Message-ID: <436B70FA.3080401@freebsd.org>
Date: Fri, 04 Nov 2005 15:32:26 +0100
From: Andre Oppermann
To: Kris Kennaway
Cc: glebius@freebsd.org, current@FreeBSD.org
Subject: Re: panic: mb_dtor_pack: ref_cnt != 1
References: <20051104092724.GA33945@xor.obsecurity.org>
In-Reply-To: <20051104092724.GA33945@xor.obsecurity.org>
List-Id: Discussions about the use of FreeBSD-current

Kris Kennaway wrote:
> I got this panic shortly after boot on a freshly-updated amd64
> machine:
>
> FreeBSD/amd64 (fbsd-amd64.isc.org) (ttyd0)
>
> login: panic: mb_dtor_pack: ref_cnt != 1
> cpuid = 3
> KDB: enter: panic
> [thread pid 1021 tid 100131 ]
> Stopped at kdb_enter+0x31: leave
> db> wh
> Tracing pid 1021 tid 100131 td 0xffffff0323816a40
> kdb_enter() at kdb_enter+0x31
> panic() at panic+0x1e6
> mb_dtor_pack() at mb_dtor_pack+0x103
> uma_zfree_arg() at uma_zfree_arg+0x34
> mb_free_ext() at mb_free_ext+0xe9
> soreceive() at soreceive+0xafb
> soo_read() at soo_read+0x5e
> dofileread() at dofileread+0x9e
> kern_readv() at kern_readv+0x4f
> read() at read+0x4b
> syscall() at syscall+0x350
> Xfast_syscall() at Xfast_syscall+0xa8
> --- syscall (3, FreeBSD ELF64, read), rip = 0x800b7e23c, rsp = 0x7fffffffe1a8, rbp = 0x400 ---

This should fix it. Commit in half an hour.

--
Andre

Index: kern/uipc_mbuf.c =================================================================== RCS file: /home/ncvs/src/sys/kern/uipc_mbuf.c,v retrieving revision 1.156 diff -u -p -r1.156 uipc_mbuf.c --- kern/uipc_mbuf.c 2 Nov 2005 16:20:35 -0000 1.156 +++ kern/uipc_mbuf.c 4 Nov 2005 14:28:31 -0000 
@@ -215,9 +215,11 @@ mb_free_ext(struct mbuf *m) /* Free attached storage if this mbuf is the only reference to it. */ if (*(m->m_ext.ref_cnt) == 1 || - atomic_fetchadd_int(m->m_ext.ref_cnt, -1) == 1) { + atomic_fetchadd_int(m->m_ext.ref_cnt, -1) == 0) { switch (m->m_ext.ext_type) { - case EXT_CLUSTER: + case EXT_CLUSTER: /* The packet zone is special. */ + if (*(m->m_ext.ref_cnt) == 0) + *(m->m_ext.ref_cnt) = 1; uma_zfree(zone_pack, m); return; /* Job done. */ break; Index: kern/kern_mbuf.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_mbuf.c,v retrieving revision 1.12 diff -u -p -r1.12 kern_mbuf.c --- kern/kern_mbuf.c 2 Nov 2005 16:20:35 -0000 1.12 +++ kern/kern_mbuf.c 4 Nov 2005 14:28:31 -0000 @@ -395,11 +395,10 @@ mb_ctor_clust(void *mem, int size, void static void mb_dtor_clust(void *mem, int size, void *arg) { - u_int *refcnt; - refcnt = uma_find_refcnt(zone_clust, mem); - KASSERT(*refcnt == 1, ("%s: refcnt incorrect %u", __func__, *refcnt)); - *refcnt = 0; + KASSERT(*(uma_find_refcnt(zone_clust, mem)) == 0 && + *(uma_find_refcnt(zone_clust, mem)) == 1, + ("%s: refcnt incorrect %u", __func__, *refcnt)); #ifdef INVARIANTS trash_dtor(mem, size, arg); #endif
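
Review bot: In the mb_free_ext() hunk, the new test atomic_fetchadd_int(m->m_ext.ref_cnt, -1) == 0 does not match the last-reference case, because atomic_fetchadd_int returns the value held before the add: the final release returns 1, and a return of 0 means the counter was already 0 and has just wrapped. The unlocked *(m->m_ext.ref_cnt) == 1 shortcut hides this when frees happen one after another, but if two holders of a count of 2 decrement concurrently they get 2 and 1 back, neither side enters the branch, and the external storage is never released. Suggest keeping the == 1 comparison and retaining the added reset under EXT_CLUSTER, which then sees the count at 0 after the decrement and restores it to 1 before uma_zfree(zone_pack, m), the value the mb_dtor_pack assertion in the quoted panic expects.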
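
Review bot: In the mb_dtor_clust() hunk, the new KASSERT condition requires *(uma_find_refcnt(zone_clust, mem)) to be both 0 and 1, which can never hold, so the assertion fires on every cluster free once INVARIANTS is enabled; || looks like what was meant. The message arguments also still pass *refcnt although the u_int *refcnt declaration is removed at the top of the function, so the KASSERT will not compile when it is expanded; either keep the local and assign it once from uma_find_refcnt(), or repeat the call in the format arguments. The hunk also drops the *refcnt = 0 store, so a short comment saying which path now resets the count would help the next reader.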