INVARIANTS panics on RELENG_5 and HEAD

From: Kris Kennaway <kris_at_obsecurity.org>
Date: Wed, 29 Dec 2004 11:17:13 -0800
I'm regularly getting panics of the following form, on both RELENG_5
systems (UP and SMP sparc64) and HEAD (UP amd64):

Memory modified after free 0xfffff8000446c800(504) val=deadc0dd @ 0xfffff8000446c920
panic: Most recently used by file desc
cpuid = 2
KDB: enter: panic
Dumping 512 MB (1 chunks)
  chunk at 0: 536870912 bytes |\^H
---
#0  doadump () at ../../../kern/kern_shutdown.c:246
246             savectx(&dumppcb);
(kgdb) bt
#0  doadump () at ../../../kern/kern_shutdown.c:246
#1  0x00000000c005dbf4 in db_fncall (dummy1=0, dummy2=0, dummy3=4, dummy4=0xddb4aaf0 "")
    at ../../../ddb/db_command.c:531
#2  0x00000000c005dde4 in db_command_loop () at ../../../ddb/db_command.c:349
#3  0x00000000c0060808 in db_trap (type=107, code=0) at ../../../ddb/db_main.c:210
#4  0x00000000c015afa8 in kdb_trap (type=107, code=0, tf=0x1) at ../../../kern/subr_kdb.c:418
#5  0x00000000c02ac0e0 in trap (tf=0xddb4aec0) at ../../../sparc64/sparc64/trap.c:308
#6  0x00000000c015a9b8 in kdb_enter (msg=---Can't read userspace from dump, or kernel process---

) at ../../../kern/subr_kdb.c:238
#7  0x00000000c015a9b0 in kdb_enter (msg=0xc0343988 "panic") at ../../../kern/subr_kdb.c:238
#8  0x00000000c013e47c in panic (fmt=0xc035e3a8 "Most recently used by %s\n")
    at ../../../kern/kern_shutdown.c:527
#9  0x00000000c028dd5c in mtrash_ctor (mem=0xc03400b8, size=71748088, arg=0x0, flags=258)
    at ../../../vm/uma_dbg.c:134
#10 0x00000000c028ca8c in uma_zalloc_arg (zone=0xfffff8001e3fcee0, udata=0x0, flags=258)
    at ../../../vm/uma_core.c:1826
#11 0x00000000c0133d68 in malloc (size=5, type=0xc0381118, flags=507507200) at uma.h:274
#12 0x00000000c011d320 in fdinit (fdp=0x689) at ../../../kern/kern_descrip.c:1409
#13 0x00000000c011d4a8 in fdcopy (fdp=0xfffff80016ed2800) at ../../../kern/kern_descrip.c:1462
#14 0x00000000c0128128 in fork1 (td=0xfffff80011d37710, flags=20, pages=0, procp=0xddb4b6a8)
    at ../../../kern/kern_fork.c:432
#15 0x00000000c0128d10 in fork (td=0x40349548, uap=0xddb4b8c0) at ../../../kern/kern_fork.c:97
#16 0x00000000c02ac4a0 in syscall (tf=0xddb4b880) at ../../../sparc64/sparc64/trap.c:593

Memory modified after free 0xffffff001235b000(4088) val=adc0de @ 0xffffff001235bac4
panic: Most recently used by subproc
KDB: enter: panic
[thread pid 72540 tid 100233 ]
Stopped at      kdb_enter+0x2f: nop
dbtr
Tracing pid 72540 tid 100233 td 0xffffff0011c8fc80
kdb_enter() at kdb_enter+0x2f
panic() at panic+0x1d2
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x421
malloc() at malloc+0x9c
sigacts_alloc() at sigacts_alloc+0x1f
fork1() at fork1+0x118a
fork() at fork+0x1c
syscall() at syscall+0x4ab
Xfast_syscall() at Xfast_syscall+0xa8
--- syscall (2, FreeBSD ELF64, fork), rip = 0x8009176c0, rsp = 0x7fffffffe1d8, rbp = 0x527000 ---

Memory modified after free 0xfffff80010400200(504) val=deadc0dd @ 0xfffff80010400320
panic: Most recently used by subproc

cpuid = 1
KDB: enter: panic
[thread 100139]
Stopped at      kdb_enter+0x38: ta              %xcc, 1
db> tr
panic() at panic+0x19c
mtrash_ctor() at mtrash_ctor+0x7c
uma_zalloc_arg() at uma_zalloc_arg+0x42c
malloc() at malloc+0xa8
sysarch() at sysarch+0x1b4
syscall() at syscall+0x220
-- syscall (165, FreeBSD ELF64, sysarch) %o7=0x40370a9c --

I'm also getting other panics relating to the filedesc code, on RELENG_5:

panic: fdrop: count < 0
panic messages:
---
panic: fdrop: count < 0
cpuid = 2
KDB: enter: panic
Dumping 512 MB (1 chunks)
  chunk at 0: 536870912 bytes |\^H
---
#0  doadump () at ../../../kern/kern_shutdown.c:246
246             savectx(&dumppcb);
(kgdb) bt
#0  doadump () at ../../../kern/kern_shutdown.c:246
#1  0x00000000c005d9d4 in db_fncall (dummy1=3, dummy2=0, dummy3=-1, dummy4=0xd6918de0 "")
    at ../../../ddb/db_command.c:531
#2  0x00000000c005dbc4 in db_command_loop () at ../../../ddb/db_command.c:349
#3  0x00000000c0060608 in db_trap (type=107, code=0) at ../../../ddb/db_main.c:210
#4  0x00000000c0167dc8 in kdb_trap (type=107, code=0, tf=0x1) at ../../../kern/subr_kdb.c:418
#5  0x00000000c02d30a4 in trap (tf=0xd69191b0) at ../../../sparc64/sparc64/trap.c:308
#6  0x00000000c01677d8 in kdb_enter (msg=---Can't read userspace from dump, or kernel process---

) at ../../../kern/subr_kdb.c:238
#7  0x00000000c01677d0 in kdb_enter (msg=0xc03675c0 "panic") at ../../../kern/subr_kdb.c:238
#8  0x00000000c0148d34 in panic (fmt=0xc0364f80 "fdrop: count < 0") at atomic.h:278
#9  0x00000000c0120804 in fdrop_locked (fp=0xfffff80008c9d730, td=0xfffff8001775b480)
    at ../../../kern/kern_descrip.c:2092
#10 0x00000000c01208a8 in closef (fp=0xfffff80008c9d730, td=0xfffff8001775b480)
    at ../../../kern/kern_descrip.c:1883
#11 0x00000000c0120f54 in close (td=0xfffff8001775b480, uap=0x4) at ../../../kern/kern_descrip.c:997
#12 0x00000000c02d348c in syscall (tf=0xd6919880) at ../../../sparc64/sparc64/trap.c:593
(kgdb)

---
panic: trap: fast data access mmu miss
cpuid = 2
KDB: enter: panic
Dumping 512 MB (1 chunks)
  chunk at 0: 536870912 bytes |\^H
---
#0  doadump () at ../../../kern/kern_shutdown.c:246
246             savectx(&dumppcb);
(kgdb) bt
#0  doadump () at ../../../kern/kern_shutdown.c:246
#1  0x00000000c005d9d4 in db_fncall (dummy1=0, dummy2=0, dummy3=4, dummy4=0xd76a2a70 "")
    at ../../../ddb/db_command.c:531
#2  0x00000000c005dbc4 in db_command_loop () at ../../../ddb/db_command.c:349
#3  0x00000000c0060608 in db_trap (type=107, code=0) at ../../../ddb/db_main.c:210
#4  0x00000000c0167dc8 in kdb_trap (type=107, code=0, tf=0x1) at ../../../kern/subr_kdb.c:418
#5  0x00000000c02d30a4 in trap (tf=0xd76a2e40) at ../../../sparc64/sparc64/trap.c:308
#6  0x00000000c01677d8 in kdb_enter (msg=---Can't read userspace from dump, or kernel process---

) at ../../../kern/subr_kdb.c:238
#7  0x00000000c01677d0 in kdb_enter (msg=0xc03675c0 "panic") at ../../../kern/subr_kdb.c:238
#8  0x00000000c0148d34 in panic (fmt=0xc037f2c8 "trap: %s") at atomic.h:278
#9  0x00000000c02d2fbc in trap (tf=0xd76a3240) at ../../../sparc64/sparc64/trap.c:370
#10 0x00000000c013e2a4 in _mtx_lock_sleep (m=0x0, td=0xfffff800026ee7b0, opts=0, file=0x0, line=0)
    at ../../../kern/kern_mutex.c:531
#11 0x00000000c013e2f0 in _mtx_lock_sleep (m=0xfffff80018e32a48, td=0xfffff800026ee7b0, opts=0,
    file=0x0, line=0) at atomic.h:278
#12 0x00000000c0121938 in fdfree (td=0xfffff800026ee7b0) at ../../../kern/kern_descrip.c:1596
#13 0x00000000c012aad8 in exit1 (td=0xfffff800026ee7b0, rv=0) at ../../../kern/kern_exit.c:231
#14 0x00000000c012bdb0 in sys_exit (td=0xfffff800026ee7b0, uap=0xd76a38c0)
    at ../../../kern/kern_exit.c:94
#15 0x00000000c02d348c in syscall (tf=0xd76a3880) at ../../../sparc64/sparc64/trap.c:593
(kgdb)


Received on Wed Dec 29 2004 - 18:17:19 UTC
