Date:      Wed, 1 Sep 2004 20:16:29 +0200
From:      Ulrich Spoerlein <q@uni.de>
To:        current@freebsd.org
Subject:    panic: Duplicate free of item 0xc3474084 from zone 0xc1044c60(g_bio)
Message-ID:  <20040901181629.GB953@galgenberg.net>

Hello,

I discovered the following panic yesterday after fiddling with suspend
and lid close on my laptop.

First the odd thing:
After several suspend+resume cycles there were no more ACPI Events.
Pressing Fn+ESC (suspend), closing the lid, even pressing the power
button did nothing. I restarted devd -D -d and it didn't "see" any
events happening.

acpiconf -s 1 still worked, and pressing the power button correctly
resumed the laptop. Even 'sysctl hw.acpi.video.lcd0.active=0/1' worked as
expected. It's just that the buttons on the laptop did nothing.

I can't remember what I did next, I think it was after sysctl
hw.acpi.video.lcd0.active=1 that the laptop crashed with this message
and trace

panic: Duplicate free of item 0xc3474084 from zone 0xc1044c60(g_bio)
(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc048e0bb in db_fncall (dummy1=-482686232, dummy2=0, dummy3=-482686332,
    dummy4=0xe33aca80 "zànÀ") at /usr/src/sys/ddb/db_command.c:531
#2  0xc048e45c in db_command_loop () at /usr/src/sys/ddb/db_command.c:349
#3  0xc048fbe1 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
#4  0xc057a245 in kdb_trap (type=3, code=0, tf=0xe33acba0) at /usr/src/sys/kern/subr_kdb.c:418
#5  0xc06bb5f3 in trap (frame=
      {tf_fs = -482738152, tf_es = -1068040176, tf_ds = -1066336240, tf_edi = 256, tf_esi = -1066180656, tf_ebp = -482685984, tf_isp = -482686004, tf_ebx = -482685944, tf_edx = 0, tf_ecx = -1066288042, tf_eax = -1066296234, tf_trapno = 3, tf_err = 0, tf_eip = -1067999498, tf_cs = 8, tf_eflags = 646, tf_esp = -482685956, tf_ss = -1068083965}) at /usr/src/sys/i386/i386/trap.c:576
#6  0xc06b027a in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#7  0xe33a0018 in ?? ()
#8  0xc0570010 in softclock (dummy=0xc0719c56) at /usr/src/sys/kern/kern_timeout.c:201
#9  0xc0565503 in panic (fmt=---Can't read userspace from dump, or kernel process---) at /usr/src/sys/kern/kern_shutdown.c:542
#10 0xc068cd4b in uma_dbg_free (zone=0xc1044c60, slab=0xc3474f70, item=0xc3474084) at /usr/src/sys/vm/uma_dbg.c:276
#11 0xc068b7d8 in uma_zfree_arg (zone=0xc1044c60, item=0xc3474084, udata=0x0) at /usr/src/sys/vm/uma_core.c:2228
#12 0xc05323c2 in g_destroy_bio (bp=0xc3474084) at uma.h:302
#13 0xc0530b0b in g_disk_done (bp=0xc3474084) at /usr/src/sys/geom/geom_disk.c:203
#14 0xc04af06d in ad_done (request=0xc25a1000) at /usr/src/sys/dev/ata/ata-disk.c:322
#15 0xc04a2fd5 in ata_completed (context=0xc25a1000, dummy=0) at /usr/src/sys/dev/ata/ata-queue.c:404
#16 0xc04a30de in ata_timeout (request=0xc25a1000) at /usr/src/sys/dev/ata/ata-queue.c:442
#17 0xc0570153 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:259
#18 0xc0554b8b in ithread_loop (arg=0xc22d4580) at /usr/src/sys/kern/kern_intr.c:546
#19 0xc05540a2 in fork_exit (callout=0xc0554a79 <ithread_loop>, arg=0xc22d4580, frame=0xe33acd48) at /usr/src/sys/kern/kern_fork.c:820
#20 0xc06b02dc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
(kgdb) f 10
#10 0xc068cd4b in uma_dbg_free (zone=0xc1044c60, slab=0xc3474f70, item=0xc3474084)
    at /usr/src/sys/vm/uma_dbg.c:276
276                     panic("Duplicate free of item %p from zone %p(%s)\n",
(kgdb) l
271             }
272
273             if (slab->us_freelist[freei].us_item != 255) {
274                     printf("Slab at %p, freei %d = %d.\n",
275                         slab, freei, slab->us_freelist[freei].us_item);
276                     panic("Duplicate free of item %p from zone %p(%s)\n",
277                         item, zone, zone->uz_name);
278             }
279
280             /*
(kgdb) p item
$1 = (void *) 0xc3474084
(kgdb) p *item
Attempt to dereference a generic pointer.
(kgdb) p zone
$2 = 0xc1044c60
(kgdb) p *zone
$3 = {uz_name = 0xc0713f19 "g_bio", uz_lock = 0xc101e5a8, uz_keg = 0xc101e5a0, uz_link = {
    le_next = 0x0, le_prev = 0xc101e5d8}, uz_full_bucket = {lh_first = 0xc362d418},
  uz_free_bucket = {lh_first = 0x0}, uz_ctor = 0, uz_dtor = 0, uz_init = 0, uz_fini = 0,
  uz_allocs = 1495977, uz_fills = 0, uz_count = 128, uz_cpu = {{uc_freebucket = 0xc28d7a3c,
      uc_allocbucket = 0xc3cc0418, uc_allocs = 40}}}

I will update to the latest RELENG_5 and try to reproduce this panic.

An older dmesg and the DSDT and ASL can be found here
http://www.galgenberg.net/~q/freebsd/

Ulrich Spoerlein
-- 
PGP Key ID: F0DB9F44				Get it while it's hot!
PGP Fingerprint: F1CE D062 0CA9 ADE3 349B  2FE8 980A C6B5 F0DB 9F44
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."	-- Benjamin Franklin
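
Added example (not part of the original message and not FreeBSD source): a simplified userland model of the per-item marker check shown at uma_dbg.c lines 273-278 in the kgdb listing above, where a free of an item whose marker is not 255 is reported as a duplicate free. The toy_* names, slab geometry, return codes and the range/alignment checks are assumptions made for illustration; only the marker value 255 comes from the listing.

```c
#include <stdint.h>
#include <string.h>

#define ITEMS_PER_SLAB 8     /* assumed toy geometry */
#define ITEM_SIZE      64
#define MARK_ALLOCATED 255   /* marker value the kgdb listing compares against */
#define MARK_FREE      0     /* assumed value for "not handed out" */
enum dbg_result { DBG_OK, DBG_OUT_OF_RANGE, DBG_UNALIGNED, DBG_DUPLICATE_FREE };
struct toy_slab {
    uint8_t marker[ITEMS_PER_SLAB];            /* one debug marker per item */
    uint8_t data[ITEMS_PER_SLAB * ITEM_SIZE];  /* item storage */
};

/* Hand out item idx and record that it is live. */
static void *toy_dbg_alloc(struct toy_slab *s, unsigned idx)
{
    if (idx >= ITEMS_PER_SLAB || s->marker[idx] == MARK_ALLOCATED)
        return NULL;
    s->marker[idx] = MARK_ALLOCATED;
    return &s->data[idx * ITEM_SIZE];
}

/* Validate a free; the kernel panics where this model returns an error code. */
static enum dbg_result toy_dbg_free(struct toy_slab *s, void *item)
{
    uintptr_t off = (uintptr_t)item - (uintptr_t)s->data;  /* wraps if below data */
    uintptr_t freei = off / ITEM_SIZE;
    if (freei >= ITEMS_PER_SLAB)               /* model's own sanity check */
        return DBG_OUT_OF_RANGE;
    if (off % ITEM_SIZE != 0)                  /* model's own sanity check */
        return DBG_UNALIGNED;
    if (s->marker[freei] != MARK_ALLOCATED)    /* the check from the listing */
        return DBG_DUPLICATE_FREE;
    s->marker[freei] = MARK_FREE;
    return DBG_OK;
}

/* Free one item twice and report what the second free returns. */
static enum dbg_result demo_double_free(void)
{
    struct toy_slab s;
    memset(&s, 0, sizeof(s));
    void *bio = toy_dbg_alloc(&s, 3);
    (void)toy_dbg_free(&s, bio);               /* first free: accepted */
    return toy_dbg_free(&s, bio);              /* second free: rejected */
}

int main(void) { return demo_double_free() == DBG_DUPLICATE_FREE ? 0 : 1; }
```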
