Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 29 May 2014 16:12:02 -0700
From:      hiren panchasara <hiren@FreeBSD.org>
To:        freebsd-stable@freebsd.org, Jeff Roberson <jeff@freebsd.org>
Subject:   Stable/10 panic: uma_zfree: Freeing to non free bucket index.
Message-ID:  <CALCpEUGQvtUytPDHOZeKy__czng7DLY=eVTzA=Tp22JAkgUa3Q@mail.gmail.com>
next in thread | raw e-mail | index | archive | help 
We are at stable/10 r261579. On a Xeon E5-2670 with 64GB ram, we saw this panic:

Unread portion of the kernel message buffer:
panic: uma_zfree: Freeing to non free bucket index.
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe106e49a6e0
kdb_backtrace() at kdb_backtrace+0x39/frame 0xfffffe106e49a790
vpanic() at vpanic+0x126/frame 0xfffffe106e49a7d0
kassert_panic() at kassert_panic+0x136/frame 0xfffffe106e49a840
uma_zfree_arg() at uma_zfree_arg+0x3cd/frame 0xfffffe106e49a8a0
_fdrop() at _fdrop+0x63/frame 0xfffffe106e49a8c0
closef() at closef+0x1d1/frame 0xfffffe106e49a950
closefp() at closefp+0xa0/frame 0xfffffe106e49a9a0
ia32_syscall() at ia32_syscall+0x255/frame 0xfffffe106e49aab0
Xint0x80_syscall() at Xint0x80_syscall+0x95/frame 0xfffffe106e49aab0
--- syscall (6, FreeBSD ELF32, sys_close), rip = 0x63594804, rsp =
0xffff6684, rbp = 0xffff66b0 ---
Uptime: 5d10h19m35s

I can provide more info if needed.

(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:219
#1  0xffffffff805fb2f7 in kern_reboot (howto=260) at
../../../kern/kern_shutdown.c:452
#2  0xffffffff805fb805 in vpanic (fmt=<value optimized out>, ap=<value
optimized out>) at ../../../kern/kern_shutdown.c:759
#3  0xffffffff805fb696 in kassert_panic (fmt=<value optimized out>) at
../../../kern/kern_shutdown.c:647
#4  0xffffffff807e7aed in uma_zfree_arg (zone=<value optimized out>,
item=0xfffff80108a3f8c0, udata=0x0) at ../../../vm/uma_core.c:2706
#5  0xffffffff805b8813 in _fdrop (fp=0xfffff80108a3f8c0, td=<value
optimized out>) at uma.h:364
#6  0xffffffff805bb131 in closef (fp=0xfffff80108a3f8c0,
td=0xfffff8015f53b000) at ../../../kern/kern_descrip.c:2415
#7  0xffffffff805b8c40 in closefp (fdp=0xfffff802727f1800, fd=<value
optimized out>, fp=0xfffff80108a3f8c0, td=0xfffff8015f53b000,
    holdleaders=<value optimized out>) at ../../../kern/kern_descrip.c:1257
#8  0xffffffff80a34b65 in ia32_syscall (frame=0xfffffe106e49aac0) at
subr_syscall.c:135
#9  0xffffffff8095e675 in Xint0x80_syscall () at ia32_exception.S:73
#10 0x0000000063594804 in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal
(kgdb) f 4
#4  0xffffffff807e7aed in uma_zfree_arg (zone=<value optimized out>,
item=0xfffff80108a3f8c0, udata=0x0) at ../../../vm/uma_core.c:2706
2706    ../../../vm/uma_core.c: No such file or directory.
        in ../../../vm/uma_core.c
(kgdb) l
2701    in ../../../vm/uma_core.c
(kgdb)

 2696. zfree_start:
 2697. /*
 2698. * Try to free into the allocbucket first to give LIFO ordering
 2699. * for cache-hot datastructures.  Spill over into the freebucket
 2700. * if necessary.  Alloc will swap them if one runs dry.
 2701. */
 2702. bucket = cache->uc_allocbucket;
 2703. if (bucket == NULL || bucket->ub_cnt >= bucket->ub_entries)
 2704.         bucket = cache->uc_freebucket;
 2705. if (bucket != NULL && bucket->ub_cnt < bucket->ub_entries) {
 2706.          KASSERT(bucket->ub_bucket[bucket->ub_cnt] == NULL,
 2707.                    ("uma_zfree: Freeing to non free bucket index."));
 2708.          bucket->ub_bucket[bucket->ub_cnt] = item;
 2709.          bucket->ub_cnt++;
 2710.          cache->uc_frees++;
 2711.          critical_exit();
 2712.          return;
 2713. }

Thanks,
Hiren

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CALCpEUGQvtUytPDHOZeKy__czng7DLY=eVTzA=Tp22JAkgUa3Q>