Date: Sun, 15 Feb 2004 11:42:37 +0100 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: =?iso-8859-1?Q?S=F8ren?= Schmidt <sos@DeepCore.dk> Cc: sos@FreeBSD.org Subject: Re: ata(4) related panic - Memory modified after free [was: Sony V505BX ATA panic] Message-ID: <20040215104236.GA722@arthur.nitro.dk> In-Reply-To: <402F3CE5.7090407@DeepCore.dk> References: <20040214192736.C23696@news1.macomnet.ru> <20040214203557.GE888@arthur.nitro.dk> <402E874D.8080909@DeepCore.dk> <20040214204918.GF888@arthur.nitro.dk> <402E8A19.70808@DeepCore.dk> <20040214214411.GA726@arthur.nitro.dk> <402F3CE5.7090407@DeepCore.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
--jI8keyz6grp/JLjh
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On 2004.02.15 10:33:25 +0100, S=F8ren Schmidt wrote:
> Simon L. Nielsen wrote:
>=20
> >
> >Memory modified after free 0xc4667200(508) val=3D1000100 @ 0xc4667200
> >
> >
> >Fatal trap 12: page fault while in kernel mode
> >fault virtual address =3D 0x1000120
> >fault code =3D supervisor read, page not present
> >instruction pointer =3D 0x8:0xc06627c2
> >stack pointer =3D 0x10:0xc0c21ba4
> >frame pointer =3D 0x10:0xc0c21bc0
> >code segment =3D base 0x0, limit 0xfffff, type 0x1b
> > =3D DPL 0, pres 1, def32 1, gran 1
> >processor eflags =3D interrupt enabled, resume, IOPL =3D 0
> >current process =3D 0 (swapper)
> >kernel: type 12 trap, code=3D0
> >Stopped at mtrash_ctor+0x3a: movl 0x20(%eax),%eax
> >db> trace
> >mtrash_ctor(c4667200,200,0) at mtrash_ctor+0x3a
> >uma_zalloc_arg(c1051cc0,0,1) at uma_zalloc_arg+0x169
> >malloc(1a0,c072a4a0,1,c443dd80,c457b3c0) at malloc+0xb7
> >xpt_alloc_device(c443dd80,c457b3c0,0) at xpt_alloc_device+0x3e
> >xpt_compile_path(c4482bd0,c1985d80,0,2,0) at xpt_compile_path+0x84
> >xpt_create_path(c0c21ca4,c1985d80,0,2,0) at xpt_create_path+0x49
> >xpt_scan_bus(c1985d80,c4661400,c0c21cf0,c043a51d,c443ddc0) at=20
> >xpt_scan_bus+0xea
> >xpt_action(c4661400,c4661400,c443dd80,c043a030,c0c21d14) at=20
> >xpt_action+0x7e2
> >xpt_finishconfig(c1985d80,c4661400) at xpt_finishconfig+0x30
> >xptconfigfunc(c443dd80,0,c0c21d40,c0439e97,c443dd80) at xptconfigfunc+0x=
10b
> >xptdefbusfunc(c443dd80,c0c21d54) at xptdefbusfunc+0x15
> >xptbustraverse(0,c043a030,c0c21d54,0,c043d590) at xptbustraverse+0x2b
> >xpt_for_all_busses(c043d590,0) at xpt_for_all_busses+0x29
> >xpt_config(0) at xpt_config+0x74
> >run_interrupt_driven_config_hooks(0,c1ec00,c1e000,0,c0435ad5) at=20
> >run_interrupt_driven_config_hooks+0x18
> >mi_startup() at mi_startup+0x96
> >begin() at begin+0x2c
> >db>=20
>=20
> Loose atapicam, does it work then ? If so please address the atapicam=20
> maintainer with the problems ...
I can see that the panic is in cam, but the odd thing is that I don't
have atapicam in the kernel (I double checked - it isn't there). I do
have normal cam in the kernel (for USB). To me it seems like some kind
of memory corruption either in ata(4) or somehow masked by ata when
retries is set to 3, but I'm no kernel hacker.
BTW, I tried to disable acpi as suggested by somebody else (sorry forgot
the name right now), but that didn't change anything.
Here is a gdb backtrace, if it makes more sense to somebody (not from
the same time as the ddb trace above) :
#0 0xc06627c2 in mtrash_ctor (mem=3D0xc4666200, size=3D-1056882688, arg=3D=
0x0)
at /usr/src/sys/vm/uma_dbg.c:137
#1 0xc06614d5 in uma_zalloc_arg (zone=3D0xc1051cc0, udata=3D0x0, flags=3D1)
at /usr/src/sys/vm/uma_core.c:1416
#2 0xc053da8b in malloc (size=3D3238337728, type=3D0xc072a4a0, flags=3D1)
at /usr/src/sys/vm/uma.h:234
#3 0xc043c0be in xpt_alloc_device (bus=3D0xc443dd80, target=3D0xc457a3c0,=
=20
lun_id=3D0) at /usr/src/sys/cam/cam_xpt.c:4988
#4 0xc043b0b0 in xpt_compile_path (new_path=3D0xc4685080, perph=3D0x100010=
0,=20
path_id=3D0, target_id=3D2, lun_id=3D0) at /usr/src/sys/cam/cam_xpt.c:4=
056
#5 0xc043b001 in xpt_create_path (new_path_ptr=3D0x1000100, perph=3D0xc198=
5d80,=20
path_id=3D0, target_id=3D2, lun_id=3D0) at /usr/src/sys/cam/cam_xpt.c:4=
006
#6 0xc043c4a6 in xpt_scan_bus (periph=3D0xc1985d80, request_ccb=3D0xc46604=
00)
at /usr/src/sys/cam/cam_xpt.c:5243
#7 0xc043a9da in xpt_action (start_ccb=3D0xc4660400)
at /usr/src/sys/cam/cam_xpt.c:3522
#8 0xc043d7ac in xpt_finishconfig (periph=3D0xc1985d80, done_ccb=3D0xc4660=
400)
at /usr/src/sys/cam/cam_xpt.c:6865
#9 0xc043d69b in xptconfigfunc (bus=3D0xc443dd80, arg=3D0x0)
at /usr/src/sys/cam/cam_xpt.c:6774
#10 0xc043a045 in xptdefbusfunc (bus=3D0x0, arg=3D0x1000100)
at /usr/src/sys/cam/cam_xpt.c:2772
#11 0xc0439e97 in xptbustraverse (start_bus=3D0x0,=20
tr_func=3D0xc043a030 <xptdefbusfunc>, arg=3D0xc0c21d54)
at /usr/src/sys/cam/cam_xpt.c:2630
#12 0xc043a0e5 in xpt_for_all_busses (tr_func=3D0x1000100, arg=3D0x1000100)
at /usr/src/sys/cam/cam_xpt.c:2841
#13 0xc043d720 in xpt_config (arg=3D0x0) at /usr/src/sys/cam/cam_xpt.c:6825
#14 0xc0557c6c in run_interrupt_driven_config_hooks (dummy=3D0x0)
at /usr/src/sys/kern/subr_autoconf.c:76
#15 0xc052620a in mi_startup () at /usr/src/sys/kern/init_main.c:212
(kgdb) list
132 =20
133 for (p =3D mem; cnt > 0; cnt--, p++)
134 if (*p !=3D uma_junk) {
135 printf("Memory modified after free %p(%d) v=
al=3D%x @ %p\n",
136 mem, size, *p, p);
137 panic("Most recently used by %s\n", (*ksp =
=3D=3D NULL)?
138 "none" : (*ksp)->ks_shortdesc);
139 }
140 }
141 =20
--=20
Simon L. Nielsen
FreeBSD Documentation Team
--jI8keyz6grp/JLjh
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
iD8DBQFAL00bh9pcDSc1mlERArDLAKCtZGoOnbN1duSERKtWqrZyoyHcogCgwdqM
tK5FXdWv1WrcwPnALvm2ppk=
=iN3J
-----END PGP SIGNATURE-----
--jI8keyz6grp/JLjh--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040215104236.GA722>