Bug 213832

Summary: panic: vm_page_unwire: page 0x[...]'s wire count is zero
Product: Base System Reporter: emz
Component: kernAssignee: freebsd-bugs (Nobody) <bugs>
Status: New ---    
Severity: Affects Only Me    
Priority: ---    
Version: 11.0-RELEASE   
Hardware: Any   
OS: Any   
Description Flags
core.txt.1 none

Description emz 2016-10-27 11:19:05 UTC
Created attachment 176215 [details]

After upgrade to 11.0-RELEASE-p2 I'm getting panics:

panic: vm_page_unwire: page 0xfffff8023ca8b2f8's wire count is zero

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: vm_page_unwire: page 0xfffff8023ca8b2f8's wire count is zero
cpuid = 3
KDB: stack backtrace:
#0 0xffffffff80b1b417 at kdb_backtrace+0x67
#1 0xffffffff80ad0782 at vpanic+0x182
#2 0xffffffff80ad05f3 at panic+0x43
#3 0xffffffff80e693b3 at vm_page_unwire+0x73
#4 0xffffffff80accb40 at sf_ext_free+0xb0
#5 0xffffffff80aa7ad0 at mb_free_ext+0xc0
#6 0xffffffff80aa81a8 at m_freem+0x38
#7 0xffffffff80cf7453 at tcp_do_segment+0x28a3
#8 0xffffffff80cf3edc at tcp_input+0xd1c
#9 0xffffffff80c64c5f at ip_input+0x15f
#10 0xffffffff80bfa135 at netisr_dispatch_src+0xa5
#11 0xffffffff80be2b9a at ether_demux+0x12a
#12 0xffffffff80be37f2 at ether_nh_input+0x322
#13 0xffffffff80bfa135 at netisr_dispatch_src+0xa5
#14 0xffffffff80be2e16 at ether_input+0x26
#15 0xffffffff8055983c at igb_rxeof+0x81c
#16 0xffffffff80558b92 at igb_msix_que+0x152
#17 0xffffffff80a8a7af at intr_event_execute_handlers+0x20f
Uptime: 28m25s
Dumping 3780 out of 8147 MB:..1%..11%..21%..31%..41%..51%..61%..71%..81%..91%

Reading symbols from /boot/kernel/zfs.ko...Reading symbols from /usr/lib/debug//boot/kernel/zfs.ko.debug...done.
Loaded symbols for /boot/kernel/zfs.ko
Reading symbols from /boot/kernel/opensolaris.ko...Reading symbols from /usr/lib/debug//boot/kernel/opensolaris.ko.debug...done.
Loaded symbols for /boot/kernel/opensolaris.ko
#0  doadump (textdump=<value optimized out>) at pcpu.h:221
221     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump (textdump=<value optimized out>) at pcpu.h:221
#1  0xffffffff80ad0209 in kern_reboot (howto=260)
    at /usr/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff80ad07bb in vpanic (fmt=<value optimized out>, 
    ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff80ad05f3 in panic (fmt=0x0)
    at /usr/src/sys/kern/kern_shutdown.c:690
#4  0xffffffff80e693b3 in vm_page_unwire (m=<value optimized out>, 
    queue=<value optimized out>) at /usr/src/sys/vm/vm_page.c:3136
#5  0xffffffff80accb40 in sf_ext_free (arg1=0xfffff8023ca8b2f8, arg2=0x0)
    at /usr/src/sys/kern/kern_sendfile.c:140
#6  0xffffffff80aa7ad0 in mb_free_ext (m=0xfffff80022f27c00)
    at /usr/src/sys/kern/kern_mbuf.c:678
#7  0xffffffff80aa81a8 in m_freem (mb=<value optimized out>) at mbuf.h:1180
#8  0xffffffff80cf7453 in tcp_do_segment (m=<value optimized out>, 
    th=<value optimized out>, so=0xfffff80022ba6a20, 
    tp=<value optimized out>, drop_hdrlen=52, tlen=<value optimized out>, 
    iptos=<value optimized out>, ti_locked=Cannot access memory at address 0x1
    at /usr/src/sys/netinet/tcp_input.c:1764
#9  0xffffffff80cf3edc in tcp_input (mp=<value optimized out>, 
    offp=<value optimized out>, proto=<value optimized out>)
    at /usr/src/sys/netinet/tcp_input.c:1442
#10 0xffffffff80c64c5f in ip_input (m=Cannot access memory at address 0x0
) at /usr/src/sys/netinet/ip_input.c:809
#11 0xffffffff80bfa135 in netisr_dispatch_src (proto=1, 
    source=<value optimized out>, m=0x0) at /usr/src/sys/net/netisr.c:1121
#12 0xffffffff80be2b9a in ether_demux (ifp=<value optimized out>, m=0x0)
    at /usr/src/sys/net/if_ethersubr.c:850
#13 0xffffffff80be37f2 in ether_nh_input (m=<value optimized out>)
    at /usr/src/sys/net/if_ethersubr.c:639
#14 0xffffffff80bfa135 in netisr_dispatch_src (proto=5, 
    source=<value optimized out>, m=0x0) at /usr/src/sys/net/netisr.c:1121
#15 0xffffffff80be2e16 in ether_input (ifp=<value optimized out>, m=0x0)
    at /usr/src/sys/net/if_ethersubr.c:759
#16 0xffffffff8055983c in igb_rxeof (count=583080448)
    at /usr/src/sys/dev/e1000/if_igb.c:4957
#17 0xffffffff80558b92 in igb_msix_que (arg=0xfffff8000649b538)
    at /usr/src/sys/dev/e1000/if_igb.c:1612
#18 0xffffffff80a8a7af in intr_event_execute_handlers (
    p=<value optimized out>, ie=<value optimized out>)
    at /usr/src/sys/kern/kern_intr.c:1262
#19 0xffffffff80a8aa16 in ithread_loop (arg=<value optimized out>)
    at /usr/src/sys/kern/kern_intr.c:1275
#20 0xffffffff80a873f5 in fork_exit (
    callout=0xffffffff80a8a950 <ithread_loop>, arg=0xfffff80006497900, 
    frame=0xfffffe01f0b1cc00) at /usr/src/sys/kern/kern_fork.c:1038
#21 0xffffffff80fc112e in fork_trampoline ()
    at /usr/src/sys/amd64/amd64/exception.S:611
#22 0x0000000000000000 in ?? ()
Current language:  auto; currently minimal

They are repeatable. I see a similar but closed PR for 9.2 and an open PR for this panic for a NFS client case. My system is neither of these cases (not 9.x, neither an NFS client), so I decided to open a new one. 

I have also attached core.txt.0 and .1. I also have the coredumps in case someone needs them.
Comment 1 emz 2016-10-27 11:19:34 UTC
Created attachment 176216 [details]
Comment 2 emz 2016-10-30 10:41:27 UTC
A vmcore from core.0.txt: http://zhegan.in/files/vmcore.0.xz

Kernel config:

include GENERIC

device          carp
device          pf
device          pflog
device          pfsync

nodevice        vga
nodevice        sc
device          vt
device          vt_vga

options         ALTQ
options         ALTQ_CBQ        # Class Based Queueing
options         ALTQ_RED        # Random Early Detection
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler
options         ALTQ_CDNR       # Traffic conditioner
options         ALTQ_PRIQ       # Priority Queueing
options         ALTQ_NOPCC      # Required if the TSC is unusable