From owner-freebsd-bugs@FreeBSD.ORG Tue Mar 30 15:50:04 2010 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4A9691065675 for ; Tue, 30 Mar 2010 15:50:04 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 0DA738FC1C for ; Tue, 30 Mar 2010 15:50:04 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o2UFo3HK080191 for ; Tue, 30 Mar 2010 15:50:03 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o2UFo3Fa080190; Tue, 30 Mar 2010 15:50:03 GMT (envelope-from gnats) Resent-Date: Tue, 30 Mar 2010 15:50:03 GMT Resent-Message-Id: <201003301550.o2UFo3Fa080190@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Nathaniel Filardo Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5C6BF106564A for ; Tue, 30 Mar 2010 15:45:17 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id 4BBB28FC0A for ; Tue, 30 Mar 2010 15:45:17 +0000 (UTC) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o2UFjGoS026253 for ; Tue, 30 Mar 2010 15:45:16 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.14.3/8.14.3/Submit) id o2UFjGpw026252; Tue, 30 Mar 2010 15:45:16 GMT (envelope-from nobody) Message-Id: <201003301545.o2UFjGpw026252@www.freebsd.org> Date: Tue, 30 Mar 2010 15:45:16 GMT From: Nathaniel Filardo To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: kern/145211: Memory modified after free X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Mar 2010 15:50:04 -0000 >Number: 145211 >Category: kern >Synopsis: Memory modified after free >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Mar 30 15:50:03 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Nathaniel Filardo >Release: 9.0-CURRENT >Organization: >Environment: FreeBSD hydra.priv.oc.ietfng.org 9.0-CURRENT FreeBSD 9.0-CURRENT #19: Mon Mar 29 18:21:58 EDT 2010 root@hydra.priv.oc.ietfng.org:/systank/obj/systank/src/sys/NWFKERN sparc64 >Description: Kernel panic. No dump to disk is made. Moreover, despite having KDB turned on, the system did not drop to a db> prompt. login: Memory modified after free 0xfffff80019f97000(2048) val=dead0003 @ 0xfffff80019f97000 Memory modified after free 0xfffff8000569f000(2048) val=dead0003 @ 0xfffff8000569f000 Memory modified after free 0xfffff80005686800(2048) val=dead0003 @ 0xfffff80005686800 Memory modified after free 0xfffff800056dd800(2048) val=dead0003 @ 0xfffff800056dd800 Memory modified after free 0xfffff800054ba800(2048) val=dead0003 @ 0xfffff800054ba800 Memory modified after free 0xfffff8000565b000(2048) val=dead0003 @ 0xfffff8000565b000 Memory modified after free 0xfffff80005609800(2048) val=dead0003 @ 0xfffff80005609800 Memory modified after free 0xfffff80005608000(2048) val=dead0003 @ 0xfffff80005608000 Memory modified after free 0xfffff80005695800(2048) val=dead0003 @ 0xfffff80005695800 Memory modified after free 0xfffff8000563e800(2048) val=dead0003 @ 0xfffff8000563e800 Memory modified after free 0xfffff800055c2000(2048) val=dead0003 @ 0xfffff800055c2000 Memory modified after free 0xfffff80019f77800(2048) val=dead0003 @ 0xfffff80019f77800 Memory modified after free 0xfffff8001920b000(2048) val=dead0003 @ 0xfffff8001920b000 Memory modified after free 0xfffff80019fae000(2048) val=dead0003 @ 0xfffff80019fae000 Memory modified after free 0xfffff800055a6800(2048) val=dead0003 @ 0xfffff800055a6800 Memory modified after free 0xfffff8000565e000(2048) val=dead0003 @ 0xfffff8000565e000 Memory modified after free 0xfffff80005641800(2048) val=dead0003 @ 0xfffff80005641800 Memory modified after free 0xfffff80005675000(2048) val=dead0003 @ 0xfffff80005675000 Memory modified after free 0xfffff8000564c800(2048) val=dead0003 @ 0xfffff8000564c800 panic: pcib: PCI bus B error AFAR 0 AFSR 0 PCI CSR 0x10730b2aff IOMMU 0x3060003 STATUS 0x2a0 cpuid = 1 On pcib bus B I seem to have the following devices: pcib0: mem 0x4000ff00000-0x4000ff0afff,0x4000fc10000-0x4000fc1701f,0x7f600000000-0x7f6000000ff,0x4000ff80000-0x4000ff8ffff irq 2035,2032,2033,2036,2019 on nexus0 pcib0: Tomatillo, version 4, IGN 0x1f, bus B, 66MHz pcib0: DVMA map: 0xc0000000 to 0xdfffffff 65536 entries pci0: on pcib0 pci0: on pcib0 bge0: mem 0x200000-0x20ffff,0x110000-0x11ffff at device 2.0 on pci0 bge1: mem 0x400000-0x40ffff,0x120000-0x12ffff at device 2.1 on pci0 atapci0: port 0x900-0x907,0x918-0x91b,0x910-0x917,0x908-0x90b,0x920-0x92f at device 13.0 on pci1 atapci0: [ITHREAD] atapci0: using PIO transfers above 137GB as workaround for 48bit DMA access bug, expect reduced performance There's only a DVD drive attached to atapci0, and the driver for that is not loaded. pcib3: mem 0x4000ef00000-0x4000ef0afff,0x4000ec10000-0x4000ec1701f,0x7c600000000-0x7c6000000ff,0x4000ef80000-0x4000ef8ffff irq 1907,1904,1905,1908,1893 on nexus0 pcib3: Tomatillo, version 4, IGN 0x1d, bus B, 66MHz pcib3: DVMA map: 0xc0000000 to 0xdfffffff 65536 entries pci3: on pcib3 bge2: mem 0x200000-0x20ffff,0x110000-0x11ffff at device 2.0 on pci3 bge3: mem 0x400000-0x40ffff,0x120000-0x12ffff at device 2.1 on pci3 atapci1: port 0x300-0x3ff mem 0x600000-0x6fffff,0x800000-0xbfffff at device 1.0 on pci3 ata8: on atapci1 ata9: on atapci1 ata10: on atapci1 ata11: on atapci1 ad0: 715404MB at ata8-master UDMA100 SATA 3Gb/s ad1: 715404MB at ata9-master UDMA100 SATA 3Gb/s ad2: 715404MB at ata10-master UDMA100 SATA 3Gb/s ad3: 715404MB at ata11-master UDMA100 SATA 3Gb/s These four disks form a RAIDZ. Kernel configuration options that seem relevant: options SMP options KDB options INVARIANTS options INVARIANT_SUPPORT options WITNESS options WITNESS_SKIPSPIN device ata device atadisk nodevice atapicd nodevice atapifd nodevice atapist device atamarvell What more would be useful to know? >How-To-Repeat: Unknown; the crash has happened twice so far, once with a kernel from January after weeks of uptime and once with a kernel from yesterday after only a few hours. The system routinely survives multiple zfs scrubs of the four disks hanging off of pci3, so if it's an ATA bug it's a funny one. >Fix: >Release-Note: >Audit-Trail: >Unformatted: