Date: Fri, 24 Jun 2005 19:59:32 +0300 From: Alex Lyashkov <umka@sevinter.net> To: Peter Holm <peter@holm.cc> Cc: current@freebsd.org, Thierry Herbelot <thierry@herbelot.com> Subject: Re: panic: Memory modified after free Message-ID: <1119632271.20635.2.camel@berloga.shadowland> In-Reply-To: <20050624164430.GA14074@peter.osted.lan> References: <200506241626.57469.thierry@herbelot.com> <20050624164430.GA14074@peter.osted.lan>
I got a similar panic with RELENG_5.
-
#2 0xc04a562a in panic (fmt=0xc0602beb "sbappendstream 1") at /usr/src/sys/kern/kern_shutdown.c:566
#3 0xc04ddd3a in sbappendstream_locked (sb=0xc1838bb4, m=0xc1084600) at /usr/src/sys/kern/uipc_socket2.c:739
#4 0xc0541978 in tcp_input (m=0xc1084600, off0=40) at /usr/src/sys/netinet/tcp_input.c:1295
#5 0xc053b011 in ip_input (m=0xc1084600) at /usr/src/sys/netinet/ip_input.c:776
#6 0xc050e016 in netisr_processqueue (ni=0xc067af38) at /usr/src/sys/net/netisr.c:233
#7 0xc050e1c4 in swi_net (dummy=0x0) at /usr/src/sys/net/netisr.c:340
#8 0xc0493e98 in ithread_loop (arg=0xc0fd9500) at /usr/src/sys/kern/kern_intr.c:547
#9 0xc049330c in fork_exit (callout=0xc0493d74 <ithread_loop>, arg=0xc0fd9500, frame=0xc99add38)
--
В Птн, 24.06.2005, в 19:44, Peter Holm пишет:
> On Fri, Jun 24, 2005 at 04:26:55PM +0200, Thierry Herbelot wrote:
> >
> > This is with an SMP machine (oldish BP6)
> >
>
> It seems as though I got the same one:
>
> panic: Memory modified after free 0xc216d500(256) val=c1d5e100 @ 0xc216d500
>
> cpuid = 0
> KDB: enter: panic
> [thread pid 37 tid 100020 ]
> Stopped at kdb_enter+0x2b: nop
> db> where
> Tracing pid 37 tid 100020 td 0xc1540480
> kdb_enter(c0852679) at kdb_enter+0x2b
> panic(c086d47e,c216d500,100,c1d5e100,c216d500) at panic+0x14b
> trash_ctor(c216d500,100,cbfa0b04,1,c104a9d8) at trash_ctor+0x2f
> mb_ctor_mbuf(c216d500,100,cbfa0b04,1) at mb_ctor_mbuf+0x18
> uma_zalloc_arg(c104a9a0,cbfa0b04,1) at uma_zalloc_arg+0x10f
> m_copym(c1739300,16a0,5a8,1,5cef834) at m_copym+0x11c
> tcp_output(c1fe78fc) at tcp_output+0xa42
> tcp_input(c178ab00,14,c178ab00,0,0) at tcp_input+0x2b0f
> ip_input(c178ab00) at ip_input+0x511
> netisr_processqueue(c099eb38) at netisr_processqueue+0x6e
> swi_net(0) at swi_net+0xbe
> ithread_loop(c1573480,cbfa0d38,...)
at ithread_loop+0x11c
> fork_exit(c061bba0,c1573480,cbfa0d38) at fork_exit+0xa0
> fork_trampoline() at fork_trampoline+0x8
>
> Details at http://www.holm.cc/stress/log/cons136.html
>
> - Peter
>
> >
> > multi-cur# kgdb kernel.debug /files3/tmp/vmcore.154
> > [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:
> > Undefined symbol "ps_pglobal_lookup"]
> > GNU gdb 6.1.1 [FreeBSD]
> > Copyright 2004 Free Software Foundation, Inc.
> > GDB is free software, covered by the GNU General Public License, and you are
> > welcome to change it and/or distribute copies of it under certain conditions.
> > Type "show copying" to see the conditions.
> > There is absolutely no warranty for GDB. Type "show warranty" for details.
> > This GDB was configured as "i386-marcel-freebsd".
> > #0 doadump () at pcpu.h:165
> > 165 __asm __volatile("movl %%fs:0,%0" : "=r" (td));
> > (kgdb) bt
> > #0 doadump () at pcpu.h:165
> > #1 0xc046897a in db_fncall (dummy1=0, dummy2=0, dummy3=-1067166101,
> > dummy4=0xcc89d8d4 "\bÙ\211Ì") at /usr/src/sys/ddb/db_command.c:531
> > #2 0xc0468788 in db_command (last_cmdp=0xc08fc464, cmd_table=0x0,
> > aux_cmd_tablep=0xc0879f00,
> > aux_cmd_tablep_end=0xc0879f1c) at /usr/src/sys/ddb/db_command.c:349
> > #3 0xc0468850 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
> > #4 0xc046a3d5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
> > #5 0xc0645904 in kdb_trap (type=3, code=0, tf=0xcc89da18)
> > at /usr/src/sys/kern/subr_kdb.c:471
> > #6 0xc07e7cbc in trap (frame=
> > {tf_fs = -863436792, tf_es = -1067188184, tf_ds = -1065025496, tf_edi =
> > -1064921604, tf_esi = 1, tf_ebp = -863380904, tf_isp = -863380924, tf_ebx =
> > -863380860, tf_edx = 0, tf_ecx = -1056755712, tf_eax = 18, tf_trapno = 3,
> > tf_err = 0, tf_eip = -1067166101, tf_cs = 32, tf_eflags = 642, tf_esp =
> > -863380872,
tf_ss = -1067263353}) at /usr/src/sys/i386/i386/trap.c:598
> > #7 0xc07d583a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> > #8 0xcc890008 in ?? ()
> > #9 0xc0640028 in blst_radix_init (scan=0xc084ecf5,
> > radix=-4516961442427043584,
> > skip=-1050930176, count=Unhandled dwarf expression opcode 0x93
> > ) at /usr/src/sys/kern/subr_blist.c:885
> > #10 0xc062da87 in panic (fmt=0x282 <Address 0x282 out of bounds>)
> > at /usr/src/sys/kern/kern_shutdown.c:537
> > #11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1)
> > at /usr/src/sys/vm/uma_dbg.c:72
> > #12 0xc0624bd8 in mb_ctor_mbuf (mem=0xc15c1400, size=256, arg=0xcc89db40,
> > how=1)
> > at /usr/src/sys/kern/kern_mbuf.c:204
> > #13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1)
> > at /usr/src/sys/vm/uma_core.c:1839
> > #14 0xc06c66ed in tcp_output (tp=0xc165eac8) at mbuf.h:392
> > ---Type <return> to continue, or q <return> to quit---q
> > Quit
> > (kgdb) frame 11
> > #11 0xc077be53 in trash_ctor (mem=0xc15c1400, size=0, arg=0xcc89db40, flags=1)
> > at /usr/src/sys/vm/uma_dbg.c:72
> > 72 panic("Memory modified after free %p(%d)
> > val=%x @ %p\n",
> > (kgdb) list
> > 67
> > 68 cnt = size / sizeof(uma_junk);
> > 69
> > 70 for (p = mem; cnt > 0; cnt--, p++)
> > 71 if (*p != uma_junk)
> > 72 panic("Memory modified after free %p(%d)
> > val=%x @ %p\n",
> > 73 mem, size, *p, p);
> > 74 return (0);
> > 75 }
> > 76
> > (kgdb) frame 13
> > #13 0xc077a85f in uma_zalloc_arg (zone=0xc104a9a0, udata=0xcc89db40, flags=1)
> > at /usr/src/sys/vm/uma_core.c:1839
> > 1839 if (zone->uz_ctor(item,
> > zone->uz_keg->uk_size,
> > (kgdb) list
> > 1834 ZONE_LOCK(zone);
> > 1835 uma_dbg_alloc(zone, NULL, item);
> > 1836 ZONE_UNLOCK(zone);
> > 1837 #endif
> > 1838 if (zone->uz_ctor != NULL) {
> > 1839 if (zone->uz_ctor(item,
> > zone->uz_keg->uk_size,
> > 1840 udata, flags) !=
0) {
> > 1841 uma_zfree_internal(zone, item,
> > udata,
> > 1842 SKIP_DTOR);
> > 1843 return (NULL);
> > (kgdb) print *zone
> > $1 = {uz_name = 0xc084d5b0 "Mbuf", uz_lock = 0xc10443c8, uz_keg = 0xc10443c0,
> > uz_link = {
> > le_next = 0xc104ac60, le_prev = 0xc10443f8}, uz_full_bucket = {lh_first =
> > 0x0},
> > uz_free_bucket = {lh_first = 0x0}, uz_ctor = 0xc0624bc0 <mb_ctor_mbuf>,
> > uz_dtor = 0xc0624c30 <mb_dtor_mbuf>, uz_init = 0, uz_fini = 0, uz_allocs =
> > 1993622,
> > uz_fills = 0, uz_count = 128, uz_cpu = {{uc_freebucket = 0xc15b820c,
> > uc_allocbucket = 0xc103d20c, uc_allocs = 3}}}
> >
> > multi-cur# ident kernel.debug | grep uma_dbg.c
> > $FreeBSD: src/sys/vm/uma_dbg.c,v 1.19 2005/02/16 21:45:59 bmilekic Exp $
> > multi-cur# ident kernel.debug | grep kern_mbuf.c
> > $FreeBSD: src/sys/kern/kern_mbuf.c,v 1.8 2005/06/23 04:33:39 silby Exp $
> > multi-cur# ident kernel.debug | grep uma_core.c
> > $FreeBSD: src/sys/vm/uma_core.c,v 1.119 2005/04/29 18:56:36 rwatson Exp $
> > _______________________________________________
> > freebsd-current@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-current
> > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
--
Alex Lyashkov <umka@sevinter.net>