Re: CURRENT + amd64 + user-ppp = panic

From: Victor Snezhko <snezhko_at_indorsoft.ru>
Date: Wed, 09 Nov 2005 14:25:37 +0600
Mark Tinguely <tinguely_at_casselton.net> writes:

> This is great, you caught the kernel trashing a callout entry
> in uma_dbg.

Hmm, not so fast...

Look at the list output:

103	if ((u_int32_t)c == uma_junk) {
104		kdb_enter("trash_dtor: uma_junk found in a "\
105			  "callwheel element");

By the moment when I start traversing callwheel, it is already
corrupted! (Or maybe modified by someone who doesn't hold the
callout_lock)

> I cannot figure out how #14 linked the function soreceive() to
> the inline function uma_zfree(). (thinking as I am typing) Could
> someone have changed the receive function call for this socket?

Maybe the inline function introduces this mess?

> In my opinion, you can remove the callout_check_callwheel function
> and calls.

Agreed, I just wanted to demonstrate that things are not so simple.

> You want to always catch it before it corrupts, and that
> is done in the uma_dbg. 

Unfortunately, uma_dbg catches an already corrupted callwheel (or
doesn't catch anything at all, in which case ppp works)

> Once you catch the corruption, we know it will panic in the near
> future, unless we are in the debugger long enough, for the timer to
> expire and be removed.

Hmm, looks like it's really so. This needs additional checking.

> I would completely delete the compile directory and "config" and
> do a fresh make.

This is exactly what I have done before submitting my report, because
I cvsdown'ed to 2005.10.21.16.30.00 to be independent of recent
changes that would mess something up. I also tested on fresh current
on Saturday or Sunday - the backtrace was similar, maybe with different
lines or something.

-- 
WBR, Victor V. Snezhko
EMail: snezhko_at_indorsoft.ru
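The check being discussed above (uma_dbg's trash_dtor noticing that a callwheel element still holds the junk fill pattern) can be modelled in userland. The following is an added example, not code from this thread or from FreeBSD: a freed element is overwritten with a poison word, and a consistency walk over a singly linked "callwheel" reports the first position where it meets either a junk pointer or a junk-filled element, which is what the quoted `(u_int32_t)c == uma_junk` comparison catches in the kernel. The names (`JUNK`, `struct callout`, `callwheel_check`, the scenario functions) and the poison value are assumptions for illustration only.

```c
/* Added example: userland model of a junk-fill (trash) check over a
 * callwheel-like list.  Not FreeBSD code; names and values are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JUNK 0xdeadc0deU   /* assumed poison word, modelled on uma_junk */
#define NCALLOUTS 3

struct callout {
    struct callout *next;
    void (*func)(void *);
    void *arg;
    uint32_t ticks;
};

struct callwheel {
    struct callout *head;
};

/* Pointer-sized value a pointer field holds after a 32-bit-word junk fill. */
static uintptr_t junk_pointer(void)
{
    uintptr_t v = 0;
    uint32_t j = JUNK;
    for (size_t off = 0; off + sizeof(j) <= sizeof(v); off += sizeof(j))
        memcpy((unsigned char *)&v + off, &j, sizeof(j));
    return v;
}

/* "Free" an element the way a trash destructor does: overwrite every
 * 32-bit word with JUNK, but leave the storage mapped so that a dangling
 * link to it can still be followed and recognised. */
static void callout_trash(struct callout *c)
{
    uint32_t *w = (uint32_t *)c;
    for (size_t i = 0; i < sizeof(*c) / sizeof(*w); i++)
        w[i] = JUNK;
}

/* True if every word of the element is still JUNK (freed, never reused). */
static int callout_is_trashed(const struct callout *c)
{
    const uint32_t *w = (const uint32_t *)c;
    for (size_t i = 0; i < sizeof(*c) / sizeof(*w); i++)
        if (w[i] != JUNK)
            return 0;
    return 1;
}

/* Walk the wheel; return the index of the first junk link or junk element,
 * or -1 if the list is consistent.  A junk pointer is never dereferenced. */
static int callwheel_check(const struct callwheel *w)
{
    int idx = 0;
    for (const struct callout *c = w->head; c != NULL; c = c->next, idx++) {
        if ((uintptr_t)c == junk_pointer())
            return idx;            /* predecessor's next field was trashed */
        if (callout_is_trashed(c))
            return idx;            /* freed element is still linked */
    }
    return -1;
}

static struct callout pool[NCALLOUTS];   /* constructed sample elements */

static void noop(void *arg) { (void)arg; }

/* Rebuild a clean three-element wheel: pool[0] -> pool[1] -> pool[2]. */
static struct callwheel build_wheel(void)
{
    struct callwheel w = { NULL };
    for (int i = NCALLOUTS - 1; i >= 0; i--) {
        pool[i].next = w.head;
        pool[i].func = noop;
        pool[i].arg = NULL;
        pool[i].ticks = (uint32_t)(10 * (i + 1));
        w.head = &pool[i];
    }
    return w;
}

/* Nothing freed: the walk finds no junk and returns -1. */
int scenario_clean(void)
{
    struct callwheel w = build_wheel();
    return callwheel_check(&w);
}

/* The failure mode hunted in the thread: the middle callout is freed
 * while still linked.  The walk stops at index 1. */
int scenario_freed_while_linked(void)
{
    struct callwheel w = build_wheel();
    callout_trash(&pool[1]);
    return callwheel_check(&w);
}

/* Correct lifecycle: unlink first, then free.  The walk returns -1. */
int scenario_unlink_then_free(void)
{
    struct callwheel w = build_wheel();
    pool[0].next = pool[1].next;
    callout_trash(&pool[1]);
    return callwheel_check(&w);
}

int main(void)
{
    printf("clean wheel:         %d\n", scenario_clean());
    printf("freed while linked:  %d\n", scenario_freed_while_linked());
    printf("unlinked then freed: %d\n", scenario_unlink_then_free());
    return 0;
}
```

The point the model makes is the one raised in the reply: a poison-on-free check can only report corruption after the fact. It tells you that some freed element is still reachable from the wheel, not who freed it without unlinking or who touched the list without holding the lock.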
Received on Wed Nov 09 2005 - 07:25:51 UTC
