Date: Thu, 7 Oct 2004 16:48:44 -0400 From: Brian Fundakowski Feldman <green@FreeBSD.org> To: Kris Kennaway <kris@obsecurity.org> Cc: net@FreeBSD.org Subject: Re: "panic: fxp_start_body: attempted use of a free mbuf!" in RELENG_5 Message-ID: <20041007204844.GE73261@green.homeunix.org> In-Reply-To: <20041007165719.GA4023@xor.obsecurity.org> References: <20041007165719.GA4023@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Oct 07, 2004 at 09:57:19AM -0700, Kris Kennaway wrote:
> Top of RELENG_5 on an smp machine:
> 
> panic: fxp_start_body: attempted use of a free mbuf!
> cpuid = 1
> KDB: enter: panic
> [thread 100042]
> Stopped at      kdb_enter+0x30: leave
> db> trace
> kdb_enter(c06de69a,1,c06d47c5,ebbd2b14,c34cd320) at kdb_enter+0x30
> panic(c06d47c5,c06c1030,4,c0499300,c3539000) at panic+0x14e
> fxp_start_body(c3539000,0,c06d5639,4ca,c3539000) at fxp_start_body+0x462
> fxp_start(c3539000,122,0,c3539000) at fxp_start+0x3f
> if_start(c3539000,0,c06e7822,179,ffff8002) at if_start+0x99
> ether_output_frame(c3539000,c38b5300,6,c4106b00,ebbd2bc8) at ether_output_frame+0x218
> ether_output(c3539000,c38b5300,c4106b00,c95ec210,c04fe48d) at ether_output+0x43e
> in_arpinput(c38b8700,122,c38b8700,c07656b8,c38b8700) at in_arpinput+0x686
> arpintr(c38b8700,0,c06e7c88,e5,c07656b8) at arpintr+0x104
> netisr_processqueue(c07656b8,c0738ac0,1,c06dda24,c3462940) at netisr_processqueue+0x8e
> swi_net(0,0,c06dc037,269,c0738ac0) at swi_net+0xe9
> ithread_loop(c345d880,ebbd2d48,c06dbe2a,323,d552d9c9) at ithread_loop+0x172
> fork_exit(c04f1210,c345d880,ebbd2d48) at fork_exit+0xc6
> fork_trampoline() at fork_trampoline+0x8
> --- trap 0x1, eip = 0, esp = 0xebbd2d7c, ebp = 0 ---
Does this fix it?
Index: uma_core.c
===================================================================
RCS file: /usr/ncvs/src/sys/vm/uma_core.c,v
retrieving revision 1.105
diff -u -r1.105 uma_core.c
--- uma_core.c	6 Aug 2004 21:52:38 -0000	1.105
+++ uma_core.c	7 Oct 2004 20:31:08 -0000
@@ -825,13 +825,16 @@
 	slab->us_freecount = keg->uk_ipers;
 	slab->us_firstfree = 0;
 	slab->us_flags = flags;
-	for (i = 0; i < keg->uk_ipers; i++)
-		slab->us_freelist[i].us_item = i+1;
 
 	if (keg->uk_flags & UMA_ZONE_REFCNT) {
 		slabref = (uma_slabrefcnt_t)slab;
-		for (i = 0; i < keg->uk_ipers; i++)
+		for (i = 0; i < keg->uk_ipers; i++) {
 			slabref->us_freelist[i].us_refcnt = 0;
+			slabref->us_freelist[i].us_item = i+1;
+		}
+	} else {
+		for (i = 0; i < keg->uk_ipers; i++)
+			slab->us_freelist[i].us_item = i+1;
 	}
 
 	if (keg->uk_init != NULL) {
@@ -1983,13 +1986,19 @@
 uma_slab_alloc(uma_zone_t zone, uma_slab_t slab)
 {
 	uma_keg_t keg;
+	uma_slabrefcnt_t slabref;
 	void *item;
 	u_int8_t freei;
 
 	keg = zone->uz_keg;
 
 	freei = slab->us_firstfree;
-	slab->us_firstfree = slab->us_freelist[freei].us_item;
+	if (keg->uk_flags & UMA_ZONE_REFCNT) {
+		slabref = (uma_slabrefcnt_t)slab;
+		slab->us_firstfree = slabref->us_freelist[freei].us_item;
+	} else {
+		slab->us_firstfree = slab->us_freelist[freei].us_item;
+	}
 	item = slab->us_data + (keg->uk_rsize * freei);
 
 	slab->us_freecount--;
@@ -2339,6 +2348,7 @@
     enum zfreeskip skip)
 {
 	uma_slab_t slab;
+	uma_slabrefcnt_t slabref;
 	uma_keg_t keg;
 	u_int8_t *mem;
 	u_int8_t freei;
@@ -2382,7 +2392,12 @@
 		uma_dbg_free(zone, slab, item);
 #endif
 
-	slab->us_freelist[freei].us_item = slab->us_firstfree;
+	if (keg->uk_flags & UMA_ZONE_REFCNT) {
+		slabref = (uma_slabrefcnt_t)slab;
+		slabref->us_freelist[freei].us_item = slab->us_firstfree;
+	} else {
+		slab->us_freelist[freei].us_item = slab->us_firstfree;
+	}
 	slab->us_firstfree = freei;
 	slab->us_freecount++;
 
@@ -2545,18 +2560,19 @@
 u_int32_t *
 uma_find_refcnt(uma_zone_t zone, void *item)
 {
-	uma_slabrefcnt_t slab;
+	uma_slabrefcnt_t slabref;
 	uma_keg_t keg;
 	u_int32_t *refcnt;
 	int idx;
 
 	keg = zone->uz_keg;
-	slab = (uma_slabrefcnt_t)vtoslab((vm_offset_t)item & (~UMA_SLAB_MASK));
-	KASSERT(slab != NULL,
+	slabref = (uma_slabrefcnt_t)vtoslab((vm_offset_t)item &
+	    (~UMA_SLAB_MASK));
+	KASSERT(slabref != NULL && slabref->us_keg->uk_flags & UMA_ZONE_REFCNT,
 	    ("uma_find_refcnt(): zone possibly not UMA_ZONE_REFCNT"));
-	idx = ((unsigned long)item - (unsigned long)slab->us_data)
+	idx = ((unsigned long)item - (unsigned long)slabref->us_data)
 	    / keg->uk_rsize;
-	refcnt = &(slab->us_freelist[idx].us_refcnt);
+	refcnt = &slabref->us_freelist[idx].us_refcnt;
 	return refcnt;
 }
 
Index: uma_dbg.c
===================================================================
RCS file: /usr/ncvs/src/sys/vm/uma_dbg.c,v
retrieving revision 1.15
diff -u -r1.15 uma_dbg.c
--- uma_dbg.c	2 Aug 2004 00:18:35 -0000	1.15
+++ uma_dbg.c	7 Oct 2004 20:35:22 -0000
@@ -218,6 +218,7 @@
 uma_dbg_alloc(uma_zone_t zone, uma_slab_t slab, void *item)
 {
 	uma_keg_t keg;
+	uma_slabrefcnt_t slabref;
 	int freei;
 
 	keg = zone->uz_keg;
@@ -231,7 +232,12 @@
 	freei = ((unsigned long)item - (unsigned long)slab->us_data)
 	    / keg->uk_rsize;
 
-	slab->us_freelist[freei].us_item = 255;
+	if (keg->uk_flags & UMA_ZONE_REFCNT) {
+		slabref = (uma_slabrefcnt_t)slab;
+		slabref->us_freelist[freei].us_item = 255;
+	} else {
+		slab->us_freelist[freei].us_item = 255;
+	}
 
 	return;
 }
@@ -246,6 +252,7 @@
 uma_dbg_free(uma_zone_t zone, uma_slab_t slab, void *item)
 {
 	uma_keg_t keg;
+	uma_slabrefcnt_t slabref;
 	int freei;
 
 	keg = zone->uz_keg;
@@ -270,17 +277,34 @@
 		    (freei * keg->uk_rsize) + slab->us_data);
 	}
 
-	if (slab->us_freelist[freei].us_item != 255) {
-		printf("Slab at %p, freei %d = %d.\n",
-		    slab, freei, slab->us_freelist[freei].us_item);
-		panic("Duplicate free of item %p from zone %p(%s)\n",
-		    item, zone, zone->uz_name);
+	if (keg->uk_flags & UMA_ZONE_REFCNT) {
+		slabref = (uma_slabrefcnt_t)slab;
+		if (slabref->us_freelist[freei].us_item != 255) {
+			printf("Slab at %p, freei %d = %d.\n",
+			    slab, freei, slabref->us_freelist[freei].us_item);
+			panic("Duplicate free of item %p from zone %p(%s)\n",
+			    item, zone, zone->uz_name);
+		}
+
+		/*
+		 * When this is actually linked into the slab this will change.
+		 * Until then the count of valid slabs will make sure we don't
+		 * accidentally follow this and assume it's a valid index.
+		 */
+		slabref->us_freelist[freei].us_item = 0;
+	} else {
+		if (slab->us_freelist[freei].us_item != 255) {
+			printf("Slab at %p, freei %d = %d.\n",
+			    slab, freei, slab->us_freelist[freei].us_item);
+			panic("Duplicate free of item %p from zone %p(%s)\n",
+			    item, zone, zone->uz_name);
+		}
+
+		/*
+		 * When this is actually linked into the slab this will change.
+		 * Until then the count of valid slabs will make sure we don't
+		 * accidentally follow this and assume it's a valid index.
+		 */
+		slab->us_freelist[freei].us_item = 0;
 	}
-
-	/*
-	 * When this is actually linked into the slab this will change.
-	 * Until then the count of valid slabs will make sure we don't
-	 * accidentally follow this and assume it's a valid index.
-	 */
-	slab->us_freelist[freei].us_item = 0;
 }
-- 
Brian Fundakowski Feldman                           \'[ FreeBSD ]''''''''''\
  <> green@FreeBSD.org                               \  The Power to Serve! \
 Opinions expressed are my own.                       \,,,,,,,,,,,,,,,,,,,,,,\
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041007204844.GE73261>
