hiren panchasara
2014-May-29 23:12 UTC
Stable/10 panic: uma_zfree: Freeing to non free bucket index.
We are at stable/10 r261579. On a Xeon E5-2670 with 64GB ram, we saw this panic:
Unread portion of the kernel message buffer:
panic: uma_zfree: Freeing to non free bucket index.
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe106e49a6e0
kdb_backtrace() at kdb_backtrace+0x39/frame 0xfffffe106e49a790
vpanic() at vpanic+0x126/frame 0xfffffe106e49a7d0
kassert_panic() at kassert_panic+0x136/frame 0xfffffe106e49a840
uma_zfree_arg() at uma_zfree_arg+0x3cd/frame 0xfffffe106e49a8a0
_fdrop() at _fdrop+0x63/frame 0xfffffe106e49a8c0
closef() at closef+0x1d1/frame 0xfffffe106e49a950
closefp() at closefp+0xa0/frame 0xfffffe106e49a9a0
ia32_syscall() at ia32_syscall+0x255/frame 0xfffffe106e49aab0
Xint0x80_syscall() at Xint0x80_syscall+0x95/frame 0xfffffe106e49aab0
--- syscall (6, FreeBSD ELF32, sys_close), rip = 0x63594804, rsp 0xffff6684, rbp = 0xffff66b0 ---
Uptime: 5d10h19m35s
I can provide more info if needed.
(kgdb) bt
#0 doadump (textdump=1) at pcpu.h:219
#1 0xffffffff805fb2f7 in kern_reboot (howto=260) at ../../../kern/kern_shutdown.c:452
#2 0xffffffff805fb805 in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at ../../../kern/kern_shutdown.c:759
#3 0xffffffff805fb696 in kassert_panic (fmt=<value optimized out>) at ../../../kern/kern_shutdown.c:647
#4 0xffffffff807e7aed in uma_zfree_arg (zone=<value optimized out>, item=0xfffff80108a3f8c0, udata=0x0) at ../../../vm/uma_core.c:2706
#5 0xffffffff805b8813 in _fdrop (fp=0xfffff80108a3f8c0, td=<value optimized out>) at uma.h:364
#6 0xffffffff805bb131 in closef (fp=0xfffff80108a3f8c0, td=0xfffff8015f53b000) at ../../../kern/kern_descrip.c:2415
#7 0xffffffff805b8c40 in closefp (fdp=0xfffff802727f1800, fd=<value optimized out>, fp=0xfffff80108a3f8c0, td=0xfffff8015f53b000, holdleaders=<value optimized out>) at ../../../kern/kern_descrip.c:1257
#8 0xffffffff80a34b65 in ia32_syscall (frame=0xfffffe106e49aac0) at subr_syscall.c:135
#9 0xffffffff8095e675 in Xint0x80_syscall () at ia32_exception.S:73
#10 0x0000000063594804 in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language: auto; currently minimal
(kgdb) f 4
#4 0xffffffff807e7aed in uma_zfree_arg (zone=<value optimized out>, item=0xfffff80108a3f8c0, udata=0x0) at ../../../vm/uma_core.c:2706
2706 ../../../vm/uma_core.c: No such file or directory.
in ../../../vm/uma_core.c
(kgdb) l
2701 in ../../../vm/uma_core.c
(kgdb)
2696. zfree_start:
2697.     /*
2698.      * Try to free into the allocbucket first to give LIFO ordering
2699.      * for cache-hot datastructures. Spill over into the freebucket
2700.      * if necessary. Alloc will swap them if one runs dry.
2701.      */
2702.     bucket = cache->uc_allocbucket;
2703.     if (bucket == NULL || bucket->ub_cnt >= bucket->ub_entries)
2704.         bucket = cache->uc_freebucket;
2705.     if (bucket != NULL && bucket->ub_cnt < bucket->ub_entries) {
2706.         KASSERT(bucket->ub_bucket[bucket->ub_cnt] == NULL,
2707.             ("uma_zfree: Freeing to non free bucket index."));
2708.         bucket->ub_bucket[bucket->ub_cnt] = item;
2709.         bucket->ub_cnt++;
2710.         cache->uc_frees++;
2711.         critical_exit();
2712.         return;
2713.     }
Thanks,
Hiren
John Baldwin
2014-May-30 15:09 UTC
Stable/10 panic: uma_zfree: Freeing to non free bucket index.
On Thursday, May 29, 2014 7:12:02 pm hiren panchasara wrote:
> We are at stable/10 r261579. On a Xeon E5-2670 with 64GB ram, we saw this panic:
>
> Unread portion of the kernel message buffer:
> panic: uma_zfree: Freeing to non free bucket index.

A double free? When I was at Y! there was a fairly common fdrop panic due to the ref count underflowing on 7. I suspect this is the same bug, just being caught differently. I was never able to find the culprit of the double free. :(

--
John Baldwin
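Added example, not part of the thread and not FreeBSD code: a userspace C model of the empty-slot check from the uma_core.c listing above, next to a reference-count release that rejects an underflow before anything is freed. Everything except the `ub_cnt`, `ub_entries` and `ub_bucket` field names is hypothetical, and both demo cases are constructed.

```c
#include <stddef.h>

enum result { OK, FULL, SLOT_NOT_FREE, REF_UNDERFLOW };

/* Userspace model of a bucket; field names follow the listing. */
struct bucket {
    int   ub_cnt, ub_entries;  /* items cached, capacity */
    void *ub_bucket[4];        /* slots at index >= ub_cnt stay NULL */
};

/* Free path from the listing; returns an error where the KASSERT fires. */
enum result bucket_free(struct bucket *b, void *item) {
    if (b->ub_cnt >= b->ub_entries)
        return FULL;
    if (b->ub_bucket[b->ub_cnt] != NULL)
        return SLOT_NOT_FREE;  /* "Freeing to non free bucket index." */
    b->ub_bucket[b->ub_cnt++] = item;
    return OK;
}

struct obj { int refs; };      /* hypothetical reference-counted object */
/* Release one reference; refuse a release on an already-dead object. */
enum result obj_drop(struct bucket *b, struct obj *o) {
    if (o->refs <= 0)
        return REF_UNDERFLOW;  /* second release stops before the free */
    return --o->refs > 0 ? OK : bucket_free(b, o);
}

/* Constructed case: the count lags the contents, as after corruption. */
enum result demo_stale_count(void) {
    struct bucket b = { 0, 4, { NULL } };
    int x;
    bucket_free(&b, &x);
    b.ub_cnt--;                /* slot 0 still holds &x */
    return bucket_free(&b, &x);
}

/* Constructed case: the same object is released twice. */
enum result demo_double_drop(void) {
    struct bucket b = { 0, 4, { NULL } };
    struct obj o = { 1 };
    obj_drop(&b, &o);
    return obj_drop(&b, &o);
}

int main(void) {
    return !(demo_stale_count() == SLOT_NOT_FREE &&
             demo_double_drop() == REF_UNDERFLOW);
}
```

In this model the slot check fires only when a bucket's count and contents disagree; the underflow guard rejects the second release before it reaches the bucket.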