Date: Wed, 1 Sep 2004 20:16:29 +0200 From: Ulrich Spoerlein <q@uni.de> To: current@freebsd.org Subject: panic: Duplicate free of item 0xc3474084 from zone 0xc1044c60(g_bio) Message-ID: <20040901181629.GB953@galgenberg.net>
next in thread | raw e-mail | index | archive | help
--AqsLC8rIMeq19msA Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello, I discovered the following panic yesterday after fiddling with suspend and lid close on my laptop. First the odd thing: After several suspend+resume cycles there were no more ACPI Events. Pressing Fn+ESC (suspend), closing the lid, even pressing the power button did nothing. I restarted devd -D -d and it didn't "see" any events happening. acpiconf -s 1 still worked, and pressing the power button correctly resumed the laptop. Even 'sysctl hw.acpi.video.lcd0.active=3D0/1' worked as expected. It's just that the buttons on the laptop did nothing. I can't remember what I did next, I think it was after sysctl hw.acpi.video.lcd0.active=3D1 that the laptop crashed with this message and trace panic: Duplicate free of item 0xc3474084 from zone 0xc1044c60(g_bio) (kgdb) bt #0 doadump () at pcpu.h:159 #1 0xc048e0bb in db_fncall (dummy1=3D-482686232, dummy2=3D0, dummy3=3D-482= 686332,=20 dummy4=3D0xe33aca80 "z=E0n=C0") at /usr/src/sys/ddb/db_command.c:531 #2 0xc048e45c in db_command_loop () at /usr/src/sys/ddb/db_command.c:349 #3 0xc048fbe1 in db_trap (type=3D3, code=3D0) at /usr/src/sys/ddb/db_main.= c:221 #4 0xc057a245 in kdb_trap (type=3D3, code=3D0, tf=3D0xe33acba0) at /usr/sr= c/sys/kern/subr_kdb.c:418 #5 0xc06bb5f3 in trap (frame=3D {tf_fs =3D -482738152, tf_es =3D -1068040176, tf_ds =3D -1066336240, = tf_edi =3D 256, tf_esi =3D -1066180656, tf_ebp =3D -482685984, tf_isp =3D -= 482686004, tf_ebx =3D -482685944, tf_edx =3D 0, tf_ecx =3D -1066288042, tf_= eax =3D -1066296234, tf_trapno =3D 3, tf_err =3D 0, tf_eip =3D -1067999498,= tf_cs =3D 8, tf_eflags =3D 646, tf_esp =3D -482685956, tf_ss =3D -10680839= 65}) at /usr/src/sys/i386/i386/trap.c:576 #6 0xc06b027a in calltrap () at /usr/src/sys/i386/i386/exception.s:140 #7 0xe33a0018 in ?? () #8 0xc0570010 in softclock (dummy=3D0xc0719c56) at /usr/src/sys/kern/kern_= timeout.c:201 #9 0xc0565503 in panic (fmt=3D---Can't read userspace from dump, or kernel= process---) at /usr/src/sys/kern/kern_shutdown.c:542 #10 0xc068cd4b in uma_dbg_free (zone=3D0xc1044c60, slab=3D0xc3474f70, item= =3D0xc3474084) at /usr/src/sys/vm/uma_dbg.c:276 #11 0xc068b7d8 in uma_zfree_arg (zone=3D0xc1044c60, item=3D0xc3474084, udat= a=3D0x0) at /usr/src/sys/vm/uma_core.c:2228 #12 0xc05323c2 in g_destroy_bio (bp=3D0xc3474084) at uma.h:302 #13 0xc0530b0b in g_disk_done (bp=3D0xc3474084) at /usr/src/sys/geom/geom_d= isk.c:203 #14 0xc04af06d in ad_done (request=3D0xc25a1000) at /usr/src/sys/dev/ata/at= a-disk.c:322 #15 0xc04a2fd5 in ata_completed (context=3D0xc25a1000, dummy=3D0) at /usr/s= rc/sys/dev/ata/ata-queue.c:404 #16 0xc04a30de in ata_timeout (request=3D0xc25a1000) at /usr/src/sys/dev/at= a/ata-queue.c:442 #17 0xc0570153 in softclock (dummy=3D0x0) at /usr/src/sys/kern/kern_timeout= =2Ec:259 #18 0xc0554b8b in ithread_loop (arg=3D0xc22d4580) at /usr/src/sys/kern/kern= _intr.c:546 #19 0xc05540a2 in fork_exit (callout=3D0xc0554a79 <ithread_loop>, arg=3D0xc= 22d4580, frame=3D0xe33acd48) at /usr/src/sys/kern/kern_fork.c:820 #20 0xc06b02dc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:= 209 (kgdb) f 10 #10 0xc068cd4b in uma_dbg_free (zone=3D0xc1044c60, slab=3D0xc3474f70, item= =3D0xc3474084) at /usr/src/sys/vm/uma_dbg.c:276 276 panic("Duplicate free of item %p from zone %p(%s)\n= ", (kgdb) l 271 } 272 273 if (slab->us_freelist[freei].us_item !=3D 255) { 274 printf("Slab at %p, freei %d =3D %d.\n", 275 slab, freei, slab->us_freelist[freei].us_item); 276 panic("Duplicate free of item %p from zone %p(%s)\n= ", 277 item, zone, zone->uz_name); 278 } 279 280 /* (kgdb) p item $1 =3D (void *) 0xc3474084 (kgdb) p *item Attempt to dereference a generic pointer. (kgdb) p zone $2 =3D 0xc1044c60 (kgdb) p *zone $3 =3D {uz_name =3D 0xc0713f19 "g_bio", uz_lock =3D 0xc101e5a8, uz_keg =3D = 0xc101e5a0, uz_link =3D { le_next =3D 0x0, le_prev =3D 0xc101e5d8}, uz_full_bucket =3D {lh_first = =3D 0xc362d418},=20 uz_free_bucket =3D {lh_first =3D 0x0}, uz_ctor =3D 0, uz_dtor =3D 0, uz_i= nit =3D 0, uz_fini =3D 0,=20 uz_allocs =3D 1495977, uz_fills =3D 0, uz_count =3D 128, uz_cpu =3D {{uc_= freebucket =3D 0xc28d7a3c,=20 uc_allocbucket =3D 0xc3cc0418, uc_allocs =3D 40}}} I will update to the latest RELENG_5 and try to reproduce this panic. An older dmesg and the DSDT and ASL can be found here http://www.galgenberg.net/~q/freebsd/ Ulrich Spoerlein --=20 PGP Key ID: F0DB9F44 Get it while it's hot! PGP Fingerprint: F1CE D062 0CA9 ADE3 349B 2FE8 980A C6B5 F0DB 9F44 "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin --AqsLC8rIMeq19msA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (FreeBSD) iD4DBQFBNhH9mArGtfDbn0QRAkSiAJjWgPCgQ6DBOLfBM8kbMtwq4L9pAKCWD5F5 8qC6Ruf9DqduXQhslVMHkg== =UqRC -----END PGP SIGNATURE----- --AqsLC8rIMeq19msA--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040901181629.GB953>