panic: Duplicate free of item 0xc3474084 from zone 0xc1044c60(g_bio)

From: Ulrich Spoerlein <q_at_uni.de> Date: Wed, 1 Sep 2004 20:16:29 +0200 · This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:10 UTC

Hello,

I discovered the following panic yesterday after fiddling with suspend
and lid close on my laptop.

First the odd thing:
After several suspend+resume cycles there were no more ACPI Events.
Pressing Fn+ESC (suspend), closing the lid, even pressing the power
button did nothing. I restarted devd -D -d and it didn't "see" any
events happening.

acpiconf -s 1 still worked, and pressing the power button correctly
resumed the laptop. Even 'sysctl hw.acpi.video.lcd0.active=0/1' worked as
expected. It's just that the buttons on the laptop did nothing.

I can't remember what I did next, I think it was after sysctl
hw.acpi.video.lcd0.active=1 that the laptop crashed with this message
and trace

panic: Duplicate free of item 0xc3474084 from zone 0xc1044c60(g_bio)
(kgdb) bt
#0  doadump () at pcpu.h:159
#1  0xc048e0bb in db_fncall (dummy1=-482686232, dummy2=0, dummy3=-482686332, 
    dummy4=0xe33aca80 "zànÀ") at /usr/src/sys/ddb/db_command.c:531
#2  0xc048e45c in db_command_loop () at /usr/src/sys/ddb/db_command.c:349
#3  0xc048fbe1 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
#4  0xc057a245 in kdb_trap (type=3, code=0, tf=0xe33acba0) at /usr/src/sys/kern/subr_kdb.c:418
#5  0xc06bb5f3 in trap (frame=
      {tf_fs = -482738152, tf_es = -1068040176, tf_ds = -1066336240, tf_edi = 256, tf_esi = -1066180656, tf_ebp = -482685984, tf_isp = -482686004, tf_ebx = -482685944, tf_edx = 0, tf_ecx = -1066288042, tf_eax = -1066296234, tf_trapno = 3, tf_err = 0, tf_eip = -1067999498, tf_cs = 8, tf_eflags = 646, tf_esp = -482685956, tf_ss = -1068083965}) at /usr/src/sys/i386/i386/trap.c:576
#6  0xc06b027a in calltrap () at /usr/src/sys/i386/i386/exception.s:140
#7  0xe33a0018 in ?? ()
#8  0xc0570010 in softclock (dummy=0xc0719c56) at /usr/src/sys/kern/kern_timeout.c:201
#9  0xc0565503 in panic (fmt=---Can't read userspace from dump, or kernel process---) at /usr/src/sys/kern/kern_shutdown.c:542
#10 0xc068cd4b in uma_dbg_free (zone=0xc1044c60, slab=0xc3474f70, item=0xc3474084) at /usr/src/sys/vm/uma_dbg.c:276
#11 0xc068b7d8 in uma_zfree_arg (zone=0xc1044c60, item=0xc3474084, udata=0x0) at /usr/src/sys/vm/uma_core.c:2228
#12 0xc05323c2 in g_destroy_bio (bp=0xc3474084) at uma.h:302
#13 0xc0530b0b in g_disk_done (bp=0xc3474084) at /usr/src/sys/geom/geom_disk.c:203
#14 0xc04af06d in ad_done (request=0xc25a1000) at /usr/src/sys/dev/ata/ata-disk.c:322
#15 0xc04a2fd5 in ata_completed (context=0xc25a1000, dummy=0) at /usr/src/sys/dev/ata/ata-queue.c:404
#16 0xc04a30de in ata_timeout (request=0xc25a1000) at /usr/src/sys/dev/ata/ata-queue.c:442
#17 0xc0570153 in softclock (dummy=0x0) at /usr/src/sys/kern/kern_timeout.c:259
#18 0xc0554b8b in ithread_loop (arg=0xc22d4580) at /usr/src/sys/kern/kern_intr.c:546
#19 0xc05540a2 in fork_exit (callout=0xc0554a79 <ithread_loop>, arg=0xc22d4580, frame=0xe33acd48) at /usr/src/sys/kern/kern_fork.c:820
#20 0xc06b02dc in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:209
(kgdb) f 10
#10 0xc068cd4b in uma_dbg_free (zone=0xc1044c60, slab=0xc3474f70, item=0xc3474084)
    at /usr/src/sys/vm/uma_dbg.c:276
276                     panic("Duplicate free of item %p from zone %p(%s)\n",
(kgdb) l
271             }
272
273             if (slab->us_freelist[freei].us_item != 255) {
274                     printf("Slab at %p, freei %d = %d.\n",
275                         slab, freei, slab->us_freelist[freei].us_item);
276                     panic("Duplicate free of item %p from zone %p(%s)\n",
277                         item, zone, zone->uz_name);
278             }
279
280             /*
(kgdb) p item
$1 = (void *) 0xc3474084
(kgdb) p *item
Attempt to dereference a generic pointer.
(kgdb) p zone
$2 = 0xc1044c60
(kgdb) p *zone
$3 = {uz_name = 0xc0713f19 "g_bio", uz_lock = 0xc101e5a8, uz_keg = 0xc101e5a0, uz_link = {
    le_next = 0x0, le_prev = 0xc101e5d8}, uz_full_bucket = {lh_first = 0xc362d418}, 
  uz_free_bucket = {lh_first = 0x0}, uz_ctor = 0, uz_dtor = 0, uz_init = 0, uz_fini = 0, 
  uz_allocs = 1495977, uz_fills = 0, uz_count = 128, uz_cpu = {{uc_freebucket = 0xc28d7a3c, 
      uc_allocbucket = 0xc3cc0418, uc_allocs = 40}}}

I will update to the latest RELENG_5 and try to reproduce this panic.

An older dmesg and the DSDT and ASL can be found here
http://www.galgenberg.net/~q/freebsd/

Ulrich Spoerlein
-- 
PGP Key ID: F0DB9F44				Get it while it's hot!
PGP Fingerprint: F1CE D062 0CA9 ADE3 349B  2FE8 980A C6B5 F0DB 9F44
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."	-- Benjamin Franklin