stopped
panic: from debugger
mp_lock = 00000000; cpuid = 0
boot() called on cpu#0
Uptime: 2m53s
Physical memory: 759 MB
Dumping 120 MB: 105 89 73 57 41 25 9

Reading symbols from /boot/kernel/acpi.ko...done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/ahci.ko...done.
Loaded symbols for /boot/kernel/ahci.ko
Reading symbols from /boot/kernel/ehci.ko...done.
Loaded symbols for /boot/kernel/ehci.ko
_get_mycpu (di=0xc06e76c0) at ./machine/thread.h:83
83 __asm ("movl %%fs:globaldata,%0" : "=r" (gd) :
"m"(__mycpu__dummy));
(kgdb) #0 _get_mycpu (di=0xc06e76c0) at ./machine/thread.h:83
#1 md_dumpsys (di=0xc06e76c0)
at /usr/src/sys/platform/pc32/i386/dump_machdep.c:263
#2 0xc0311bc9 in dumpsys () at /usr/src/sys/kern/kern_shutdown.c:880
#3 0xc0312189 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:387
#4 0xc0312452 in panic (fmt=0xc05b4995 "from debugger")
at /usr/src/sys/kern/kern_shutdown.c:786
#5 0xc017adf5 in db_panic (addr=-1068151584, have_addr=0, count=-1,
modif=0xd13c2a8c "") at /usr/src/sys/ddb/db_command.c:448
#6 0xc017b46a in db_command () at /usr/src/sys/ddb/db_command.c:344
#7 db_command_loop () at /usr/src/sys/ddb/db_command.c:470
#8 0xc017daa4 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:71
#9 0xc0554ee4 in kdb_trap (type=3, code=0, regs=0xd13c2b88)
at /usr/src/sys/platform/pc32/i386/db_interface.c:152
#10 0xc056a2cf in trap (frame=0xd13c2b88)
at /usr/src/sys/platform/pc32/i386/trap.c:823
#11 0xc0556267 in calltrap ()
at /usr/src/sys/platform/pc32/i386/exception.s:785
#12 0xc0554ce0 in breakpoint (msg=0xc05cc75f "panic") at ./cpu/cpufunc.h:73
#13 Debugger (msg=0xc05cc75f "panic")
at /usr/src/sys/platform/pc32/i386/db_interface.c:334
#14 0xc0312449 in panic (fmt=0xc05b117b "assertion: %s in %s")
at /usr/src/sys/kern/kern_shutdown.c:784
#15 0xc034e335 in sofree (so=0xd1636200) at
/usr/src/sys/kern/uipc_socket.c:325
#16 0xc034ec71 in soclose (so=0xd1636200, fflag=7)
at /usr/src/sys/kern/uipc_socket.c:419
#17 0xc033e42e in soo_close (fp=0xcb84f3c0)
at /usr/src/sys/kern/sys_socket.c:230
#18 0xc02f9aff in fo_close (fp=0xcb84f3c0) at /usr/src/sys/sys/file2.h:121
#19 fdrop (fp=0xcb84f3c0) at /usr/src/sys/kern/kern_descrip.c:2419
#20 0xc02f9db8 in closef (fp=0xcb84f3c0, p=0xce3f72d0)
at /usr/src/sys/kern/kern_descrip.c:2360
#21 0xc02fbfdb in kern_close (fd=9) at /usr/src/sys/kern/kern_descrip.c:857
#22 0xc02fc0bf in sys_close (uap=0xd13c2cf0)
at /usr/src/sys/kern/kern_descrip.c:816
#23 0xc056aa03 in syscall2 (frame=0xd13c2d40)
at /usr/src/sys/platform/pc32/i386/trap.c:1310
#24 0xc0556316 in Xint0x80_syscall ()
at /usr/src/sys/platform/pc32/i386/exception.s:876
#25 0x0000001f in ?? ()

#3 Updated by lentferj almost 4 years ago

Jan Lentfer wrote:
> Got an assert panic now. I am currently uploading the files to leaf
> /home/lentferj/crash, .4 files (and this time for real :-) ).

Sorry, can't. leaf seems to be down.

#4 Updated by dillon almost 4 years ago

Ok, these should hopefully be fixed now.

What is left, assuming the list races are fixed, is the packet data
overflow which new assertions should catch earlier, and NAT.

-Matt
Matthew Dillon

#5 Updated by lentferj almost 4 years ago

Confirmed. With latest master the VM survived the complete ab test run.
