Re: Panic in callout_reset()

From: John Baldwin <jhb_at_freebsd.org>
Date: Mon, 16 Jul 2007 10:32:21 -0400

On Tuesday 19 June 2007 03:12:03 pm Peter Jeremy wrote:
> Running: FreeBSD 7.0-CURRENT #5: Sat Jun  9 18:29:40 EST 2007
>     root_at_server.vk2pj.dyndns.org:/var/obj/k7/usr/src/sys/server
> Panic String: Bad tailq NEXT(0xcce421a8->tqh_last) != NULL
> 
> #0  doadump () at pcpu.h:195
> #1  0xc04524a9 in db_fncall (dummy1=0xc0576aa2, dummy2=0x0, dummy3=0x1, dummy4=0xd3b23a3c "")
>     at /usr/src/sys/ddb/db_command.c:486
> #2  0xc0452a15 in db_command_loop () at /usr/src/sys/ddb/db_command.c:401
> #3  0xc0454195 in db_trap (type=0x3, code=0x0) at /usr/src/sys/ddb/db_main.c:222
> #4  0xc0576943 in kdb_trap (type=0x3, code=0x0, tf=0xd3b23bd4) at /usr/src/sys/kern/subr_kdb.c:502
> #5  0xc06d4d4b in trap (frame=0xd3b23bd4) at /usr/src/sys/i386/i386/trap.c:620
> #6  0xc06c21db in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #7  0xc0576aa2 in kdb_enter (msg=0xc0719d31 "panic") at cpufunc.h:60
> #8  0xc0550035 in panic (fmt=0xc06fdb26 "Bad tailq NEXT(%p->tqh_last) != NULL")
>     at /usr/src/sys/kern/kern_shutdown.c:547
> #9  0xc056180a in callout_reset (c=0xc07ec000, to_ticks=0xa, ftn=0xc063fd30 <nfsrv_timer>, arg=0x0)
>     at /usr/src/sys/kern/kern_timeout.c:477
> #10 0xc063fde4 in nfsrv_timer (arg=0x0) at /usr/src/sys/nfsserver/nfs_srvsock.c:815
> #11 0xc0561f1e in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:280
> #12 0xc0534485 in ithread_loop (arg=0xc2926670) at /usr/src/sys/kern/kern_intr.c:1036
> #13 0xc0531a57 in fork_exit (callout=0xc05342d0 <ithread_loop>, arg=0xc2926670, frame=0xd3b23d38)
>     at /usr/src/sys/kern/kern_fork.c:787
> #14 0xc06c2250 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:205
> 
> 'c' in callout_reset looks like:
> (kgdb) p *c
> $1 = {
>   c_links = {
>     sle = {
>       sle_next = 0xc07e5e08
>     }, 
>     tqe = {
>       tqe_next = 0xc07e5e08, 
>       tqe_prev = 0xcce42158
>     }
>   }, 
>   c_time = 0x3230ae73, 
>   c_arg = 0x0, 
>   c_func = 0xc063fd30 <nfsrv_timer>, 
>   c_mtx = 0x0, 
>   c_flags = 0x16
> }
> 
> (kgdb) p *$1.c_links.tqe.tqe_next
> $3 = {
>   c_links = {
>     sle = {
>       sle_next = 0x0
>     }, 
>     tqe = {
>       tqe_next = 0x0, 
>       tqe_prev = 0xcce42158
>     }
>   }, 
>   c_time = 0x3230ae69, 
>   c_arg = 0x0, 
>   c_func = 0xc0605f80 <tcp_isn_tick>, 
>   c_mtx = 0x0, 
>   c_flags = 0x16
> }
> (kgdb) p *$1.c_links.tqe.tqe_prev
> $5 = (struct callout *) 0xc07e5e08
> 
> Any suggestions?

The panic is because the callout is already on a list.  Maybe try moving the 
NFSD_UNLOCK() in nfsrv_timer() after the callout_reset().

-- 
John Baldwin
Received on Mon Jul 16 2007 - 12:57:55 UTC
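
An added illustration, not part of the original message and not FreeBSD kernel code: a userland model of the tail invariant named in the panic string, showing how linking an entry that is already on one tail queue into another leaves the first head's `tqh_last` pointing at a non-NULL next pointer. `struct timer`, the bucket names and the helper functions are hypothetical stand-ins, and the check is modelled on the panic string rather than copied from the kernel.

```c
/* Added illustration; all names here are hypothetical stand-ins. */
#include <stdio.h>
#include <sys/queue.h>

struct timer {                      /* stand-in for struct callout */
    TAILQ_ENTRY(timer) links;
    int pending;                    /* set while linked into a bucket */
};
TAILQ_HEAD(bucket, timer);

/* Invariant from the panic string: NEXT(head->tqh_last) must be NULL. */
static int tail_ok(const struct bucket *h) { return *h->tqh_last == NULL; }

/* Checked tail insert: 0 on success, -1 where the kernel would panic. */
static int insert_tail_checked(struct bucket *h, struct timer *t)
{
    if (!tail_ok(h))
        return -1;
    TAILQ_INSERT_TAIL(h, t, links);
    t->pending = 1;
    return 0;
}

/* Re-arm t into bucket b. unlink_first=0 models arming a timer that is
 * still linked into bucket a. Returns the result of a later, unrelated
 * insert into bucket a. */
static int rearm_then_insert(int unlink_first)
{
    struct bucket a, b;
    struct timer t = { .pending = 0 }, u = { .pending = 0 }, v = { .pending = 0 };

    TAILQ_INIT(&a);
    TAILQ_INIT(&b);
    insert_tail_checked(&a, &t);            /* a.tqh_last = &t.next */
    if (unlink_first && t.pending) {
        TAILQ_REMOVE(&a, &t, links);        /* a.tqh_last = &a.tqh_first */
        t.pending = 0;
    }
    TAILQ_INSERT_TAIL(&b, &t, links);       /* t now (also) on bucket b */
    TAILQ_INSERT_TAIL(&b, &u, links);       /* writes t.next = &u */
    return insert_tail_checked(&a, &v);     /* checks *a.tqh_last */
}

int main(void)
{
    printf("already linked: %d\n", rearm_then_insert(0));
    printf("unlinked first: %d\n", rearm_then_insert(1));
    return 0;
}
```

The failing case is reported on the later insert into bucket a, not at the point where the entry was linked twice, which is why the faulting frame alone does not identify the code that left the entry on a list.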
