Date: Wed, 29 Dec 2004 11:17:13 -0800
From: Kris Kennaway
To: current@FreeBSD.org
Message-ID: <20041229191713.GA24848@xor.obsecurity.org>
Subject: INVARIANTS panics on RELENG_5 and HEAD

I'm regularly getting panics of the following form, on both RELENG_5
systems (UP and SMP sparc64) and HEAD (UP amd64):

Memory modified after free 0xfffff8000446c800(504) val=deadc0dd @ 0xfffff8000446c920
panic: Most recently used by file desc
cpuid = 2
KDB: enter: panic
Dumping 512 MB (1 chunks)
chunk at 0: 536870912 bytes |\^H
---
#0 doadump () at ../../../kern/kern_shutdown.c:246
246 savectx(&dumppcb);
(kgdb) bt
#0 doadump () at ../../../kern/kern_shutdown.c:246
#1 0x00000000c005dbf4 in db_fncall (dummy1=0, dummy2=0, dummy3=4, dummy4=0xddb4aaf0 "") at ../../../ddb/db_command.c:531
#2 0x00000000c005dde4 in db_command_loop () at ../../../ddb/db_command.c:349
#3 0x00000000c0060808 in db_trap (type=107, code=0) at ../../../ddb/db_main.c:210
#4 0x00000000c015afa8 in kdb_trap (type=107, code=0, tf=0x1) at ../../../kern/subr_kdb.c:418
#5 0x00000000c02ac0e0 in trap (tf=0xddb4aec0) at ../../../sparc64/sparc64/trap.c:308
#6 0x00000000c015a9b8 in kdb_enter (msg=---Can't read userspace from dump, or kernel process--- ) at ../../../kern/subr_kdb.c:238
#7 0x00000000c015a9b0 in kdb_enter (msg=0xc0343988 "panic") at ../../../kern/subr_kdb.c:238
#8 0x00000000c013e47c in panic (fmt=0xc035e3a8 "Most recently used by %s\n") at ../../../kern/kern_shutdown.c:527
#9 0x00000000c028dd5c in mtrash_ctor (mem=0xc03400b8, size=71748088, arg=0x0, flags=258) at ../../../vm/uma_dbg.c:134
#10 0x00000000c028ca8c in uma_zalloc_arg (zone=0xfffff8001e3fcee0, udata=0x0, flags=258) at ../../../vm/uma_core.c:1826
#11 0x00000000c0133d68 in malloc (size=5, type=0xc0381118, flags=507507200) at uma.h:274
#12 0x00000000c011d320 in fdinit (fdp=0x689) at ../../../kern/kern_descrip.c:1409
#13 0x00000000c011d4a8 in fdcopy (fdp=0xfffff80016ed2800) at ../../../kern/kern_descrip.c:1462
#14 0x00000000c0128128 in fork1 (td=0xfffff80011d37710, flags=20, pages=0, procp=0xddb4b6a8) at ../../../kern/kern_fork.c:432
#15 0x00000000c0128d10 in fork (td=0x40349548, uap=0xddb4b8c0) at ../../../kern/kern_fork.c:97
#16 0x00000000c02ac4a0 in syscall (tf=0xddb4b880) at ../../../sparc64/sparc64/trap.c:593

Memory modified after free 0xffffff001235b000(4088) val=adc0de @ 0xffffff001235bac4
panic: Most recently used by subproc
KDB: enter: panic
[thread pid 72540 tid 100233 ]
Stopped at kdb_enter+0x2f: nop
dbtr
Tracing pid 72540 tid 100233 td 0xffffff0011c8fc80
kdb_enter() at kdb_enter+0x2f
panic() at panic+0x1d2
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x421
malloc() at malloc+0x9c
sigacts_alloc() at sigacts_alloc+0x1f
fork1() at fork1+0x118a
fork() at fork+0x1c
syscall() at syscall+0x4ab
Xfast_syscall() at Xfast_syscall+0xa8
--- syscall (2, FreeBSD ELF64, fork), rip = 0x8009176c0, rsp = 0x7fffffffe1d8, rbp = 0x527000 ---

Memory modified after free 0xfffff80010400200(504) val=deadc0dd @ 0xfffff80010400320
panic: Most recently used by subproc
cpuid = 1
KDB: enter: panic
[thread 100139]
Stopped at kdb_enter+0x38: ta %xcc, 1
db> tr
panic() at panic+0x19c
mtrash_ctor() at mtrash_ctor+0x7c
uma_zalloc_arg() at uma_zalloc_arg+0x42c
malloc() at malloc+0xa8
sysarch() at sysarch+0x1b4
syscall() at syscall+0x220
-- syscall (165, FreeBSD ELF64, sysarch) %o7=0x40370a9c --

I'm also getting other panics relating to the filedesc code, on
RELENG_5:

panic: fdrop: count < 0

panic messages:
---
panic: fdrop: count < 0
cpuid = 2
KDB: enter: panic
Dumping 512 MB (1 chunks)
chunk at 0: 536870912 bytes |\^H
---
#0 doadump () at ../../../kern/kern_shutdown.c:246
246 savectx(&dumppcb);
(kgdb) bt
#0 doadump () at ../../../kern/kern_shutdown.c:246
#1 0x00000000c005d9d4 in db_fncall (dummy1=3, dummy2=0, dummy3=-1, dummy4=0xd6918de0 "") at ../../../ddb/db_command.c:531
#2 0x00000000c005dbc4 in db_command_loop () at ../../../ddb/db_command.c:349
#3 0x00000000c0060608 in db_trap (type=107, code=0) at ../../../ddb/db_main.c:210
#4 0x00000000c0167dc8 in kdb_trap (type=107, code=0, tf=0x1) at ../../../kern/subr_kdb.c:418
#5 0x00000000c02d30a4 in trap (tf=0xd69191b0) at ../../../sparc64/sparc64/trap.c:308
#6 0x00000000c01677d8 in kdb_enter (msg=---Can't read userspace from dump, or kernel process--- ) at ../../../kern/subr_kdb.c:238
#7 0x00000000c01677d0 in kdb_enter (msg=0xc03675c0 "panic") at ../../../kern/subr_kdb.c:238
#8 0x00000000c0148d34 in panic (fmt=0xc0364f80 "fdrop: count < 0") at atomic.h:278
#9 0x00000000c0120804 in fdrop_locked (fp=0xfffff80008c9d730, td=0xfffff8001775b480) at ../../../kern/kern_descrip.c:2092
#10 0x00000000c01208a8 in closef (fp=0xfffff80008c9d730, td=0xfffff8001775b480) at ../../../kern/kern_descrip.c:1883
#11 0x00000000c0120f54 in close (td=0xfffff8001775b480, uap=0x4) at ../../../kern/kern_descrip.c:997
#12 0x00000000c02d348c in syscall (tf=0xd6919880) at ../../../sparc64/sparc64/trap.c:593
(kgdb)

---
panic: trap: fast data access mmu miss
cpuid = 2
KDB: enter: panic
Dumping 512 MB (1 chunks)
chunk at 0: 536870912 bytes |\^H
---
#0 doadump () at ../../../kern/kern_shutdown.c:246
246 savectx(&dumppcb);
(kgdb) bt
#0 doadump () at ../../../kern/kern_shutdown.c:246
#1 0x00000000c005d9d4 in db_fncall (dummy1=0, dummy2=0, dummy3=4, dummy4=0xd76a2a70 "") at ../../../ddb/db_command.c:531
#2 0x00000000c005dbc4 in db_command_loop () at ../../../ddb/db_command.c:349
#3 0x00000000c0060608 in db_trap (type=107, code=0) at ../../../ddb/db_main.c:210
#4 0x00000000c0167dc8 in kdb_trap (type=107, code=0, tf=0x1) at ../../../kern/subr_kdb.c:418
#5 0x00000000c02d30a4 in trap (tf=0xd76a2e40) at ../../../sparc64/sparc64/trap.c:308
#6 0x00000000c01677d8 in kdb_enter (msg=---Can't read userspace from dump, or kernel process--- ) at ../../../kern/subr_kdb.c:238
#7 0x00000000c01677d0 in kdb_enter (msg=0xc03675c0 "panic") at ../../../kern/subr_kdb.c:238
#8 0x00000000c0148d34 in panic (fmt=0xc037f2c8 "trap: %s") at atomic.h:278
#9 0x00000000c02d2fbc in trap (tf=0xd76a3240) at ../../../sparc64/sparc64/trap.c:370
#10 0x00000000c013e2a4 in _mtx_lock_sleep (m=0x0, td=0xfffff800026ee7b0, opts=0, file=0x0, line=0) at ../../../kern/kern_mutex.c:531
#11 0x00000000c013e2f0 in _mtx_lock_sleep (m=0xfffff80018e32a48, td=0xfffff800026ee7b0, opts=0, file=0x0, line=0) at atomic.h:278
#12 0x00000000c0121938 in fdfree (td=0xfffff800026ee7b0) at ../../../kern/kern_descrip.c:1596
#13 0x00000000c012aad8 in exit1 (td=0xfffff800026ee7b0, rv=0) at ../../../kern/kern_exit.c:231
#14 0x00000000c012bdb0 in sys_exit (td=0xfffff800026ee7b0, uap=0xd76a38c0) at ../../../kern/kern_exit.c:94
#15 0x00000000c02d348c in syscall (tf=0xd76a3880) at ../../../sparc64/sparc64/trap.c:593
(kgdb)
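
Added example, not part of the original message and not FreeBSD's own code: a user-space C sketch of a poison-on-free check of the kind that produces the "Memory modified after free" lines in the report above. Assumptions: the fill word 0xdeadc0de is inferred from the reported val=deadc0dd, the offset 288 is the difference between the two addresses in the first report, and the stale decrement is a constructed write chosen because it yields that value (the message does not establish the actual cause).

```c
#include <stdint.h>
#include <stdio.h>

#define JUNK 0xdeadc0deU /* assumed fill word, inferred from val=deadc0dd */

struct trash_report {
    int modified;  /* 1 if a poisoned word changed while the item was free */
    size_t offset; /* byte offset of the first changed word */
    uint32_t val;  /* value found at that offset */
};

/* Free-time hook: overwrite the whole item with the poison word. */
static void trash_dtor(void *mem, size_t size) {
    uint32_t *p = mem;
    for (size_t i = 0; i < size / sizeof(*p); i++)
        p[i] = JUNK;
}

/* Alloc-time hook: report the first word that no longer holds the poison. */
static struct trash_report trash_ctor(const void *mem, size_t size) {
    const uint32_t *p = mem;
    struct trash_report r = {0, 0, 0};
    for (size_t i = 0; i < size / sizeof(*p) && !r.modified; i++) {
        if (p[i] != JUNK) {
            r.modified = 1;
            r.offset = i * sizeof(*p);
            r.val = p[i];
        }
    }
    return r;
}

/* Constructed scenario: a stale pointer decrements a 32-bit counter at
 * byte 288 of a 504-byte item after the item went back to the allocator. */
static struct trash_report demo_stale_decrement(void) {
    enum { ITEM_SIZE = 504, COUNT_OFF = 288 };
    static uint32_t item[ITEM_SIZE / sizeof(uint32_t)];
    uint32_t *stale = &item[COUNT_OFF / sizeof(uint32_t)];
    trash_dtor(item, ITEM_SIZE);        /* item is freed and poisoned */
    (*stale)--;                         /* write through the stale pointer */
    return trash_ctor(item, ITEM_SIZE); /* checked when handed out again */
}

int main(void) {
    struct trash_report r = demo_stale_decrement();
    if (r.modified)
        printf("Memory modified after free: val=%x @ offset 0x%zx\n", r.val, r.offset);
    return 0;
}
```

The check fires in whichever caller receives the item next, so the backtrace at panic time names the victim allocation path rather than the code that performed the stale write.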