Date:      Thu, 18 Oct 2001 08:06:21 -0700 (PDT)
From:      John Baldwin <jhb@FreeBSD.org>
To:        current@FreeBSD.org
Subject:   Panic: zalloc: item is free
Message-ID:  <XFMail.011018080621.jhb@FreeBSD.org>

This one is a bit harder to track down than the ata one, it just happened while
I was sitting in X.  It might have been just after resuming, but I can't
exactly remember.  Note that like the ata panic, we panic'd trying to sync the
disks (perhaps we shouldn't try to sync the disks on a panic?) and thus that
the real panic is at frame #13.

(kgdb) where
#0  dumpsys () at ../../../kern/kern_shutdown.c:488
#1  0xc0202443 in boot (howto=16644) at ../../../kern/kern_shutdown.c:331
#2  0xc0202869 in panic (fmt=0xc03337d9 "bremfree: bp %p not locked")
    at ../../../kern/kern_shutdown.c:628
#3  0xc0230f6d in bremfree (bp=0xc3b5f974) at ../../../kern/vfs_bio.c:535
#4  0xc02331f1 in getblk (vp=0xcc7a9ec0, blkno=160, size=8192, slpflag=0, 
    slptimeo=0) at ../../../kern/vfs_bio.c:2215
#5  0xc0231044 in breadn (vp=0xcc7a9ec0, blkno=160, size=8192, rablkno=0x0, 
    rabsize=0x0, cnt=0, cred=0x0, bpp=0xccdbfaac)
    at ../../../kern/vfs_bio.c:593
#6  0xc0231011 in bread (vp=0xcc7a9ec0, blkno=160, size=8192, cred=0x0, 
    bpp=0xccdbfaac) at ../../../kern/vfs_bio.c:575
#7  0xc029ff4f in ffs_update (vp=0xccdaacc0, waitfor=0)
    at ../../../ufs/ffs/ffs_inode.c:101
#8  0xc02ac9da in ffs_fsync (ap=0xccdbfb20) at ../../../ufs/ffs/ffs_vnops.c:292
#9  0xc02ab1b6 in ffs_sync (mp=0xc141fe00, waitfor=2, cred=0xc0b63e00, 
    td=0xc03e7624) at vnode_if.h:441
#10 0xc023d4a1 in sync (td=0xc03e7624, uap=0x0)
    at ../../../kern/vfs_syscalls.c:640
#11 0xc020208c in boot (howto=16640) at ../../../kern/kern_shutdown.c:240
#12 0xc0202869 in panic (fmt=0xc034516c "item is not free")
    at ../../../kern/kern_shutdown.c:628
#13 0xc02c26c7 in zalloc (z=0xc03e5340) at ../../../vm/vm_zone.c:483
#14 0xc02e764a in get_pv_entry () at ../../../i386/i386/pmap.c:1693
#15 0xc02e77bc in pmap_insert_entry (pmap=0xc7fd72cc, va=678203392, 
    mpte=0xc08d0c5c, m=0xc093b480) at ../../../i386/i386/pmap.c:1793
#16 0xc02e86eb in pmap_copy (dst_pmap=0xc7fd72cc, src_pmap=0xc7fd73ac, 
    dst_addr=678182912, len=4624384, src_addr=678182912)
    at ../../../i386/i386/pmap.c:2845
#17 0xc02b9927 in vm_map_copy_entry (src_map=0xc7fd7340, dst_map=0xc7fd7260, 
    src_entry=0xccdc19c0, dst_entry=0xccdc3b40) at ../../../vm/vm_map.c:2252
#18 0xc02b9b91 in vmspace_fork (vm1=0xc7fd7340) at ../../../vm/vm_map.c:2371
#19 0xc02b64e9 in vm_forkproc (td=0xccd1ef04, p2=0xccd1eb00, flags=20)
    at ../../../vm/vm_glue.c:247
#20 0xc01f4834 in fork1 (td=0xccd1ef04, flags=20, procp=0xccdbfce8)
    at ../../../kern/kern_fork.c:624
#21 0xc01f3ad6 in fork (td=0xccd1ef04, uap=0xccdbfd20)
    at ../../../kern/kern_fork.c:121
#22 0xc02eafe7 in syscall (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, 
      tf_edi = -1077938084, tf_esi = 686389012, tf_ebp = -1077938028, 
      tf_isp = -857997964, tf_ebx = 686387764, tf_edx = 4, tf_ecx = 686389012, 
      tf_eax = 2, tf_trapno = 12, tf_err = 2, tf_eip = 685007816, tf_cs = 31, 
      tf_eflags = 582, tf_esp = -1077938184, tf_ss = 47})
    at ../../../i386/i386/trap.c:1122
(kgdb) frame 13
#13 0xc02c26c7 in zalloc (z=0xc03e5340) at ../../../vm/vm_zone.c:483
483             KASSERT(((void **) item)[1] == ZENTRY_FREE,
(kgdb) l
478             }
479     
480             item = z->zitems;
481             z->zitems = ((void **) item)[0];
482     #ifdef INVARIANTS
483             KASSERT(((void **) item)[1] == ZENTRY_FREE,
484                 ("item is not free"));
485             ((void **) item)[1] = 0;
486     #endif
487     
(kgdb) x/2 item
0xc0ac0ffc:     0xc0ac0fe0      0x12340000
(kgdb) p z->zname
$3 = 0xc034ca37 "PV ENTRY"
(kgdb) p z->zitems
$4 = (void *) 0xc0ac0fe0
../../../vm/vm_zone.c:#define ZENTRY_FREE               (void*)0x12342378

Looks like the lower 2 bytes were cleared.  Perhaps a dangling reference to a
pv_entry somewhere?

typedef struct pv_entry {
        pmap_t          pv_pmap;        /* pmap where mapping lies */
        vm_offset_t     pv_va;          /* virtual address for mapping */
        TAILQ_ENTRY(pv_entry)   pv_list;
        TAILQ_ENTRY(pv_entry)   pv_plist;
        vm_page_t       pv_ptem;        /* VM page for pte */
} *pv_entry_t;

So it looks like pv_va of a free'd pv_entry was modified perhaps?

-- 

John Baldwin <john@baldwin.cx> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/
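An added illustration (not code from the post or from the FreeBSD tree) of the check that fired above: a toy zone whose items have the pv_entry layout, so that the free-list link and the ZENTRY_FREE marker sit exactly where pv_pmap and pv_va do, and a stale write to pv_va after the free is what the next allocation catches. The struct, index-based free list and the 16-bit-store model of the corruption are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for the i386 pv_entry quoted in the post: its first two
 * 32-bit words overlap the zone's free-list link (word 0) and the ZENTRY_FREE
 * marker (word 1), which is why a stale write to pv_va trips the KASSERT. */
struct pv_entry {
    uint32_t pv_pmap;   /* word 0: free-list link (an index into the zone here) */
    uint32_t pv_va;     /* word 1: holds ZENTRY_FREE while the entry is free */
};
#define ZENTRY_FREE 0x12342378u   /* same magic as vm_zone.c */
#define NITEMS 4
#define ZNIL UINT32_MAX
struct zone { struct pv_entry items[NITEMS]; uint32_t zitems; };

static void zone_init(struct zone *z) {
    for (uint32_t i = 0; i < NITEMS; i++) {
        z->items[i].pv_pmap = (i + 1 < NITEMS) ? i + 1 : ZNIL;
        z->items[i].pv_va = ZENTRY_FREE;
    }
    z->zitems = 0;
}

/* Pop the free-list head with the INVARIANTS check from zalloc(); a clobbered
 * marker returns NULL here instead of panicking. */
static struct pv_entry *zalloc(struct zone *z) {
    if (z->zitems == ZNIL) return NULL;
    struct pv_entry *item = &z->items[z->zitems];
    z->zitems = item->pv_pmap;
    if (item->pv_va != ZENTRY_FREE) return NULL;   /* "item is not free" */
    item->pv_va = 0;
    return item;
}

static void zfree(struct zone *z, struct pv_entry *item) {
    item->pv_pmap = z->zitems;
    item->pv_va = ZENTRY_FREE;
    z->zitems = (uint32_t)(item - z->items);
}

/* Reproduce the symptom in the trace: after the entry is freed, a dangling
 * pointer clears the low two bytes of pv_va (a 16-bit store of zero on
 * little-endian i386), so 0x12342378 becomes 0x12340000. Returns the
 * clobbered marker if the next zalloc() refuses the entry, otherwise 0. */
static uint32_t dangling_write_demo(void) {
    static struct zone z;
    zone_init(&z);
    struct pv_entry *pv = zalloc(&z);
    zfree(&z, pv);               /* pv is now a dangling reference */
    pv->pv_va &= 0xffff0000u;    /* the stale write */
    return zalloc(&z) == NULL ? pv->pv_va : 0;
}
```

The marker survives only as long as nothing touches the second word of a freed item, which is why the partially cleared value in `x/2 item` points at a writer that still held the entry after it went back on the list.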
