From: Tor.Egge@fast.no
To: DougB@DougBarton.net
Cc: peter.jeremy@alcatel.com.au, kris@obsecurity.org, current@FreeBSD.ORG
Subject: Re: freelist corruption
Date: Mon, 28 May 2001 09:07:37 +0200
Message-Id: <200105280707.JAA01656@midten.fast.no>
In-Reply-To: Your message of "Sun, 27 May 2001 21:32:43 -0700"
References: <3B11D4EB.18663F7E@DougBarton.net>

> Peter Jeremy wrote:
> >
> > On 2001-May-27 20:36:54 -0700, Kris Kennaway wrote:
> > >I've been getting rather a lot of these tonight..any ideas?
> > >
> > >May 27 18:52:06 xor /boot/kernel/kernel: Data modified on freelist: word 2 of object 0xc1a60100 size 64 previous type pagedep (0xd6adc0de != 0xdeadc0de)
> >
> > If this isn't an ECC system
>
> I got one of these on my ECC system:
>
> May 25 01:16:20 Master /boot/kernel/kernel: Data modified on
> freelist: word 2 of object 0xc1a58dc0 size 52 previous type vfscache
> (0xd6adc0de != 0xdeadc0de)

I'm using the following experimental patch to avoid system crashes and the freelist corruption message.

The softupdate code seems to free pagedeps structures with the NEWBLOCK flag set (which indicates that a newdirblk structure is currently pointing to the pagedep structure). When the newdirblk structure is freed later on, it clears the NEWBLOCK flag, changing 0xdeadc0de to 0xd6adc0de. If the memory for the pagedep structure has been reused for something else, the system might crash.
free_newdirblk will typically be on the ddb stack backtrace.

- Tor Egge

Index: sys/ufs/ffs/ffs_softdep.c =================================================================== RCS file: /home/ncvs/src/sys/ufs/ffs/ffs_softdep.c,v retrieving revision 1.97 diff -u -r1.97 ffs_softdep.c --- sys/ufs/ffs/ffs_softdep.c 2001/05/19 19:24:26 1.97 +++ sys/ufs/ffs/ffs_softdep.c 2001/05/24 01:48:22 @@ -1932,6 +1932,11 @@ WORKLIST_INSERT(&inodedep->id_bufwait, &dirrem->dm_list); } + if ((pagedep->pd_state & NEWBLOCK) != 0) { + FREE_LOCK(&lk); + panic("deallocate_dependencies: " + "active pagedep"); + } WORKLIST_REMOVE(&pagedep->pd_list); LIST_REMOVE(pagedep, pd_hash); WORKITEM_FREE(pagedep, D_PAGEDEP); @@ -3930,8 +3935,12 @@ * is written back to disk. */ if (LIST_FIRST(&pagedep->pd_pendinghd) == 0) { - LIST_REMOVE(pagedep, pd_hash); - WORKITEM_FREE(pagedep, D_PAGEDEP); + if ((pagedep->pd_state & NEWBLOCK) != 0) { + printf("handle_written_filepage: active pagedep\n"); + } else { + LIST_REMOVE(pagedep, pd_hash); + WORKITEM_FREE(pagedep, D_PAGEDEP); + } } return (0); }
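
Review bot: In the first hunk (@@ -1932, the path that panics with "deallocate_dependencies: active pagedep"), the NEWBLOCK test runs only after the preceding block has already done WORKLIST_INSERT(&inodedep->id_bufwait, &dirrem->dm_list), so the panic fires with the dependency lists partly rewritten. Testing pd_state before any list manipulation for this pagedep would leave a cleaner state in the crash dump. The panic string also carries neither the pagedep address nor the pd_state value; printing both (for example with %p and %x) would let a dump be matched against the object address in the "Data modified on freelist" message. This path panics while the other hunk only printfs for the same condition, and a short comment explaining that difference would help.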
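
Review bot: In the second hunk (@@ -3930, handle_written_filepage), the NEWBLOCK branch skips both LIST_REMOVE(pagedep, pd_hash) and WORKITEM_FREE(pagedep, D_PAGEDEP) and then falls through to return (0) like the normal path, and nothing in the visible lines frees the pagedep once the flag has been cleared. Either point to the code that releases it later or add a comment stating that the structure is deliberately kept, so the fix does not trade a use-after-free for a silent leak. The printf("handle_written_filepage: active pagedep\n") has no pagedep address and no rate limit; including the pointer and limiting repeats would keep the console readable if this branch is hit often.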
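
The mechanism described in the message above, as an added example that is not part of the original post or of the FreeBSD source: a freed object is filled with 0xdeadc0de, a holder of a stale reference clears one flag bit, and the allocation-time check reports the damaged word. The array-of-words layout, the function names and the position of the state field in word 2 are assumptions; the NEWBLOCK bit position is taken from the one-bit difference between the two values in the log line.

```c
#include <stdint.h>
#include <stdio.h>

#define POISON     0xdeadc0deu        /* fill pattern from the log line */
#define NWORDS     16                 /* 64-byte object, as in the first report */
#define STATE_WORD 2                  /* assumed: state is the upper half of word 2 */
#define NEWBLOCK   (0x0800u << 16)    /* assumed bit; equals 0xdeadc0de ^ 0xd6adc0de */

/* Freeing poisons every word so a later write through a stale pointer shows. */
static void toy_free(uint32_t *obj) {
    for (int i = 0; i < NWORDS; i++) obj[i] = POISON;
}

/* What the newdirblk teardown does to the pagedep it still points at. */
static void clear_newblock(uint32_t *obj) { obj[STATE_WORD] &= ~NEWBLOCK; }

/* Allocation-time check: index of the first modified word, or -1 if clean. */
static int check_poison(const uint32_t *obj, uint32_t *found) {
    for (int i = 0; i < NWORDS; i++)
        if (obj[i] != POISON) { *found = obj[i]; return i; }
    return -1;
}

/* Guarded free in the spirit of the second hunk: keep the object while NEWBLOCK is set. */
static int guarded_free(uint32_t *obj) {
    if (obj[STATE_WORD] & NEWBLOCK) return 0;   /* still referenced, not freed */
    toy_free(obj);
    return 1;
}

int main(void) {
    uint32_t a[NWORDS] = {0}, b[NWORDS] = {0}, seen = 0;
    a[STATE_WORD] = b[STATE_WORD] = NEWBLOCK;   /* constructed: live object with the flag set */

    toy_free(a);                 /* freed while a reference remains */
    clear_newblock(a);           /* stale write lands in poisoned memory */
    int w = check_poison(a, &seen);
    printf("unguarded: word %d (0x%08x != 0x%08x)\n", w, (unsigned)seen, (unsigned)POISON);

    int freed = guarded_free(b); /* refused: flag still set */
    clear_newblock(b);           /* reference dropped while the object is live */
    freed += guarded_free(b);    /* now freed */
    printf("guarded: freed=%d, check=%d\n", freed, check_poison(b, &seen));
    return 0;
}
```

The poison check only detects the write after the fact, at the next allocation of that slot; the guarded path avoids it by not freeing while the flag says a reference exists.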