Date: Thu, 18 Oct 2001 08:06:21 -0700 (PDT)
From: John Baldwin <jhb@FreeBSD.org>
To: current@FreeBSD.org
Subject: Panic: zalloc: item is free
Message-ID: <XFMail.011018080621.jhb@FreeBSD.org>
This one is a bit harder to track down than the ata one, it just happened while
I was sitting in X. It might have been just after resuming, but I can't
exactly remember. Note that like the ata panic, we panic'd trying to sync the
disks (perhaps we shouldn't try to sync the disks on a panic?) and thus that
the real panic is at frame #13.
(kgdb) where
#0 dumpsys () at ../../../kern/kern_shutdown.c:488
#1 0xc0202443 in boot (howto=16644) at ../../../kern/kern_shutdown.c:331
#2 0xc0202869 in panic (fmt=0xc03337d9 "bremfree: bp %p not locked")
at ../../../kern/kern_shutdown.c:628
#3 0xc0230f6d in bremfree (bp=0xc3b5f974) at ../../../kern/vfs_bio.c:535
#4 0xc02331f1 in getblk (vp=0xcc7a9ec0, blkno=160, size=8192, slpflag=0,
slptimeo=0) at ../../../kern/vfs_bio.c:2215
#5 0xc0231044 in breadn (vp=0xcc7a9ec0, blkno=160, size=8192, rablkno=0x0,
rabsize=0x0, cnt=0, cred=0x0, bpp=0xccdbfaac)
at ../../../kern/vfs_bio.c:593
#6 0xc0231011 in bread (vp=0xcc7a9ec0, blkno=160, size=8192, cred=0x0,
bpp=0xccdbfaac) at ../../../kern/vfs_bio.c:575
#7 0xc029ff4f in ffs_update (vp=0xccdaacc0, waitfor=0)
at ../../../ufs/ffs/ffs_inode.c:101
#8 0xc02ac9da in ffs_fsync (ap=0xccdbfb20) at ../../../ufs/ffs/ffs_vnops.c:292
#9 0xc02ab1b6 in ffs_sync (mp=0xc141fe00, waitfor=2, cred=0xc0b63e00,
td=0xc03e7624) at vnode_if.h:441
#10 0xc023d4a1 in sync (td=0xc03e7624, uap=0x0)
at ../../../kern/vfs_syscalls.c:640
#11 0xc020208c in boot (howto=16640) at ../../../kern/kern_shutdown.c:240
#12 0xc0202869 in panic (fmt=0xc034516c "item is not free")
at ../../../kern/kern_shutdown.c:628
#13 0xc02c26c7 in zalloc (z=0xc03e5340) at ../../../vm/vm_zone.c:483
#14 0xc02e764a in get_pv_entry () at ../../../i386/i386/pmap.c:1693
#15 0xc02e77bc in pmap_insert_entry (pmap=0xc7fd72cc, va=678203392,
mpte=0xc08d0c5c, m=0xc093b480) at ../../../i386/i386/pmap.c:1793
#16 0xc02e86eb in pmap_copy (dst_pmap=0xc7fd72cc, src_pmap=0xc7fd73ac,
dst_addr=678182912, len=4624384, src_addr=678182912)
at ../../../i386/i386/pmap.c:2845
#17 0xc02b9927 in vm_map_copy_entry (src_map=0xc7fd7340, dst_map=0xc7fd7260,
src_entry=0xccdc19c0, dst_entry=0xccdc3b40) at ../../../vm/vm_map.c:2252
#18 0xc02b9b91 in vmspace_fork (vm1=0xc7fd7340) at ../../../vm/vm_map.c:2371
#19 0xc02b64e9 in vm_forkproc (td=0xccd1ef04, p2=0xccd1eb00, flags=20)
at ../../../vm/vm_glue.c:247
#20 0xc01f4834 in fork1 (td=0xccd1ef04, flags=20, procp=0xccdbfce8)
at ../../../kern/kern_fork.c:624
#21 0xc01f3ad6 in fork (td=0xccd1ef04, uap=0xccdbfd20)
at ../../../kern/kern_fork.c:121
#22 0xc02eafe7 in syscall (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
tf_edi = -1077938084, tf_esi = 686389012, tf_ebp = -1077938028,
tf_isp = -857997964, tf_ebx = 686387764, tf_edx = 4, tf_ecx = 686389012,
tf_eax = 2, tf_trapno = 12, tf_err = 2, tf_eip = 685007816, tf_cs = 31,
tf_eflags = 582, tf_esp = -1077938184, tf_ss = 47})
at ../../../i386/i386/trap.c:1122
(kgdb) frame 13
#13 0xc02c26c7 in zalloc (z=0xc03e5340) at ../../../vm/vm_zone.c:483
483 KASSERT(((void **) item)[1] == ZENTRY_FREE,
(kgdb) l
478 }
479
480 item = z->zitems;
481 z->zitems = ((void **) item)[0];
482 #ifdef INVARIANTS
483 KASSERT(((void **) item)[1] == ZENTRY_FREE,
484 ("item is not free"));
485 ((void **) item)[1] = 0;
486 #endif
487
(kgdb) x/2 item
0xc0ac0ffc: 0xc0ac0fe0 0x12340000
(kgdb) p z->zname
$3 = 0xc034ca37 "PV ENTRY"
(kgdb) p z->zitems
$4 = (void *) 0xc0ac0fe0
../../../vm/vm_zone.c:#define ZENTRY_FREE (void*)0x12342378
Looks like the lower 2 bytes were cleared. Perhaps a dangling reference to a
pv_entry somewhere?
typedef struct pv_entry {
pmap_t pv_pmap; /* pmap where mapping lies */
vm_offset_t pv_va; /* virtual address for mapping */
TAILQ_ENTRY(pv_entry) pv_list;
TAILQ_ENTRY(pv_entry) pv_plist;
vm_page_t pv_ptem; /* VM page for pte */
} *pv_entry_t;
So it looks like pv_va of a free'd pv_entry was modified perhaps?
--
John Baldwin <john@baldwin.cx> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
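
Added example, not part of the original message and not FreeBSD's vm_zone.c: a user-space model of the free-list marker check that fired in frame #13, showing how a write to the pv_va slot of an already-freed entry leaves 0x12340000 where the allocator expects ZENTRY_FREE. The names toy_zone, toy_zfree, toy_zalloc and demo_stale_write are hypothetical, the mapping address is constructed, and unlike the quoted kernel lines this model checks the marker before unlinking the item.

```c
#include <stdint.h>
#include <stdio.h>

#define ZENTRY_FREE ((uintptr_t)0x12342378) /* marker value quoted in the message */
/* Word layout of the pv_entry above: pv_pmap, pv_va, then five more words. */
enum { PV_PMAP = 0, PV_VA = 1, ITEM_WORDS = 7 };
struct toy_zone { uintptr_t *zitems; };     /* hypothetical: free-list head only */

/* Free: word 0 becomes the next-free link, word 1 the free marker. */
static void toy_zfree(struct toy_zone *z, uintptr_t *item)
{
    item[0] = (uintptr_t)z->zitems;
    item[1] = ZENTRY_FREE;
    z->zitems = item;
}

/* Allocate with the INVARIANTS-style check. On a damaged marker, return NULL
 * and report the word found (the kernel panics with "item is not free"). */
static uintptr_t *toy_zalloc(struct toy_zone *z, uintptr_t *found)
{
    uintptr_t *item = z->zitems;
    if (item == NULL)
        return NULL;
    *found = item[1];
    if (item[1] != ZENTRY_FREE)
        return NULL;
    z->zitems = (uintptr_t *)item[0];
    item[1] = 0;
    return item;
}

/* Constructed scenario: a stale pointer clears the low 16 bits of a freed pv_va. */
static uintptr_t demo_stale_write(void)
{
    static uintptr_t slab[ITEM_WORDS];
    struct toy_zone z = { NULL };
    uintptr_t found = 0;
    toy_zfree(&z, slab);                      /* seed the zone with one item */
    uintptr_t *pv = toy_zalloc(&z, &found);   /* live entry */
    pv[PV_VA] = 0x20001000;                   /* constructed mapping address */
    toy_zfree(&z, pv);                        /* entry freed, pv is now stale */
    pv[PV_VA] &= ~(uintptr_t)0xffff;          /* write through the stale pointer */
    return toy_zalloc(&z, &found) == NULL ? found : 0;
}

int main(void)
{
    printf("marker word at next zalloc: 0x%lx\n", (unsigned long)demo_stale_write());
}
```

The check only reports the damage at the next allocation from the zone, so the frame that trips it (here the fork path) is not necessarily the code that made the stale write.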
