I recently had two "sbdrop" panics on 6.0-RELEASE-p4 i386. Following are the stack traces and the kernel configuration. Of course, I still have the crash dumps, and I'll gladly help anyone who wants more information. --Eric ############################################################ ############################################################ $ kgdb kernel.debug /var/crash/vmcore-panic-sbdrop-2006-03-09 GNU gdb 6.1.1 [FreeBSD] [...] Unread portion of the kernel message buffer: [not ascii; here is a hexdump] c1 20 33 70 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 00 00 00 00 00 00 00 00 90 02 00 00 00 00 00 00 00 00 00 6c 0b 05 c1 00 00 00 00 09 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 88 14 05 c1 30 33 70 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2a 00 00 00 00 00 00 00 00 a0 02 00 00 00 00 00 00 00 00 00 b4 0b 05 c1 00 00 00 00 0d 0a 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 14 05 c1 40 33 70 c0 18 0c 05 c1 90 a3 4b c1 88 a3 4b c1 00 00 00 00 6c 7f 4f c1 f8 15 00 00 00 00 00 00 00 b0 02 00 00 00 00 #0 doadump () at pcpu.h:165 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td)); (kgdb) bt f #0 doadump () at pcpu.h:165 No locals. #1 0xc04fae3e in boot (howto=260) at /freebsd/src/sys/kern/kern_shutdown.c:399 first_buf_printf = 1 #2 0xc04fb104 in panic (fmt=0xc069ed40 "sbdrop") at /freebsd/src/sys/kern/kern_shutdown.c:555 td = (struct thread *) 0xc190e480 bootopt = 260 newpanic = 1 ap = 0xc190e480 "" buf = "sbdrop", '\0' <repeats 249 times> #3 0xc05378b8 in sbdrop_locked (sb=0xcf603b50, len=940) at /freebsd/src/sys/kern/uipc_socket2.c:1157 m = (struct mbuf *) 0x0 next = (struct mbuf *) 0x0 #4 0xc05377ce in sbflush_locked (sb=0xcf603b50) at /freebsd/src/sys/kern/uipc_socket2.c:1124 No locals. #5 0xc0536d49 in sbrelease_locked (sb=0xcf603b50, so=0x0) at /freebsd/src/sys/kern/uipc_socket2.c:559 No locals. #6 0xc0536db1 in sbrelease (sb=0xcf603b50, so=0xc19c2c84) at /freebsd/src/sys/kern/uipc_socket2.c:572 No locals. 
#7 0xc0534921 in sorflush (so=0xc19c2c84) at /freebsd/src/sys/kern/uipc_socket.c:1480 sb = (struct sockbuf *) 0xc19c2cd4 pr = (struct protosw *) 0xc06d46a0 asb = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0, kl_unlock = 0, kl_locked = 0, kl_lockarg = 0x0}, si_flags = 0}, sb_mtx = {mtx_object = {lo_class = 0xc06cf004, lo_name = 0xc069ecad "so_rcv", lo_type = 0xc069ecad "so_rcv", lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3247498368, mtx_recurse = 0}, sb_state = 0, sb_mb = 0xc29af800, sb_mbtail = 0xc29af800, sb_lastrecord = 0xc29af800, sb_cc = 940, sb_hiwat = 8192, sb_mbcnt = 2048, sb_mbmax = 65536, sb_ctl = 0, sb_lowat = 1, sb_timeo = 0, sb_flags = 64} #8 0xc0532cbb in sofree (so=0xc19c2c84) at /freebsd/src/sys/kern/uipc_socket.c:406 head = (struct socket *) 0x0 #9 0xc0532fe9 in soclose (so=0xc19c2c84) at /freebsd/src/sys/kern/uipc_socket.c:484 error = 0 #10 0xc0522e6b in soo_close (fp=0xc1eac870, td=0xc190e480) at /freebsd/src/sys/kern/sys_socket.c:317 error = 0 so = (struct socket *) 0x0 #11 0xc04dc0d4 in fdrop_locked (fp=0xc1eac870, td=0xc190e480) at file.h:289 error = 0 #12 0xc04dc025 in fdrop (fp=0xc1eac870, td=0xc190e480) at /freebsd/src/sys/kern/kern_descrip.c:2101 No locals. 
#13 0xc04da653 in closef (fp=0xc1eac870, td=0xc190e480) at /freebsd/src/sys/kern/kern_descrip.c:1921 vp = (struct vnode *) 0xc1eac870 lf = {l_start = 4294967295, l_len = -4495592928909675680, l_pid = 0, l_type = -7040, l_whence = -15984} fdtol = (struct filedesc_to_leader *) 0xcf603ca0 fdp = (struct filedesc *) 0xc2ce5200 #14 0xc04d7a81 in close (td=0xc190e480, uap=0x0) at /freebsd/src/sys/kern/kern_descrip.c:1004 fdp = (struct filedesc *) 0xc2ce5200 fp = (struct file *) 0xc1eac870 fd = 1 error = -1047468928 holdleaders = 0 #15 0xc0662dbb in syscall (frame {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 1, tf_esi = 134613344, tf_ebp = -1077941400, tf_isp = -815776412, tf_ebx = 134729728, tf_edx = 0, tf_ecx = 1, tf_eax = 6, tf_trapno = 22, tf_err = 2, tf_eip = 169785299, tf_cs = 51, tf_eflags = 642, tf_esp = -1077941428, tf_ss = 59}) at /freebsd/src/sys/i386/i386/trap.c:976 params = 0xbfbfeb50 <Address 0xbfbfeb50 out of bounds> callp = (struct sysent *) 0xc06ca6e8 td = (struct thread *) 0xc190e480 p = (struct proc *) 0xc19c720c orig_tf_eflags = 642 sticks = 4436 error = 0 narg = 1 args = {1, -815776464, -1067048045, 0, 0, 0, 4436, -1046711796} code = 6 #16 0xc06520cf in Xint0x80_syscall () at /freebsd/src/sys/i386/i386/exception.s:200 No locals. #17 0x00000033 in ?? () No symbol table info available. Previous frame inner to this frame (corrupt stack?) ############################################################ ############################################################ $ kgdb kernel.debug /var/crash/vmcore-panic-sbdrop-2006-03-12 GNU gdb 6.1.1 [FreeBSD] [...] 
Unread portion of the kernel message buffer: [not ascii; here is a hexdump] 51 c1 00 40 09 28 18 6c 03 c1 08 3c 03 c1 38 01 03 c1 50 95 03 c1 44 44 51 c1 00 a0 06 08 00 00 00 00 74 07 37 c1 d0 e5 02 c1 28 f9 02 c1 4c 4b 51 c1 00 00 12 28 d0 52 03 c1 f4 48 3c c1 c0 7c 03 c1 a0 f6 02 c1 18 43 51 c1 00 20 07 28 00 00 00 00 ac 37 35 c1 08 0d 0a 03 c1 88 40 03 c1 78 4c 51 c1 00 30 0f 28 d8 c3 03 c1 18 e8 02 c1 e0 e4 02 c1 20 02 03 c1 c8 47 51 c1 00 a0 13 08 00 00 00 00 4c 13 3b c1 a0 28 03 c1 28 60 03 c1 18 43 51 c1 00 b0 bf bf 00 00 00 00 5c 0c 35 c1 58 0b 03 c1 d0 43 03 c1 c8 47 51 c1 00 50 17 08 00 00 00 00 e4 d0 36 c1 d0 4b 03 c1 00 1d 03 c1 a4 dd 94 c1 00 #0 doadump () at pcpu.h:165 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td)); (kgdb) bt f #0 doadump () at pcpu.h:165 No locals. #1 0xc04fae3e in boot (howto=260) at /freebsd/src/sys/kern/kern_shutdown.c:399 first_buf_printf = 1 #2 0xc04fb104 in panic (fmt=0xc069ed40 "sbdrop") at /freebsd/src/sys/kern/kern_shutdown.c:555 td = (struct thread *) 0xc194ac00 bootopt = 260 newpanic = 1 ap = 0xc194ac00 "" buf = "sbdrop", '\0' <repeats 249 times> #3 0xc05378b8 in sbdrop_locked (sb=0xcf612b50, len=17) at /freebsd/src/sys/kern/uipc_socket2.c:1157 m = (struct mbuf *) 0x0 next = (struct mbuf *) 0x0 #4 0xc05377ce in sbflush_locked (sb=0xcf612b50) at /freebsd/src/sys/kern/uipc_socket2.c:1124 No locals. #5 0xc0536d49 in sbrelease_locked (sb=0xcf612b50, so=0x0) at /freebsd/src/sys/kern/uipc_socket2.c:559 No locals. #6 0xc0536db1 in sbrelease (sb=0xcf612b50, so=0xc1908b20) at /freebsd/src/sys/kern/uipc_socket2.c:572 No locals. 
#7 0xc0534921 in sorflush (so=0xc1908b20) at /freebsd/src/sys/kern/uipc_socket.c:1480 sb = (struct sockbuf *) 0xc1908b70 pr = (struct protosw *) 0xc06d8b14 asb = {sb_sel = {si_thrlist = {tqe_next = 0x0, tqe_prev = 0x0}, si_thread = 0x0, si_note = {kl_list = {slh_first = 0x0}, kl_lock = 0, kl_unlock = 0, kl_locked = 0, kl_lockarg = 0x0}, si_flags = 0}, sb_mtx = {mtx_object = {lo_class = 0xc06cf004, lo_name = 0xc069ecad "so_rcv", lo_type = 0xc069ecad "so_rcv", lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 3247746048, mtx_recurse = 0}, sb_state = 0, sb_mb = 0x0, sb_mbtail = 0x0, sb_lastrecord = 0x0, sb_cc = 17, sb_hiwat = 42080, sb_mbcnt = 4294964992, sb_mbmax = 262144, sb_ctl = 4294967280, sb_lowat = 1, sb_timeo = 0, sb_flags = 64} #8 0xc0532cbb in sofree (so=0xc1908b20) at /freebsd/src/sys/kern/uipc_socket.c:406 head = (struct socket *) 0x0 #9 0xc0532fe9 in soclose (so=0xc1908b20) at /freebsd/src/sys/kern/uipc_socket.c:484 error = 0 #10 0xc0522e6b in soo_close (fp=0xc198ea20, td=0xc194ac00) at /freebsd/src/sys/kern/sys_socket.c:317 error = 0 so = (struct socket *) 0x0 #11 0xc04dc0d4 in fdrop_locked (fp=0xc198ea20, td=0xc194ac00) at file.h:289 error = 0 #12 0xc04dc025 in fdrop (fp=0xc198ea20, td=0xc194ac00) at /freebsd/src/sys/kern/kern_descrip.c:2101 No locals. 
#13 0xc04da653 in closef (fp=0xc198ea20, td=0xc194ac00) at /freebsd/src/sys/kern/kern_descrip.c:1921 vp = (struct vnode *) 0xc198ea20 lf = {l_start = -4580996068436530020, l_len = 23122899, l_pid = -370322744, l_type = 599, l_whence = 0} fdtol = (struct filedesc_to_leader *) 0xbe24ecff fdp = (struct filedesc *) 0xc1ca2400 #14 0xc04d7a81 in close (td=0xc194ac00, uap=0x0) at /freebsd/src/sys/kern/kern_descrip.c:1004 fdp = (struct filedesc *) 0xc1ca2400 fp = (struct file *) 0xc198ea20 fd = 3 error = -1047221248 holdleaders = 0 #15 0xc0662dbb in syscall (frame {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 0, tf_esi = 673886912, tf_ebp = -1077941608, tf_isp = -815714972, tf_ebx = 673809636, tf_edx = 0, tf_ecx = 0, tf_eax = 6, tf_trapno = 0, tf_err = 2, tf_eip = 673286099, tf_cs = 51, tf_eflags = 534, tf_esp = -1077941636, tf_ss = 59}) at /freebsd/src/sys/i386/i386/trap.c:976 params = 0xbfbfea80 <Address 0xbfbfea80 out of bounds> callp = (struct sysent *) 0xc06ca6e8 td = (struct thread *) 0xc194ac00 p = (struct proc *) 0xc1a7f624 orig_tf_eflags = 534 sticks = 12 error = 0 narg = 1 args = {3, -1066484000, 152949657, -815715028, -1067035982, -1066484000, -815715020, 672605572} code = 6 #16 0xc06520cf in Xint0x80_syscall () at /freebsd/src/sys/i386/i386/exception.s:200 No locals. #17 0x00000033 in ?? () No symbol table info available. Previous frame inner to this frame (corrupt stack?) 
############################################################ ############################################################ machine i386 cpu I686_CPU options SCHED_4BSD options PREEMPTION options INET options INET6 options FFS options SOFTUPDATES options UFS_ACL options UFS_DIRHASH options MSDOSFS options CD9660 options GEOM_GPT options COMPAT_43 options COMPAT_FREEBSD4 options COMPAT_FREEBSD5 options SCSI_DELAY=1000 options KTRACE options SYSVSHM options SYSVMSG options SYSVSEM options _KPOSIX_PRIORITY_SCHEDULING options KBD_INSTALL_CDEV options ADAPTIVE_GIANT device apic device isa device pci device ata device atadisk options ATA_STATIC_ID device scbus device da device cd device pass device atkbdc device atkbd device psm device vga device splash device sc device agp device npx device pmtimer device ppc device ppbus device lpt device plip device ppi device loop device mem device io device random device ether device pty device md device bpf device uhci device ohci device ehci device usb device ugen device uhid device ukbd device ulpt device umass device ums options INCLUDE_CONFIG_FILE makeoptions DEBUG=-g options KDB options DDB options GDB ident WITHHELD device fdc device atapicd device atapicam device sym device sio device miibus device rl device fxp device wlan device wlan_wep device wlan_ccmp device wlan_tkip device wlan_xauth device wlan_acl device ath device ath_hal device ath_rate_sample options IPFIREWALL options IPFIREWALL_VERBOSE options IPFIREWALL_VERBOSE_LIMIT=1024 options IPFIREWALL_DEFAULT_TO_ACCEPT options IPDIVERT