From owner-freebsd-bugs Mon Jan 22 06:50:05 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA17472 for bugs-outgoing; Mon, 22 Jan 1996 06:50:05 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id GAA17463 Mon, 22 Jan 1996 06:50:03 -0800 (PST)
Resent-Date: Mon, 22 Jan 1996 06:50:03 -0800 (PST)
Resent-Message-Id: <199601221450.GAA17463@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, fortin@zap.qc.ca
Received: from poterne.mtl.dmr.ca (poterne.mtl.dmr.ca [198.168.83.201]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id GAA17206 for ; Mon, 22 Jan 1996 06:46:24 -0800 (PST)
Received: (from fortinde@localhost) by poterne.mtl.dmr.ca (8.6.11/8.6.6a) id JAA02908; Mon, 22 Jan 1996 09:46:13 -0500
Message-Id: <199601221446.JAA02908@poterne.mtl.dmr.ca>
Date: Mon, 22 Jan 1996 09:46:13 -0500
From: Denis.Fortin@dmr.ca
Reply-To: fortin@zap.qc.ca
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/965: 2.0.5 daily crash: multiple frees in if_ppp.c
Sender: owner-bugs@freebsd.org
Precedence: bulk

>Number: 965
>Category: kern
>Synopsis: 2.0.5: system crashes daily because of "multiple frees" in if_ppp.c
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Jan 22 06:50:01 PST 1996
>Last-Modified:
>Originator: Denis Fortin
>Organization: DMR Group Inc, +1 (514) 877-3301
>Release: FreeBSD 2.0-BUILT-19950603 i386
>Environment:

Internet gateway used daily by 250 people for PPP and SLIP connections (about 150 connections/day). System has 8 modems available on a BocaBoard BB-2016 multi-port board, and the connections traffic is regular (i.e. people keep coming and going constantly).
System is an 80486 @ 33MHz with 64MB RAM and 2 GB disk space; here is the output from 'dmesg':

--->>> CUT HERE <<<---
FreeBSD 2.0.5-RELEASE #0: Wed Jan 3 09:39:27 EST 1996
    fortinde@poterne.mtl.dmr.ca:/usr/src/sys/compile/DMR
CPU: i486DX (486-class CPU)
real memory = 66715648 (16288 pages)
avail memory = 63037440 (15390 pages)
Probing for devices on the ISA bus:
sc0 at 0x60-0x6f irq 1 on motherboard
sc0: VGA color <16 virtual consoles, flags=0x0>
ed0 at 0x280-0x29f irq 10 on isa
ed0: address 00:00:1b:4a:89:27, type NE2000 (16 bit)
ed1 at 0x300-0x30f irq 5 maddr 0xd8000 msize 8192 on isa
ed1: address 02:60:8c:45:44:e7, type 3c503 (8 bit)
sio0 at 0x3f8-0x3ff irq 4 on isa
sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16550A
sio2 at 0x100-0x107 flags 0x1105 on isa
sio2: type 16550A (multiport)
sio3 at 0x108-0x10f flags 0x1105 on isa
sio3: type 16550A (multiport)
sio4 at 0x110-0x117 flags 0x1105 on isa
sio4: type 16550A (multiport)
sio5 at 0x118-0x11f flags 0x1105 on isa
sio5: type 16550A (multiport)
sio6 at 0x120-0x127 flags 0x1105 on isa
sio6: type 16550A (multiport)
sio7 at 0x128-0x12f flags 0x1105 on isa
sio7: type 16550A (multiport)
sio8 at 0x130-0x137 flags 0x1105 on isa
sio8: type 16550A (multiport)
sio9 at 0x138-0x13f flags 0x1105 on isa
sio9: type 16550A (multiport)
sio10 at 0x140-0x147 flags 0x1105 on isa
sio10: type 16550A (multiport)
sio11 at 0x148-0x14f flags 0x1105 on isa
sio11: type 16550A (multiport)
sio12 at 0x150-0x157 flags 0x1105 on isa
sio12: type 16550A (multiport)
sio13 at 0x158-0x15f flags 0x1105 on isa
sio13: type 16550A (multiport)
sio14 at 0x160-0x167 flags 0x1105 on isa
sio14: type 16550A (multiport)
sio15 at 0x168-0x16f flags 0x1105 on isa
sio15: type 16550A (multiport)
sio16 at 0x170-0x177 flags 0x1105 on isa
sio16: type 16550A (multiport)
sio17 at 0x178-0x17f irq 12 flags 0x1105 on isa
sio17: type 16550A (multiport master)
lpt0 at 0x378-0x37f irq 7 on isa
lpt0: Interrupt-driven port
lp0: TCP/IP capable interface
lpt1 at 0x278-0x27f on isa
lpt2 not found at 0xffffffff
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: NEC 72065B
fd0: 1.44MB 3.5in
wdc0 not found at 0x1f0
ahb0: reading board settings, int=11
ahb0 at 0x1000-0x10ff irq 11 on eisa slot 1
ahb0 waiting for scsi devices to settle
(ahb0:0:0): "MICROP 1598-15MD1066701 DD24" type 0 fixed SCSI 1
sd0(ahb0:0:0): Direct-Access 991MB (2031554 512 byte sectors)
(ahb0:1:0): "MICROP 1598-15MD1066701 DD24" type 0 fixed SCSI 1
sd1(ahb0:1:0): Direct-Access 991MB (2031554 512 byte sectors)
(ahb0:2:0): "TANDBERG TDC 3800 -03:" type 1 removable SCSI 1
st0(ahb0:2:0): Sequential-Access density code 0x0, drive empty
scd0 not found at 0x230
npx0 on motherboard
npx0: INT 16 interface
changing root device to sd0a
--->>> CUT HERE <<<---

>Description:

System crashes a few times a week (2-5) and reboots. This is Most Annoying since the BB-2016 then seems to require a manual "shutdown -r" about 50% of the time or it isn't properly reset (i.e. the machine stops answering the phone).

Finally got a crashdump and produced the following traceback info

--->>> CUT HERE <<<---
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), Copyright 1994 Free Software Foundation, Inc...
IdlePTD 1f0000
current pcb at 1c3f70
panic: free: multiple frees
#0  boot (arghowto=256) at ../../i386/i386/machdep.c:870
870             dumppcb.pcb_ptd = rcr3();
(kgdb) bt
#0  boot (arghowto=256) at ../../i386/i386/machdep.c:870
#1  0xf0112843 in panic (fmt=0xf010b9b2 "free: multiple frees") at ../../kern/subr_prf.c:128
#2  0xf010ba93 in free (addr=0xf1520180, type=1) at ../../kern/kern_malloc.c:337
#3  0xf013582e in pppstart (tp=0xf01c23e4) at ../../net/if_ppp.c:1028
#4  0xf01a84fc in siopoll () at ../../i386/isa/sio.c:1569
#5  0xf018e667 in doreti_swi ()
#6  0xf019688c in cpu_switch ()
(kgdb) up
#1  0xf0112843 in panic (fmt=0xf010b9b2 "free: multiple frees") at ../../kern/subr_prf.c:128
128             boot(bootopt);
(kgdb) up
#2  0xf010ba93 in free (addr=0xf1520180, type=1) at ../../kern/kern_malloc.c:337
337                             panic("free: multiple frees");
(kgdb) l
332     #endif /* DIAGNOSTIC */
333     #ifdef KMEMSTATS
334             kup->ku_freecnt++;
335             if (kup->ku_freecnt >= kbp->kb_elmpercl)
336                     if (kup->ku_freecnt > kbp->kb_elmpercl)
337                             panic("free: multiple frees");
338                     else if (kbp->kb_totalfree > kbp->kb_highwat)
339                             kbp->kb_couldfree++;
340             kbp->kb_totalfree++;
341             ksp->ks_memuse -= size;
(kgdb) info locals
kbp = (struct kmembuckets *) 0xf01dc65c
kup = (struct kmemusage *) 0xf0f34794
freep = (struct freelist *) 0xf1520180
size = 0
s = -1073676288
ksp = (struct kmemstats *) 0xf01dd114
(kgdb) quit
--->>> CUT HERE <<<---

>How-To-Repeat:

Just letting the system run seems to produce the problem almost daily (but not quite).

>Fix:

No workaround known. Now that I know that the problem is in if_ppp.c, I might try looking around in there.

>Audit-Trail:
>Unformatted:
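
Added example, not part of the original report and not FreeBSD source: a simplified userland C model of the counter check shown in the kern_malloc.c listing above (lines 334-337), showing that the check fires on whichever free() pushes a page's free count past kb_elmpercl, which can be the duplicate free itself, a later legitimate free, or never. The allocation-side decrement and the names model_malloc, model_free and first_panicking_free are assumptions of this model.

```c
#include <stdio.h>

/* Simplified userland model (constructed for illustration, not FreeBSD
 * source). Field names follow the kgdb listing in the report. */
struct kmemusage   { int ku_freecnt;  };  /* free elements on one page */
struct kmembuckets { int kb_elmpercl; };  /* elements per page (cluster) */

/* Assumption of this model: handing out an element lowers the count. */
static void model_malloc(struct kmemusage *kup) { kup->ku_freecnt--; }

/* Mirrors listing lines 334-337; returns 1 where the kernel would panic. */
static int model_free(struct kmemusage *kup, const struct kmembuckets *kbp)
{
    kup->ku_freecnt++;
    return kup->ku_freecnt > kbp->kb_elmpercl;
}

/*
 * Take nalloc elements from a fresh page, free element 0 twice (calls 1
 * and 2; call 2 is the duplicate), then free nlater of the other elements
 * legitimately. Returns the 1-based number of the free() call that trips
 * the check, or 0 if the duplicate is never noticed.
 */
int first_panicking_free(int elmpercl, int nalloc, int nlater)
{
    struct kmembuckets kb = { elmpercl };
    struct kmemusage ku = { elmpercl };   /* fresh page: everything free */
    int call = 0, i;

    for (i = 0; i < nalloc; i++)
        model_malloc(&ku);
    for (i = 0; i < 2 + nlater; i++) {
        call++;
        if (model_free(&ku, &kb))
            return call;
    }
    return 0;
}

int main(void)
{
    /* Only element in use on the page: the duplicate itself panics. */
    printf("1 of 4 in use:          call %d\n", first_panicking_free(4, 1, 0));
    /* Page fully in use: panic arrives on a later, legitimate free. */
    printf("4 of 4 in use, 3 freed: call %d\n", first_panicking_free(4, 4, 3));
    /* One element stays allocated: the counter never overflows. */
    printf("4 of 4 in use, 2 freed: call %d\n", first_panicking_free(4, 4, 2));
    return 0;
}
```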