Date: Mon, 2 Nov 1998 21:35:37 -0500 (EST) From: "Larry S. Lile" <lile@stdio.com> To: hackers@FreeBSD.ORG Subject: "panic: free: multiple frees" VM bug? (long) Message-ID: <Pine.BSF.3.96.981102212308.17694B-100000@heathers.stdio.com>
next in thread | raw e-mail | index | archive | help
I am working on a token ring driver and I cannot seem to find
out why this is happening. I contigmalloc buffers for tranmsitting
frames and then free them later when they have been transmitted.
I have to use contigmalloc in order to get buffers below the
16M mark for dma.
Anyone see what is wrong? Should I not do this? Or have I
stumbled over a vm bug?
It looks like a vm bug to me, but I have been wrong before.
All pertinent information below...
Larry Lile
lile@stdio.com
Please ignore the soft-updates panic, I understand that happens
sometimes during a dump.
panicstr: page fault
panic messages:
---
panic: free: multiple frees
syncing disks...
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x30
fault code = supervisor read, page not present
instruction pointer = 0x8:0xf01cdf08
stack pointer = 0x10:0xf024bf14
frame pointer = 0x10:0xf024bf18
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
interrupt mask = net tty bio cam
trap number = 12
panic: page fault
---
#0 boot (howto=260) at ../../kern/kern_shutdown.c:268
268 dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0 boot (howto=260) at ../../kern/kern_shutdown.c:268
#1 0xf014932f in panic (fmt=0xf0242de9 "page fault")
at ../../kern/kern_shutdown.c:430
#2 0xf01f796d in trap_fatal (frame=0xf024bed8) at
../../i386/i386/trap.c:879
#3 0xf01f7648 in trap_pfault (frame=0xf024bed8, usermode=0)
at ../../i386/i386/trap.c:772
#4 0xf01f72a7 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = 0,
tf_esi = -252868608, tf_ebp = -266027240, tf_isp = -266027264,
tf_ebx = -265970844, tf_edx = -1073217472, tf_ecx = 0, tf_eax = 0,
tf_trapno = 12, tf_err = 0, tf_eip = -266543352, tf_cs = 8,
tf_eflags = 66182, tf_esp = -252868608, tf_ss = -266027208})
at ../../i386/i386/trap.c:396
#5 0xf01cdf08 in acquire_lock (lk=0xf0259b64)
at ../../ufs/ffs/ffs_softdep.c:268
#6 0xf01d1929 in softdep_update_inodeblock (ip=0xf0ed8800, bp=0xf368ac30,
waitfor=0) at ../../ufs/ffs/ffs_softdep.c:3482
#7 0xf01ccf1c in ffs_update (vp=0xf5ddc0c0, access=0xf024bfd0,
modify=0xf024bfd0, waitfor=0) at ../../ufs/ffs/ffs_inode.c:109
#8 0xf01d5f59 in ffs_fsync (ap=0xf024c00c) at
../../ufs/ffs/ffs_vnops.c:252
#9 0xf01d4383 in ffs_sync (mp=0xf0e40a00, waitfor=2, cred=0xf0dd3700,
p=0xf028a04c) at vnode_if.h:499
#10 0xf016b2a7 in sync (p=0xf028a04c, uap=0x0) at
../../kern/vfs_syscalls.c:527
#11 0xf0148faa in boot (howto=256) at ../../kern/kern_shutdown.c:201
#12 0xf014932f in panic (fmt=0xf023723e "free: multiple frees")
at ../../kern/kern_shutdown.c:430
#13 0xf0146553 in free (addr=0xf5e62000, type=0xf0251980)
at ../../kern/kern_malloc.c:334
#14 0xf01febe3 in DriverTransmitFrameCompleted (DriverHandle=0x0,
FrameHandle=0xa, TransmitStatus=0) at ../../i386/isa/if_oltr.c:936
#15 0xf022b252 in ReturnCompletedBuffers ()
#16 0x30001 in ?? ()
cannot read proc at 0
(kgdb) up 14
#14 0xf01febe3 in DriverTransmitFrameCompleted (DriverHandle=0x0,
FrameHandle=0xa, TransmitStatus=0) at ../../i386/isa/if_oltr.c:936
936
free(sc->tx_buffer[frame].frame->TransmitFragment[i].VirtualAddress,
M_DEVBUF);
(kgdb) list
931 printf("oltr%d: Unused buffer returned *boggle*\n",
sc->unit);
932 } else {
933 for (i = 0; i < sc->tx_buffer[frame].frame->FragmentCount;
i++) {
934 printf("oltr%d: freeing fragment %d frame %d\n",
sc->unit, i, frame);
935 sc->tx_frags--;
936
free(sc->tx_buffer[frame].frame->TransmitFragment[i].VirtualAddress,
M_DEVBUF);
937 }
938 }
939
940 printf("Oltr%d: %d total frags in use.\n", sc->unit,
sc->tx_frags);
(kgdb)
I know that I have not called free on the same buffer twice by
looking at the debug messages.
Nov 2 21:11:43 anarchy /kernel: oltr0: output frame 0 - 1 fragments (1
fragments in use total)
Nov 2 21:11:43 anarchy /kernel: iso88025_input: Packet queued.
Nov 2 21:11:43 anarchy /kernel: oltr0: transmit complete frame 0 - 1
fragments (1 total fragments in use total)
Nov 2 21:11:43 anarchy /kernel: oltr0: freeing fragment 0 frame 0
Nov 2 21:11:43 anarchy /kernel: Oltr0: 0 total frags in use.
Nov 2 21:11:56 anarchy /kernel: oltr0: output frame 1 - 1 fragments (1
fragments in use total)
Nov 2 21:11:56 anarchy /kernel: iso88025_input: Packet queued.
Nov 2 21:11:56 anarchy /kernel: oltr0: transmit complete frame 1 - 1
fragments (1 total fragments in use total)
Nov 2 21:11:56 anarchy /kernel: oltr0: freeing fragment 0 frame 1
Nov 2 21:11:56 anarchy /kernel: Oltr0: 0 total frags in use.
Nov 2 21:11:56 anarchy /kernel: iso88025_input: Packet queued.
Nov 2 21:11:56 anarchy /kernel: oltr0: output frame 2 - 2 fragments (2
fragments in use total)
Nov 2 21:11:56 anarchy /kernel: oltr0: transmit complete frame 2 - 2
fragments (2 total fragments in use total)
Nov 2 21:11:56 anarchy /kernel: oltr0: freeing fragment 0 frame 2
Nov 2 21:11:56 anarchy /kernel: oltr0: freeing fragment 1 frame 2
Nov 2 21:11:57 anarchy /kernel: Oltr0: 0 total frags in use.
Nov 2 21:11:57 anarchy /kernel: iso88025_input: Packet queued.
Nov 2 21:11:57 anarchy /kernel: oltr0: output frame 3 - 1 fragments (1
fragments in use total)
Nov 2 21:11:57 anarchy /kernel: oltr0: transmit complete frame 3 - 1
fragments (1 total fragments in use total)
Nov 2 21:11:57 anarchy /kernel: oltr0: freeing fragment 0 frame 3
Nov 2 21:11:57 anarchy /kernel: Oltr0: 0 total frags in use.
Nov 2 21:11:59 anarchy /kernel: oltr0: output frame 4 - 2 fragments (2
fragments in use total)
Nov 2 21:11:59 anarchy /kernel: oltr0: transmit complete frame 4 - 2
fragments (2 total fragments in use total)
Nov 2 21:11:59 anarchy /kernel: oltr0: freeing fragment 0 frame 4
Nov 2 21:11:59 anarchy /kernel: oltr0: freeing fragment 1 frame 4
Nov 2 21:11:59 anarchy /kernel: Oltr0: 0 total frags in use.
Nov 2 21:11:59 anarchy /kernel: iso88025_input: Packet queued.
Nov 2 21:11:59 anarchy /kernel: oltr0: output frame 5 - 2 fragments (2
fragments in use total)
Nov 2 21:11:59 anarchy /kernel: oltr0: transmit complete frame 5 - 2
fragments (2 total fragments in use total)
Nov 2 21:11:59 anarchy /kernel: oltr0: freeing fragment 0 frame 5
Nov 2 21:11:59 anarchy /kernel: oltr0: freeing fragment 1 frame 5
Nov 2 21:11:59 anarchy /kernel: Oltr0: 0 total frags in use.
Nov 2 21:11:59 anarchy /kernel: oltr0: output frame 6 - 2 fragments (2
fragments in use total)
Nov 2 21:11:59 anarchy /kernel: oltr0: transmit complete frame 6 - 2
fragments (2 total fragments in use total)
Nov 2 21:11:59 anarchy /kernel: oltr0: freeing fragment 0 frame 6
Nov 2 21:11:59 anarchy /kernel: oltr0: freeing fragment 1 frame 6
Nov 2 21:11:59 anarchy /kernel: Oltr0: 0 total frags in use.
Nov 2 21:11:59 anarchy /kernel: iso88025_input: Packet queued.
Nov 2 21:11:59 anarchy /kernel: oltr0: output frame 7 - 2 fragments (2
fragments in use total)
Nov 2 21:11:59 anarchy /kernel: oltr0: transmit complete frame 7 - 2
fragments (2 total fragments in use total)
Nov 2 21:11:59 anarchy /kernel: oltr0: freeing fragment 0 frame 7
Nov 2 21:11:59 anarchy /kernel: oltr0: freeing fragment 1 frame 7
Nov 2 21:11:59 anarchy /kernel: Oltr0: 0 total frags in use.
How the buffers get allocated:
void *
oltr_malloc(Size, Adapter)
ssize_t Size;
TRlldAdapterConfig_t *Adapter;
{
/* If the adapter needs memory below 16M for DMA then use contigmalloc
*/
if (Adapter->mode & TRLLD_MODE_16M) /* Adapter using ISA DMA buffer
below 16M */
return(contigmalloc(Size, M_DEVBUF, M_NOWAIT, 0ul, 0xfffffful,
1ul, 0x10000ul));
else
return(malloc(Size, M_DEVBUF, M_NOWAIT));
}
Where the frames get built:
static void
oltr_start(ifp)
struct ifnet *ifp;
{
struct oltr_softc *sc = &oltr_softc[ifp->if_unit];
struct mbuf *m0, *m;
struct iso88025_header *th;
int len, i, j, k, rc, s;
/*printf("oltr%d: oltr_start\n", sc->unit);*/
s = splimp();
/* Check to see if we have enough room to transmit */
if (sc->tx_avail <= 0) {
/* No free buffers, hold off the upper layers */
/*printf("oltr%d: transmit queue full.\n", sc->unit);*/
ifp->if_flags |= IFF_OACTIVE;
splx(s);
return;
}
IF_DEQUEUE(&ifp->if_snd, m);
if (m == 0) {
printf("oltr%d: oltr_start NULL packet dequeued.\n", sc->unit);
ifp->if_flags &= ~IFF_OACTIVE;
splx(s);
return;
}
th = mtod(m, struct iso88025_header *);
th->ac = 0x10;
th->fc = 0x40;
/* Keep a pointer to the head of the packet */
m0 = m;
i = (sc->tx_next & TX_LIST_MASK); /* Just to shorten thing up */
if (sc->tx_buffer[i].inuse) {
printf("oltr%d: Transmit ring buffer blown!\n", sc->unit);
oltr_stop(sc);
splx(s);
return;
}
for (len = 0, j = 0; m != 0; m = m->m_next, j++) {
sc->tx_frags++;
sc->tx_buffer[i].frame->TransmitFragment[j].VirtualAddress = (char
*)oltr_malloc(m->m_len, sc->config);
if (!sc->tx_buffer[i].frame->TransmitFragment[j].VirtualAddress) {
printf("oltr%d: unable to allocate memory.\n", sc->unit);
/* Free up the other fragments */
for (k = 0; k < j; k++) {
sc->tx_frags--;
free(sc->tx_buffer[i].frame->TransmitFragment[k].VirtualAddress,
M_DEVBUF);
}
goto bad;
}
sc->tx_buffer[i].frame->TransmitFragment[j].PhysicalAddress =
kvtop(sc->tx_buffer[i].frame->TransmitFragment[j].VirtualAd
dress);
sc->tx_buffer[i].frame->TransmitFragment[j].count = m->m_len;
bcopy(mtod(m, caddr_t),
sc->tx_buffer[i].frame->TransmitFragment[j].VirtualAddress, m->m_len);
len += m->m_len;
}
sc->tx_buffer[i].frame->FragmentCount = j;
sc->tx_buffer[i].inuse = 1;
rc = TRlldTransmitFrame(sc->TRlldAdapter, (TRlldTransmit_t
*)sc->tx_buffer[i].frame, (void *)sc->tx_buffer[i].index);
if (rc != TRLLD_TRANSMIT_OK) {
printf("oltr%d: TRlldTransmitFrame returned (%x)\n", sc->unit,
rc);
ifp->if_oerrors++;
for (j = 0; j < sc->tx_buffer[i].frame->FragmentCount; j++) {
sc->tx_frags--;
free(sc->tx_buffer[i].frame->TransmitFragment[j].VirtualAddress,
M_DEVBUF);
}
sc->tx_buffer[i].inuse = 0;
goto bad;
}
printf("oltr%d: output frame %d - %d fragments (%d fragments in use
total)\n", sc->unit, i, sc->tx_buffer[i].frame->FragmentC
ount, sc->tx_frags);
sc->tx_next++;
sc->tx_avail--;
#if NBPFILTER > 0
if (ifp->if_bpf)
bpf_mtap(ifp, m0);
#endif
bad:
m_freem(m);
splx(s);
return;
}
Where they get freed;
static void
DriverCloseCompleted(DriverHandle)
void *DriverHandle;
{
struct oltr_softc *sc = &oltr_softc[(int)DriverHandle];
/*printf("oltr%d: DriverCloseCompleted\n", sc->unit);*/
untimeout(oltr_timeout, (void *)sc->unit, sc->oltr_ch);
wakeup_one((void *)sc->unit);
if ((sc->hw_state != HW_CLOSING) && (sc->hw_state != HW_CLOSING2) &&
(sc->hw_state != HW_CLOSED)) {
printf("oltr%d: adapter close complete called in wrong state
(%d)\n", sc->unit, sc->hw_state);
return;
}
sc->hw_state = HW_CLOSING2;
if (sc->config->dmalevel != TRLLD_DMA_PIO)
isa_dma_release(sc->config->dmalevel);
}
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.981102212308.17694B-100000>