Re: kern/101763: [panic] sodealloc(): so_count 1

From: Robert Watson <rwatson_at_FreeBSD.org>
Date: Fri, 11 Aug 2006 10:29:01 +0100 (BST)
On Fri, 11 Aug 2006, Gleb Kozyrev wrote:

> Gleb Kozyrev wrote to "Robert Watson" <rwatson_at_FreeBSD.org> on Thu, 10 Aug 2006 19:35:12 +0300:
>
>>>> i386 7.0-CURRENT #0: Sun Aug 6 repeatedly panics when doing some default
>>>> periodic jobs at 3 AM.
>
> RW>> Could you file a PR for this, and forward me the PR receipt?  I'd be
> RW>> happy to investigate this problem.  I've seen one or two other reports
> RW>> of so_count 1, but not in a way that's reproduceable.  The output of
> RW>> the following DDB commands would be most helpful:
>
> RW>>    show pcpu
> RW>>    show allpcpu
> RW>>    alltrace
> RW>>    show  alllocks
>
> GK> Here you are: kern/101763
>
> I'm sorry for misleading you.
> You see, for some reasons I forgot that there's a little jail on
> that machine. ;)
> It is ipfw in jail that triggers the panic invoked from
> /etc/periodic/security/500.ipfwdenied

Try this minor tweak:

Index: uipc_socket.c
===================================================================
RCS file: /data/fbsd-cvs/ncvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.277
diff -u -r1.277 uipc_socket.c
--- uipc_socket.c	2 Aug 2006 00:45:27 -0000	1.277
+++ uipc_socket.c	11 Aug 2006 09:27:52 -0000
_at__at_ -367,6 +367,9 _at__at_
  	so->so_count = 1;
  	error = (*prp->pr_usrreqs->pru_attach)(so, proto, td);
  	if (error) {
+		KASSERT(so->so_count == 1, ("socreate: so_count %d",
+		    so->so_count));
+		so->so_count = 0;
  		sodealloc(so);
  		return (error);
  	}

Looks like I made a logic error in my change to move to sodealloc() here: the 
refcount is never reduced back from when it is initially set to 1, and 
sodealloc() has a "no references" assertion (possibly that I added).

Robert N M Watson
Computer Laboratory
University of Cambridge

>
> Today the coredump was successfully saved. So if it still matters..
>
> =========Beginning of the citation==============
> (kgdb) where
> #0  doadump () at pcpu.h:166
> #1  0xc06a3ee0 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
> #2  0xc06a41f5 in panic (fmt=0xc092e717 "sodealloc(): so_count %d") at /usr/src/sys/kern/kern_shutdown.c:565
> #3  0xc06e45cc in sodealloc (so=0xc1a163e4) at /usr/src/sys/kern/uipc_socket.c:289
> #4  0xc06e4811 in socreate (dom=0, aso=0x0, type=3, proto=255, cred=0xc19f5180, td=0xc18ad510) at
> /usr/src/sys/kern/uipc_socket.c:370
> #5  0xc06e8985 in socket (td=0xc18ad510, uap=0xc853bd04) at /usr/src/sys/kern/uipc_syscalls.c:175
> #6  0xc08a0d7e in syscall (frame=
>      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077943668, tf_esi = 136331264, tf_ebp = -1077943800, tf_isp = -934036124,
> tf_ebx = 54, tf_edx = 0, tf_ecx = 0, tf_eax = 97, tf_trapno = 12, tf_err = 2, tf_eip = 672368711, tf_cs = 51, tf_eflags = 582,
> tf_esp = -1077943844, tf_ss = 59})
>    at /usr/src/sys/i386/i386/trap.c:1006
> #7  0xc088bb3f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:191
> #8  0x00000033 in ?? ()
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) frame 3
> #3  0xc06e45cc in sodealloc (so=0xc1a163e4) at /usr/src/sys/kern/uipc_socket.c:289
> 289             KASSERT(so->so_count == 0, ("sodealloc(): so_count %d", so->so_count));
> (kgdb) print *so
> $1 = {so_count = 1, so_type = 3, so_options = 0, so_linger = 0, so_state = 0, so_qstate = 0, so_pcb = 0x0, so_proto = 0xc09dbd5c,
> so_head = 0x0,
>  so_incomp = {tqh_first = 0x0, tqh_last = 0xc1a16400}, so_comp = {tqh_first = 0x0, tqh_last = 0xc1a16408}, so_list = {tqe_next =
> 0x0, tqe_prev = 0x0},
>  so_qlen = 0, so_incqlen = 0, so_qlimit = 0, so_timeo = 0, so_error = 0, so_sigio = 0x0, so_oobmark = 0, so_aiojobq = {tqh_first =
> 0x0,
>    tqh_last = 0xc1a1642c}, so_rcv = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list =
> {slh_first = 0x0},
>        kl_lock = 0xc068a3f4 <knlist_mtx_lock>, kl_unlock = 0xc068a410 <knlist_mtx_unlock>, kl_locked = 0xc068a42c
> <knlist_mtx_locked>,
>        kl_lockarg = 0xc1a16458}, si_flags = 0}, sb_mtx = {mtx_object = {lo_name = 0xc092b0f2 "so_rcv", lo_type = 0xc092b0f2
> "so_rcv", lo_flags = 16973824,
>        lo_witness_data = {lod_list = {stqe_next = 0xc0a25fe8}, lod_witness = 0xc0a25fe8}}, mtx_lock = 4, mtx_recurse = 0}, sb_state
> = 0, sb_mb = 0x0,
>    sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 0, sb_hiwat = 0, sb_mbcnt = 0, sb_mbmax = 0, sb_ctl = 0, sb_lowat = 0, sb_timeo =
> 0, sb_flags = 0},
>  so_snd = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {slh_first = 0x0},
>        kl_lock = 0xc068a3f4 <knlist_mtx_lock>, kl_unlock = 0xc068a410 <knlist_mtx_unlock>, kl_locked = 0xc068a42c
> <knlist_mtx_locked>,
>        kl_lockarg = 0xc1a164c4}, si_flags = 0}, sb_mtx = {mtx_object = {lo_name = 0xc092b0eb "so_snd", lo_type = 0xc092b0eb
> "so_snd", lo_flags = 16973824,
>        lo_witness_data = {lod_list = {stqe_next = 0xc0a26010}, lod_witness = 0xc0a26010}}, mtx_lock = 4, mtx_recurse = 0}, sb_state
> = 0, sb_mb = 0x0,
>    sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 0, sb_hiwat = 0, sb_mbcnt = 0, sb_mbmax = 0, sb_ctl = 0, sb_lowat = 0, sb_timeo =
> 0, sb_flags = 0},
>  so_upcall = 0, so_upcallarg = 0x0, so_cred = 0xc19f5180, so_label = 0x0, so_peerlabel = 0x0, so_gencnt = 830, so_emuldata = 0x0,
> so_accf = 0x0}
> (
> =========The end of the citation================
>
> -- 
> With best regards, Gleb Kozyrev.
>
>
Received on Fri Aug 11 2006 - 07:29:02 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:58 UTC