Date:      Mon, 22 Jan 1996 09:46:13 -0500
From:      Denis.Fortin@dmr.ca
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   kern/965: 2.0.5 daily crash: multiple frees in if_ppp.c
Message-ID:  <199601221446.JAA02908@poterne.mtl.dmr.ca>
Resent-Message-ID: <199601221450.GAA17463@freefall.freebsd.org>


>Number:         965
>Category:       kern
>Synopsis:       2.0.5: system crashes daily because of "multiple frees" in if_ppp.c
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 22 06:50:01 PST 1996
>Last-Modified:
>Originator:     Denis Fortin
>Organization:
DMR Group Inc, +1 (514) 877-3301
>Release:        FreeBSD 2.0-BUILT-19950603 i386
>Environment:

	Internet gateway used daily by 250 people for PPP and SLIP
	connections (about 150 connections/day).  System has 8 modems available
	on a BocaBoard BB-2016 multi-port board, and the connections traffic
	is regular (i.e. people keep coming and going constantly).

	System is an 80486 @ 33MHz with 64MB RAM and 2 GB disk space; here
	is the output from 'dmesg':

	--->>> CUT HERE <<<---
	FreeBSD 2.0.5-RELEASE #0: Wed Jan  3 09:39:27 EST 1996
	    fortinde@poterne.mtl.dmr.ca:/usr/src/sys/compile/DMR
	CPU: i486DX (486-class CPU)
	real memory  = 66715648 (16288 pages)
	avail memory = 63037440 (15390 pages)
	Probing for devices on the ISA bus:
	sc0 at 0x60-0x6f irq 1 on motherboard
	sc0: VGA color <16 virtual consoles, flags=0x0>
	ed0 at 0x280-0x29f irq 10 on isa
	ed0: address 00:00:1b:4a:89:27, type NE2000 (16 bit) 
	ed1 at 0x300-0x30f irq 5 maddr 0xd8000 msize 8192 on isa
	ed1: address 02:60:8c:45:44:e7, type 3c503 (8 bit) 
	sio0 at 0x3f8-0x3ff irq 4 on isa
	sio0: type 16550A
	sio1 at 0x2f8-0x2ff irq 3 on isa
	sio1: type 16550A
	sio2 at 0x100-0x107 flags 0x1105 on isa
	sio2: type 16550A (multiport)
	sio3 at 0x108-0x10f flags 0x1105 on isa
	sio3: type 16550A (multiport)
	sio4 at 0x110-0x117 flags 0x1105 on isa
	sio4: type 16550A (multiport)
	sio5 at 0x118-0x11f flags 0x1105 on isa
	sio5: type 16550A (multiport)
	sio6 at 0x120-0x127 flags 0x1105 on isa
	sio6: type 16550A (multiport)
	sio7 at 0x128-0x12f flags 0x1105 on isa
	sio7: type 16550A (multiport)
	sio8 at 0x130-0x137 flags 0x1105 on isa
	sio8: type 16550A (multiport)
	sio9 at 0x138-0x13f flags 0x1105 on isa
	sio9: type 16550A (multiport)
	sio10 at 0x140-0x147 flags 0x1105 on isa
	sio10: type 16550A (multiport)
	sio11 at 0x148-0x14f flags 0x1105 on isa
	sio11: type 16550A (multiport)
	sio12 at 0x150-0x157 flags 0x1105 on isa
	sio12: type 16550A (multiport)
	sio13 at 0x158-0x15f flags 0x1105 on isa
	sio13: type 16550A (multiport)
	sio14 at 0x160-0x167 flags 0x1105 on isa
	sio14: type 16550A (multiport)
	sio15 at 0x168-0x16f flags 0x1105 on isa
	sio15: type 16550A (multiport)
	sio16 at 0x170-0x177 flags 0x1105 on isa
	sio16: type 16550A (multiport)
	sio17 at 0x178-0x17f irq 12 flags 0x1105 on isa
	sio17: type 16550A (multiport master)
	lpt0 at 0x378-0x37f irq 7 on isa
	lpt0: Interrupt-driven port
	lp0: TCP/IP capable interface
	lpt1 at 0x278-0x27f on isa
	lpt2 not found at 0xffffffff
	fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
	fdc0: NEC 72065B
	fd0: 1.44MB 3.5in
	wdc0 not found at 0x1f0
	ahb0: reading board settings, int=11
	ahb0 at 0x1000-0x10ff irq 11 on eisa slot 1
	ahb0 waiting for scsi devices to settle
	(ahb0:0:0): "MICROP 1598-15MD1066701 DD24" type 0 fixed SCSI 1
	sd0(ahb0:0:0): Direct-Access 991MB (2031554 512 byte sectors)
	(ahb0:1:0): "MICROP 1598-15MD1066701 DD24" type 0 fixed SCSI 1
	sd1(ahb0:1:0): Direct-Access 991MB (2031554 512 byte sectors)
	(ahb0:2:0): "TANDBERG  TDC 3800 -03:" type 1 removable SCSI 1
	st0(ahb0:2:0): Sequential-Access density code 0x0,  drive empty
	scd0 not found at 0x230
	npx0 on motherboard
	npx0: INT 16 interface
	changing root device to sd0a
	--->>> CUT HERE <<<---

>Description:

	System crashes a few times a week (2-5) and reboots.  This is Most 
	Annoying since the BB-2016 then seems to require a manual "shutdown -r"
	about 50% of the time or it isn't properly reset (i.e. the machine 
	stops answering the phone).

	Finally got a crashdump and produced the following traceback info:

	--->>> CUT HERE <<<---
	GDB is free software and you are welcome to distribute copies of it
	 under certain conditions; type "show copying" to see the conditions.
	There is absolutely no warranty for GDB; type "show warranty" for details.
	GDB 4.13 (i386-unknown-freebsd), 
	Copyright 1994 Free Software Foundation, Inc...
	IdlePTD 1f0000
	current pcb at 1c3f70
	panic: free: multiple frees
	#0  boot (arghowto=256) at ../../i386/i386/machdep.c:870
	870				dumppcb.pcb_ptd = rcr3();
	(kgdb) bt
	#0  boot (arghowto=256) at ../../i386/i386/machdep.c:870
	#1  0xf0112843 in panic (fmt=0xf010b9b2 "free: multiple frees")
	    at ../../kern/subr_prf.c:128
	#2  0xf010ba93 in free (addr=0xf1520180, type=1)
	    at ../../kern/kern_malloc.c:337
	#3  0xf013582e in pppstart (tp=0xf01c23e4) at ../../net/if_ppp.c:1028
	#4  0xf01a84fc in siopoll () at ../../i386/isa/sio.c:1569
	#5  0xf018e667 in doreti_swi ()
	#6  0xf019688c in cpu_switch ()
	(kgdb) up
	#1  0xf0112843 in panic (fmt=0xf010b9b2 "free: multiple frees")
	    at ../../kern/subr_prf.c:128
	128		boot(bootopt);
	(kgdb) up
	#2  0xf010ba93 in free (addr=0xf1520180, type=1)
	    at ../../kern/kern_malloc.c:337
	337				panic("free: multiple frees");
	(kgdb) l
	332	#endif /* DIAGNOSTIC */
	333	#ifdef KMEMSTATS
	334		kup->ku_freecnt++;
	335		if (kup->ku_freecnt >= kbp->kb_elmpercl)
	336			if (kup->ku_freecnt > kbp->kb_elmpercl)
	337				panic("free: multiple frees");
	338			else if (kbp->kb_totalfree > kbp->kb_highwat)
	339				kbp->kb_couldfree++;
	340		kbp->kb_totalfree++;
	341		ksp->ks_memuse -= size;
	(kgdb) info locals
	kbp = (struct kmembuckets *) 0xf01dc65c
	kup = (struct kmemusage *) 0xf0f34794
	freep = (struct freelist *) 0xf1520180
	size = 0
	s = -1073676288
	ksp = (struct kmemstats *) 0xf01dd114
	(kgdb) quit
	--->>> CUT HERE <<<---

>How-To-Repeat:

	Just letting the system run seems to produce the problem almost
	daily (but not quite).

>Fix:
	
	No workaround known.  Now that I know that the problem is in
	if_ppp.c, I might try looking around in there.
>Audit-Trail:
>Unformatted:
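
Added example (not part of the original report and not FreeBSD source): a simplified user-space C model of the per-page free counter shown in the kgdb listing of kern_malloc.c above. The decrement on allocation, the 4-element page and the A/B free sequence are assumptions of the model; it shows that the check trips only once ku_freecnt exceeds kb_elmpercl, which can be a later free() call than the duplicate one.

```c
#include <stdio.h>

/* Simplified model; field names follow the kgdb listing in the report. */
struct kmemusage   { int ku_freecnt; };                  /* free elements on one page */
struct kmembuckets { int kb_elmpercl; int kb_totalfree; };

enum { FREE_OK = 0, FREE_PANIC = 1 };

/* Model assumption: an allocation takes one element off the page's free count. */
static void model_malloc(struct kmembuckets *kbp, struct kmemusage *kup)
{
    kup->ku_freecnt--;
    kbp->kb_totalfree--;
}

/* Mirrors listing lines 334-337, returning FREE_PANIC instead of calling panic(). */
static int model_free(struct kmembuckets *kbp, struct kmemusage *kup)
{
    kup->ku_freecnt++;
    if (kup->ku_freecnt > kbp->kb_elmpercl)
        return FREE_PANIC;              /* "free: multiple frees" */
    kbp->kb_totalfree++;
    return FREE_OK;
}

/*
 * Constructed scenario: a page of 4 elements, A and B allocated,
 * then free(A), free(A) again, free(B).
 * Returns the 1-based index of the free call that trips the check, 0 if none.
 */
static int first_panicking_free(void)
{
    struct kmembuckets kb = { 4, 4 };
    struct kmemusage   ku = { 4 };
    int i;

    model_malloc(&kb, &ku);             /* A */
    model_malloc(&kb, &ku);             /* B */
    for (i = 1; i <= 3; i++)            /* free(A), free(A), free(B) */
        if (model_free(&kb, &ku) == FREE_PANIC)
            return i;
    return 0;
}

int main(void)
{
    printf("check trips on free call #%d\n", first_panicking_free());
    return 0;
}
```

In this model the duplicate free is call #2, but the counter only overflows on call #3, the legitimate free of B.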


