[releng_6] mpt(4) Memory modified after free panic

From: Pawel Worach <pawel.worach_at_gmail.com>
Date: Mon, 26 Sep 2005 23:55:53 +0200
I'm trying to use an mpt controller with only one disk attached, so it's not
possible to configure a RAID-1 volume.
Trying to boot the 6.0-BETA1 install CD results in this panic. Should it be
possible to use a single disk behind an mpt(4) with the updated driver? This
configuration works fine on 5.4.

GDB: no debug ports present
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 6.0-BETA1 #0: Tue Jul 12 18:05:55 UTC 2005
root_at_x64.samsco.home:/usr/obj/usr/src/sys/GENERIC
WARNING: WITNESS option enabled, expect reduced performance.
ACPI APIC Table: <IBM SERONYXP>
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(TM) CPU 2.80GHz (2793.90-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0xf27 Stepping = 7
Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
Features2=0x4400<CNTX-ID,<b14>>
Hyperthreading: 2 logical CPUs
...
mpt0: <LSILogic 1030 Ultra4 Adapter> port 0x2700-0x27ff mem 0xf9ff0000-0xf9ffffff,0xf9fe0000-0xf9feffff irq 27 at device 7.0 on pci8
mpt0: [GIANT-LOCKED]
mpt0: MPI Version=1.2.15.0
mpt0: Unhandled Event Notify Frame. Event 0xa.
mpt0: Capabilities: ( RAID-1 SAFTE )
mpt0: 0 Active Volumes (1 Max)
mpt0: 0 Hidden Drive Members (6 Max)
mpt1: <LSILogic 1030 Ultra4 Adapter> port 0x2800-0x28ff mem 0xf9fd0000-0xf9fdffff,0xf9fc0000-0xf9fcffff irq 28 at device 7.1 on pci8
mpt1: [GIANT-LOCKED]
mpt1: MPI Version=1.2.15.0
mpt1: Unhandled Event Notify Frame. Event 0xa.
mpt1: Capabilities: ( RAID-1 SAFTE )
mpt1: 0 Active Volumes (1 Max)
mpt1: 0 Hidden Drive Members (6 Max)
Memory modified after free 0xc28a5710(12) val=0 @ 0xc28a5710
panic: Most recently used by bus

cpuid = 0
KDB: enter: panic
[thread pid 0 tid 0 ]
Stopped at kdb_enter+0x2b: nop
db> tr
Tracing pid 0 tid 0 td 0xc091bca0
kdb_enter(c0854b84) at kdb_enter+0x2b
panic(c086f463,c08328ac,c086f434,c28a5710,c) at panic+0x127
mtrash_ctor(c28a5710,10,0,1) at mtrash_ctor+0x4d
uma_zalloc_arg(c145a420,0,1) at uma_zalloc_arg+0x10f
malloc(8,c08b79e0,1,1030200,c28b6000) at malloc+0xae
mpt_read_config_info_ioc(c28b6000) at mpt_read_config_info_ioc+0x464
mpt_configure_ioc(c28b6000,c0897a80,0,c1020b28,c05639f2) at mpt_configure_ioc+0x2ea
mpt_core_attach(c28b6000,c289d780,c28b6000,c289d680,c1020b58) at mpt_core_attach+0xb6
mpt_attach(c28b6000) at mpt_attach+0x2a
mpt_pci_attach(c289d680) at mpt_pci_attach+0x4c9
device_attach(c289d680,c26b8700,c289d680,c289d780,0) at device_attach+0x58
device_probe_and_attach(c289d680) at device_probe_and_attach+0xe0
bus_generic_attach(c289d780,6,c26b8700,1,c0ee0258) at bus_generic_attach+0x16
acpi_pci_attach(c289d780) at acpi_pci_attach+0xd0
device_attach(c289d780,c2807b78,c289d780,0,c275ea00) at device_attach+0x58
device_probe_and_attach(c289d780) at device_probe_and_attach+0xe0
bus_generic_attach(c275ea00,c275ea00,0,c26b8700,c28a6100) at bus_generic_attach+0x16
acpi_pcib_attach(c275ea00,c28a6114,8,c06456a5,c275d180) at acpi_pcib_attach+0x130
acpi_pcib_acpi_attach(c275ea00) at acpi_pcib_acpi_attach+0xcf
device_attach(c275ea00,c2832280,c275ea00,c2833ac0,c275d180) at device_attach+0x58
device_probe_and_attach(c275ea00) at device_probe_and_attach+0xe0
bus_generic_attach(c275d180,ffffffff,fec00000,c2820288,3) at bus_generic_attach+0x16
acpi_attach(c275d180) at acpi_attach+0x631
device_attach(c275d180,0,c275d180,c275d880,0) at device_attach+0x58
device_probe_and_attach(c275d180) at device_probe_and_attach+0xe0
bus_generic_attach(c275d880,c275d880,c275d880,c1020d40,c06461a8) at bus_generic_attach+0x16
nexus_attach(c275d880) at nexus_attach+0x13
device_attach(c275d880,c06293fa,c275d880,c08f3d90,1028000) at device_attach+0x58
device_probe_and_attach(c275d880) at device_probe_and_attach+0xe0
root_bus_configure(c1020d88,c060adc6,0,101ec00,101e000) at root_bus_configure+0x16
configure(0,101ec00,101e000,0,c04453b5) at configure+0x9
mi_startup() at mi_startup+0x96
begin() at begin+0x2c

(kgdb) l *mpt_read_config_info_ioc+0x464
0xc05631bc is in mpt_read_config_info_ioc (/usr/src/sys/dev/mpt/mpt.c:1558).
1553 hdr.PageVersion, hdr.PageLength, hdr.PageNumber, hdr.PageType);
1554
1555 if (mpt->ioc_page3 != NULL)
1556 free(mpt->ioc_page3, M_DEVBUF);
1557 len = hdr.PageLength * sizeof(uint32_t);
1558 mpt->ioc_page3 = malloc(len, M_DEVBUF, M_NOWAIT);
1559 if (mpt->ioc_page3 == NULL)
1560 return (-1);
1561 memset(mpt->ioc_page3, 0, sizeof(*mpt->ioc_page3));
1562 memcpy(&mpt->ioc_page3->Header, &hdr, sizeof(hdr));

--
Pawel
Received on Mon Sep 26 2005 - 19:55:55 UTC
