Re: ata(4) related panic - Memory modified after free [was: Sony V505BX ATA panic]

From: Simon L. Nielsen <simon_at_FreeBSD.org>
Date: Sun, 15 Feb 2004 11:42:37 +0100
On 2004.02.15 10:33:25 +0100, Søren Schmidt wrote:
> Simon L. Nielsen wrote:
> 
> >
> >Memory modified after free 0xc4667200(508) val=1000100 @ 0xc4667200
> >
> >
> >Fatal trap 12: page fault while in kernel mode
> >fault virtual address   = 0x1000120
> >fault code              = supervisor read, page not present
> >instruction pointer     = 0x8:0xc06627c2
> >stack pointer           = 0x10:0xc0c21ba4
> >frame pointer           = 0x10:0xc0c21bc0
> >code segment            = base 0x0, limit 0xfffff, type 0x1b
> >                        = DPL 0, pres 1, def32 1, gran 1
> >processor eflags        = interrupt enabled, resume, IOPL = 0
> >current process         = 0 (swapper)
> >kernel: type 12 trap, code=0
> >Stopped at      mtrash_ctor+0x3a:       movl    0x20(%eax),%eax
> >db> trace
> >mtrash_ctor(c4667200,200,0) at mtrash_ctor+0x3a
> >uma_zalloc_arg(c1051cc0,0,1) at uma_zalloc_arg+0x169
> >malloc(1a0,c072a4a0,1,c443dd80,c457b3c0) at malloc+0xb7
> >xpt_alloc_device(c443dd80,c457b3c0,0) at xpt_alloc_device+0x3e
> >xpt_compile_path(c4482bd0,c1985d80,0,2,0) at xpt_compile_path+0x84
> >xpt_create_path(c0c21ca4,c1985d80,0,2,0) at xpt_create_path+0x49
> >xpt_scan_bus(c1985d80,c4661400,c0c21cf0,c043a51d,c443ddc0) at xpt_scan_bus+0xea
> >xpt_action(c4661400,c4661400,c443dd80,c043a030,c0c21d14) at xpt_action+0x7e2
> >xpt_finishconfig(c1985d80,c4661400) at xpt_finishconfig+0x30
> >xptconfigfunc(c443dd80,0,c0c21d40,c0439e97,c443dd80) at xptconfigfunc+0x10b
> >xptdefbusfunc(c443dd80,c0c21d54) at xptdefbusfunc+0x15
> >xptbustraverse(0,c043a030,c0c21d54,0,c043d590) at xptbustraverse+0x2b
> >xpt_for_all_busses(c043d590,0) at xpt_for_all_busses+0x29
> >xpt_config(0) at xpt_config+0x74
> >run_interrupt_driven_config_hooks(0,c1ec00,c1e000,0,c0435ad5) at run_interrupt_driven_config_hooks+0x18
> >mi_startup() at mi_startup+0x96
> >begin() at begin+0x2c
> >db> 
> 
> Lose atapicam, does it work then? If so please address the atapicam 
> maintainer with the problems ...

I can see that the panic is in cam, but the odd thing is that I don't
have atapicam in the kernel (I double checked - it isn't there).  I do
have normal cam in the kernel (for USB).  To me it seems like some kind
of memory corruption either in ata(4) or somehow masked by ata when
retries is set to 3, but I'm no kernel hacker.

BTW, I tried to disable acpi as suggested by somebody else (sorry forgot
the name right now), but that didn't change anything.

Here is a gdb backtrace, if it makes more sense to somebody (not from
the same time as the ddb trace above):

#0  0xc06627c2 in mtrash_ctor (mem=0xc4666200, size=-1056882688, arg=0x0)
    at /usr/src/sys/vm/uma_dbg.c:137
#1  0xc06614d5 in uma_zalloc_arg (zone=0xc1051cc0, udata=0x0, flags=1)
    at /usr/src/sys/vm/uma_core.c:1416
#2  0xc053da8b in malloc (size=3238337728, type=0xc072a4a0, flags=1)
    at /usr/src/sys/vm/uma.h:234
#3  0xc043c0be in xpt_alloc_device (bus=0xc443dd80, target=0xc457a3c0, 
    lun_id=0) at /usr/src/sys/cam/cam_xpt.c:4988
#4  0xc043b0b0 in xpt_compile_path (new_path=0xc4685080, perph=0x1000100, 
    path_id=0, target_id=2, lun_id=0) at /usr/src/sys/cam/cam_xpt.c:4056
#5  0xc043b001 in xpt_create_path (new_path_ptr=0x1000100, perph=0xc1985d80, 
    path_id=0, target_id=2, lun_id=0) at /usr/src/sys/cam/cam_xpt.c:4006
#6  0xc043c4a6 in xpt_scan_bus (periph=0xc1985d80, request_ccb=0xc4660400)
    at /usr/src/sys/cam/cam_xpt.c:5243
#7  0xc043a9da in xpt_action (start_ccb=0xc4660400)
    at /usr/src/sys/cam/cam_xpt.c:3522
#8  0xc043d7ac in xpt_finishconfig (periph=0xc1985d80, done_ccb=0xc4660400)
    at /usr/src/sys/cam/cam_xpt.c:6865
#9  0xc043d69b in xptconfigfunc (bus=0xc443dd80, arg=0x0)
    at /usr/src/sys/cam/cam_xpt.c:6774
#10 0xc043a045 in xptdefbusfunc (bus=0x0, arg=0x1000100)
    at /usr/src/sys/cam/cam_xpt.c:2772
#11 0xc0439e97 in xptbustraverse (start_bus=0x0, 
    tr_func=0xc043a030 <xptdefbusfunc>, arg=0xc0c21d54)
    at /usr/src/sys/cam/cam_xpt.c:2630
#12 0xc043a0e5 in xpt_for_all_busses (tr_func=0x1000100, arg=0x1000100)
    at /usr/src/sys/cam/cam_xpt.c:2841
#13 0xc043d720 in xpt_config (arg=0x0) at /usr/src/sys/cam/cam_xpt.c:6825
#14 0xc0557c6c in run_interrupt_driven_config_hooks (dummy=0x0)
    at /usr/src/sys/kern/subr_autoconf.c:76
#15 0xc052620a in mi_startup () at /usr/src/sys/kern/init_main.c:212
(kgdb) list
132     
133             for (p = mem; cnt > 0; cnt--, p++)
134                     if (*p != uma_junk) {
135                             printf("Memory modified after free %p(%d) val=%x @ %p\n",
136                                 mem, size, *p, p);
137                             panic("Most recently used by %s\n", (*ksp == NULL)?
138                                 "none" : (*ksp)->ks_shortdesc);
139                     }
140     }
141     


-- 
Simon L. Nielsen
FreeBSD Documentation Team

Received on Sun Feb 15 2004 - 01:42:40 UTC
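
Added example, not part of the original message and not FreeBSD's own code: a userland C model of the poison-on-free, verify-on-allocate check that the kgdb listing of uma_dbg.c shows and that printed "Memory modified after free". The function names (trash_on_free, check_on_alloc, demo_stale_write) and the stale-pointer scenario are constructed for illustration; the 508-byte size and the value 0x1000100 are taken from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fill pattern written into freed items (the value FreeBSD uses as uma_junk). */
#define JUNK 0xdeadc0deu

/* Free-side hook: poison every 32-bit word of the item being released. */
static void trash_on_free(void *mem, size_t size)
{
    uint32_t *p = mem;
    for (size_t cnt = size / sizeof(*p); cnt > 0; cnt--, p++)
        *p = JUNK;
}

/* Allocation-side hook: return the byte offset of the first word that no
 * longer holds the pattern (storing its value in *val), or -1 if intact. */
static long check_on_alloc(const void *mem, size_t size, uint32_t *val)
{
    const uint32_t *p = mem;
    for (size_t i = 0; i < size / sizeof(*p); i++)
        if (p[i] != JUNK) {
            if (val != NULL)
                *val = p[i];
            return (long)(i * sizeof(*p));
        }
    return -1;
}

/* Constructed scenario: a stale pointer writes into a freed 508-byte item. */
static long demo_stale_write(uint32_t *val)
{
    static uint32_t item[127];           /* 127 * 4 = 508 bytes */
    uint32_t *stale = item;              /* pointer a buggy owner kept */
    trash_on_free(item, sizeof(item));   /* item goes back to the allocator */
    *stale = 0x1000100;                  /* late write through the stale pointer */
    return check_on_alloc(item, sizeof(item), val);
}

int main(void)
{
    uint32_t val = 0;
    long off = demo_stale_write(&val);
    if (off >= 0)
        printf("Memory modified after free: offset %ld val=%x\n", off, (unsigned)val);
    return 0;
}
```

The check runs in whichever code allocates the item next, so the resulting backtrace names that allocator's caller rather than the code that performed the late write.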