[Bug 148807] [panic] "panic: sbdrop" and "panic: sbsndptr: sockbuf _ and mbuf _ clashing" (8.1-RELEASE/10.1-STABLE/11-CURRENT)
bugzilla-noreply at freebsd.org
Thu Oct 13 04:51:25 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=148807
--- Comment #31 from Hiren Panchasara <hiren at FreeBSD.org> ---
(In reply to Robert Watson from comment #29)
Robert,
Thanks for your response.
On a slightly modified (nothing in driver space) stable/11, I am seeing
repeated panics in sbsndptr() with igb while the box is pretty much idle or
doing very low traffic.
(kgdb) bt
#0 __curthread () at ./machine/pcpu.h:221
#1 doadump (textdump=-2121667464) at
/d2/hiren/freebsd/sys/kern/kern_shutdown.c:298
#2 0xffffffff80389f86 in db_fncall_generic (nargs=0, addr=<optimized out>,
rv=<optimized out>,
args=<optimized out>) at /d2/hiren/freebsd/sys/ddb/db_command.c:568
#3 db_fncall (dummy1=<optimized out>, dummy2=<optimized out>,
dummy3=<optimized out>, dummy4=<optimized out>)
at /d2/hiren/freebsd/sys/ddb/db_command.c:616
#4 0xffffffff80389a29 in db_command (last_cmdp=<optimized out>,
cmd_table=<optimized out>,
dopager=<optimized out>) at /d2/hiren/freebsd/sys/ddb/db_command.c:440
#5 0xffffffff80389784 in db_command_loop () at
/d2/hiren/freebsd/sys/ddb/db_command.c:493
#6 0xffffffff8038c76b in db_trap (type=<optimized out>, code=<optimized out>)
at /d2/hiren/freebsd/sys/ddb/db_main.c:251
#7 0xffffffff809a6f33 in kdb_trap (type=<optimized out>, code=<optimized out>,
tf=<optimized out>)
at /d2/hiren/freebsd/sys/kern/subr_kdb.c:654
#8 0xffffffff80d93521 in trap_fatal (frame=0xfffffe1f2bb38210, eva=24)
at /d2/hiren/freebsd/sys/amd64/amd64/trap.c:836
#9 0xffffffff80d93753 in trap_pfault (frame=0xfffffe1f2bb38210, usermode=0)
at /d2/hiren/freebsd/sys/amd64/amd64/trap.c:691
#10 0xffffffff80d92cdc in trap (frame=0xfffffe1f2bb38210) at
/d2/hiren/freebsd/sys/amd64/amd64/trap.c:442
#11 <signal handler called>
#12 sbsndptr (sb=0xfffff8060f8a5518, off=0, len=4294967287,
moff=0xfffffe1f2bb38420)
at /d2/hiren/freebsd/sys/kern/uipc_sockbuf.c:1191
#13 0xffffffff80ab9382 in tcp_output (tp=<optimized out>) at
/d2/hiren/freebsd/sys/netinet/tcp_output.c:1099
#14 0xffffffff80ab6105 in tcp_do_segment (m=<optimized out>, th=<optimized
out>, so=0xfffff8060f8a5360,
tp=<optimized out>, drop_hdrlen=60, tlen=<optimized out>, iptos=<optimized
out>,
ti_locked=<error reading variable: Cannot access memory at address 0x1>)
at /d2/hiren/freebsd/sys/netinet/tcp_input.c:3182
#15 0xffffffff80ab2803 in tcp_input (mp=<optimized out>, offp=<optimized out>,
proto=<optimized out>)
at /d2/hiren/freebsd/sys/netinet/tcp_input.c:1444
#16 0xffffffff80aa6bc5 in ip_input (m=<error reading variable: Cannot access
memory at address 0x0>)
at /d2/hiren/freebsd/sys/netinet/ip_input.c:809
#17 0xffffffff80a82b35 in netisr_dispatch_src (proto=1, source=<optimized out>,
m=0x0)
at /d2/hiren/freebsd/sys/net/netisr.c:1120
#18 0xffffffff80a6c2ca in ether_demux (ifp=<optimized out>, m=0x0) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:850
#19 0xffffffff80a6cf22 in ether_input_internal (ifp=<optimized out>, m=0x0)
at /d2/hiren/freebsd/sys/net/if_ethersubr.c:639
#20 ether_nh_input (m=<optimized out>) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:669
#21 0xffffffff80a82b35 in netisr_dispatch_src (proto=5, source=<optimized out>,
m=0x0)
at /d2/hiren/freebsd/sys/net/netisr.c:1120
#22 0xffffffff80a6c546 in ether_input (ifp=<optimized out>, m=0x0) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:759
#23 0xffffffff804e2b3c in igb_rx_input (rxr=<optimized out>,
ifp=0xfffff80115614800, m=0xfffff8014eee7600,
ptype=<optimized out>) at /d2/hiren/freebsd/sys/dev/e1000/if_igb.c:4957
#24 igb_rxeof (que=<optimized out>, count=358700136, done=<optimized out>)
at /d2/hiren/freebsd/sys/dev/e1000/if_igb.c:5185
#25 0xffffffff804e1daf in igb_msix_que (arg=<optimized out>) at
/d2/hiren/freebsd/sys/dev/e1000/if_igb.c:1612
#26 0xffffffff8091425f in intr_event_execute_handlers (p=<optimized out>,
ie=<optimized out>)
at /d2/hiren/freebsd/sys/kern/kern_intr.c:1262
#27 0xffffffff80914876 in ithread_execute_handlers (ie=<optimized out>,
p=<optimized out>)
at /d2/hiren/freebsd/sys/kern/kern_intr.c:1275
#28 ithread_loop (arg=<optimized out>) at
/d2/hiren/freebsd/sys/kern/kern_intr.c:1356
#29 0xffffffff80910ea5 in fork_exit (callout=0xffffffff809147b0 <ithread_loop>,
arg=0xfffff8011561a0e0,
frame=0xfffffe1f2bb38ac0) at /d2/hiren/freebsd/sys/kern/kern_fork.c:1040
#30 <signal handler called>
----------------------------------------------------------------
Most interesting frames are these 2:
#22 0xffffffff80a6c546 in ether_input (ifp=<optimized out>, m=0x0) at
/d2/hiren/freebsd/sys/net/if_ethersubr.c:759
#23 0xffffffff804e2b3c in igb_rx_input (rxr=<optimized out>,
ifp=0xfffff80115614800, m=0xfffff8014eee7600,
ptype=<optimized out>) at /d2/hiren/freebsd/sys/dev/e1000/if_igb.c:4957
#23 has an mbuf while #22 has it null.
Does this point to your hunch of
"device-driver bugs involving modifications to the mbuf chain after submitting
the mbuf to the network stack (e.g., due to concurrency bugs in the device
driver)"?
Or is something else going on?