device driver memory leak in 5.1-20030726?

Mark Blackman mark at exonetric.com
Sat Jul 26 13:48:31 PDT 2003


A backtrace: (where and where full) for those who can decipher them
uma_core.c seems to have been the trigger.

(kgdb) where
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1  0xc032cc4c in boot (howto=260) at  
/usr/src/sys/kern/kern_shutdown.c:372
#2  0xc032cfd7 in panic () at /usr/src/sys/kern/kern_shutdown.c:550
#3  0xc0163e22 in db_panic () at /usr/src/sys/ddb/db_command.c:449
#4  0xc0163da2 in db_command (last_cmdp=0xc05c6b40, cmd_table=0x0,
     aux_cmd_tablep=0xc054de7c, aux_cmd_tablep_end=0xc054de94)
     at /usr/src/sys/ddb/db_command.c:346
#5  0xc0163ec5 in db_command_loop () at  
/usr/src/sys/ddb/db_command.c:471
#6  0xc0166dc5 in db_trap (type=3, code=0) at  
/usr/src/sys/ddb/db_trap.c:73
#7  0xc04b454c in kdb_trap (type=3, code=0, regs=0xcc464aa4)
     at /usr/src/sys/i386/i386/db_interface.c:172
#8  0xc04c5e1d in trap (frame=
       {tf_fs = -1047855080, tf_es = -867827696, tf_ds = 16, tf_edi = 1,  
tf_esi = -1068224493, tf_ebp = -867808528, tf_isp = -867808560, tf_ebx  
= 0, tf_edx = 0, tf_ecx = -1067232032, tf_eax = 18, tf_trapno = 3,  
tf_err = 0, tf_eip = -1068808188, tf_cs = 8, tf_eflags = 646, tf_esp =  
-1068208597, tf_ss = -1068312245})
     at /usr/src/sys/i386/i386/trap.c:580
#9  0xc04b5f38 in calltrap () at {standard input}:102
#10 0xc032cf65 in panic (
     fmt=0xc0543013 "kmem_malloc(%ld): kmem_map too small: %ld total  
allocated")
     at /usr/src/sys/kern/kern_shutdown.c:534
#11 0xc047dee0 in kmem_malloc (map=0xc082f0b0, size=4096, flags=2)
     at /usr/src/sys/vm/vm_kern.c:339
#12 0xc048ee87 in page_alloc (zone=0xc083aee0, bytes=0, pflag=0x0,  
wait=0)
---Type <return> to continue, or q <return> to quit---
     at /usr/src/sys/vm/uma_core.c:806
#13 0xc048ebbf in slab_zalloc (zone=0xc083aee0, wait=2)
     at /usr/src/sys/vm/uma_core.c:711
#14 0xc048fd58 in uma_zone_slab (zone=0xc083aee0, flags=258)
     at /usr/src/sys/vm/uma_core.c:1503
#15 0xc048ff96 in uma_zalloc_bucket (zone=0xc083aee0, flags=258)
     at /usr/src/sys/vm/uma_core.c:1606
#16 0xc048fbf9 in uma_zalloc_arg (zone=0xc083aee0, udata=0x0, flags=258)
     at /usr/src/sys/vm/uma_core.c:1434
#17 0xc0321543 in malloc (size=3229855456, type=0xc0583a80, flags=258)
     at /usr/src/sys/vm/uma.h:229
#18 0xc03325f5 in sigacts_alloc () at /usr/src/sys/kern/kern_sig.c:2719
#19 0xc03173ce in fork1 (td=0xc18bce40, flags=20, pages=0,  
procp=0xcc464cd8)
     at /usr/src/sys/kern/kern_fork.c:414
#20 0xc0316c2b in fork (td=0xc18bce40, uap=0xcc464d10)
     at /usr/src/sys/kern/kern_fork.c:102
#21 0xc04c6753 in syscall (frame=
       {tf_fs = 134938671, tf_es = 134873135, tf_ds = -1078001617,  
tf_edi = 6, tf_esi = 135030952, tf_ebp = -1077937480, tf_isp =  
-867807884, tf_ebx = 135016448, tf_edx = 3, tf_ecx = -1077937680,  
tf_eax = 2, tf_trapno = 12, tf_err = 2, tf_eip = 673679423, tf_cs = 31,  
tf_eflags = 531, tf_esp = -1077937732, tf_ss = 47})
     at /usr/src/sys/i386/i386/trap.c:1008
#22 0xc04b5f8d in Xint0x80_syscall () at {standard input}:144
---Can't read userspace from dump, or kernel process---

(kgdb) where full
#0  doadump () at /usr/src/sys/kern/kern_shutdown.c:240
No locals.
#1  0xc032cc4c in boot (howto=260) at  
/usr/src/sys/kern/kern_shutdown.c:372
No locals.
#2  0xc032cfd7 in panic () at /usr/src/sys/kern/kern_shutdown.c:550
	td = (struct thread *) 0xc18bce40
	bootopt = 260
	newpanic = 0
	ap = 0xcc464924 "‹IFâ=\026¿\004HK¿"
	buf = "kmem_malloc(4096): kmem_map too small: 112951296 total  
allocated", '\0' <repeats 191 times>
#3  0xc0163e22 in db_panic () at /usr/src/sys/ddb/db_command.c:449
No locals.
#4  0xc0163da2 in db_command (last_cmdp=0xc05c6b40, cmd_table=0x0,
     aux_cmd_tablep=0xc054de7c, aux_cmd_tablep_end=0xc054de94)
     at /usr/src/sys/ddb/db_command.c:346
	cmd = (struct command *) 0xc04dedfc
	t = 0
	modif =  
"\0t\\¿hid¿lIFÃ\r\0\0\0‡Tc¿\r\0\0\0\001\0\0\0\214IFÃF£J¿‡:b¿\aK\0  
`Uc¿‡]a¿†t\\¿x\0\0\0†t\\¿hid¿∞IFÃa[\026¿\222ZP¿PZ\026¿\0\0\0\0\020\0\0\0 
hid¿†t\\¿∂S\026¿†t\\¿–l\\¿x\0\0\0\003\0\0"
	addr = -1068808188
	count = -1
	have_addr = 0
---Type <return> to continue, or q <return> to quit---
	result = 0
#5  0xc0163ec5 in db_command_loop () at  
/usr/src/sys/ddb/db_command.c:471
No locals.
#6  0xc0166dc5 in db_trap (type=3, code=0) at  
/usr/src/sys/ddb/db_trap.c:73
	bkpt = 0
#7  0xc04b454c in kdb_trap (type=3, code=0, regs=0xcc464aa4)
     at /usr/src/sys/i386/i386/db_interface.c:172
	ef = 70
	ddb_mode = 1
#8  0xc04c5e1d in trap (frame=
       {tf_fs = -1047855080, tf_es = -867827696, tf_ds = 16, tf_edi = 1,  
tf_esi = -1068224493, tf_ebp = -867808528, tf_isp = -867808560, tf_ebx  
= 0, tf_edx = 0, tf_ecx = -1067232032, tf_eax = 18, tf_trapno = 3,  
tf_err = 0, tf_eip = -1068808188, tf_cs = 8, tf_eflags = 646, tf_esp =  
-1068208597, tf_ss = -1068312245})
     at /usr/src/sys/i386/i386/trap.c:580
	td = (struct thread *) 0xc18bce40
	p = (struct proc *) 0xc19c7d3c
	sticks = 3224514865
	i = 0
	ucode = 0
	type = 3
	code = 0
	eva = 0
#9  0xc04b5f38 in calltrap () at {standard input}:102
---Type <return> to continue, or q <return> to quit---
No locals.
#10 0xc032cf65 in panic (
     fmt=0xc0543013 "kmem_malloc(%ld): kmem_map too small: %ld total  
allocated")
     at /usr/src/sys/kern/kern_shutdown.c:534
	td = (struct thread *) 0xc18bce40
	bootopt = 256
	newpanic = 1
	ap = 0x0
	buf = "kmem_malloc(4096): kmem_map too small: 112951296 total  
allocated", '\0' <repeats 191 times>
#11 0xc047dee0 in kmem_malloc (map=0xc082f0b0, size=4096, flags=2)
     at /usr/src/sys/vm/vm_kern.c:339
	offset = 710
	i = 3229855456
	entry = 0xcc464b7c
	addr = 3233144832
	m = 0x2
	pflags = -1065111820
#12 0xc048ee87 in page_alloc (zone=0xc083aee0, bytes=0, pflag=0x0,  
wait=0)
     at /usr/src/sys/vm/uma_core.c:806
	p = (void *) 0x0
#13 0xc048ebbf in slab_zalloc (zone=0xc083aee0, wait=2)
     at /usr/src/sys/vm/uma_core.c:711
	slab = 0xc76f24c8
---Type <return> to continue, or q <return> to quit---
	mem = (u_int8_t *) 0xc083aef4 "¨7X¿\227uO¿\235IT¿"
	flags = 2 '\002'
	i = 2
#14 0xc048fd58 in uma_zone_slab (zone=0xc083aee0, flags=258)
     at /usr/src/sys/vm/uma_core.c:1503
	slab = 0x0
#15 0xc048ff96 in uma_zalloc_bucket (zone=0xc083aee0, flags=258)
     at /usr/src/sys/vm/uma_core.c:1606
	bucket = 0xc192d400
	slab = 0xc083aef4
#16 0xc048fbf9 in uma_zalloc_arg (zone=0xc083aee0, udata=0x0, flags=258)
     at /usr/src/sys/vm/uma_core.c:1434
	item = (void *) 0xc18bce40
	cache = 0xc083afa8
	bucket = 0x0
	cpu = 0
#17 0xc0321543 in malloc (size=3229855456, type=0xc0583a80, flags=258)
     at /usr/src/sys/vm/uma.h:229
	indx = 8
	va = 0xc05eff60 "LHX¿¶“R¿¶“R¿"
	zone = 0xc083aee0
	ksp = (struct malloc_type *) 0xc0583a80
#18 0xc03325f5 in sigacts_alloc () at /usr/src/sys/kern/kern_sig.c:2719
No locals.
---Type <return> to continue, or q <return> to quit---
#19 0xc03173ce in fork1 (td=0xc18bce40, flags=20, pages=0,  
procp=0xcc464cd8)
     at /usr/src/sys/kern/kern_fork.c:414
	p2 = (struct proc *) 0xc1920974
	pptr = (struct proc *) 0x0
	uid = 3247573364
	newproc = (struct proc *) 0xc1920974
	trypid = 669
	ok = 669
	curfail = 0
	pidchecked = 99999
	lastfail = {tv_sec = 0, tv_usec = 0}
	fd = (struct filedesc *) 0xc19c7da8
	fdtol = (struct filedesc_to_leader *) 0x165
	p1 = (struct proc *) 0xc19c7d3c
	td2 = (struct thread *) 0x246
	ke2 = (struct kse *) 0x29d
	kg2 = (struct ksegrp *) 0x23
	newsigacts = (struct sigacts *) 0x0
	error = 35
#20 0xc0316c2b in fork (td=0xc18bce40, uap=0xcc464d10)
     at /usr/src/sys/kern/kern_fork.c:102
	error = 0
	p2 = (struct proc *) 0xc18bce40
#21 0xc04c6753 in syscall (frame=
---Type <return> to continue, or q <return> to quit---
       {tf_fs = 134938671, tf_es = 134873135, tf_ds = -1078001617,  
tf_edi = 6, tf_esi = 135030952, tf_ebp = -1077937480, tf_isp =  
-867807884, tf_ebx = 135016448, tf_edx = 3, tf_ecx = -1077937680,  
tf_eax = 2, tf_trapno = 12, tf_err = 2, tf_eip = 673679423, tf_cs = 31,  
tf_eflags = 531, tf_esp = -1077937732, tf_ss = 47})
     at /usr/src/sys/i386/i386/trap.c:1008
	params = 0xbfbff9c0---Can't read userspace from dump, or kernel  
process---

(kgdb)
(kgdb) quit

On Saturday, July 26, 2003, at 09:06 PM, Mark Blackman wrote:

> Hi all,
>
> I'm seeing the same 'kmem_malloc(4096): kmem_map too small: XXXXX  
> total allocated'
> messages that a few other have reported.
>
> Now, I understand that setting kern.vm.kmem.size larger is supposed to
> help, but I'm using a 128M Celeron-650 i386 system with no unusual
> devices (expect perhaps a Speedtouch ADSL modem) and I've progressively
> set the kern.vm.kmem.size to larger and larger values, starting at
> 64MB, then 96MB and finally 128MB.
>
> As I approached the physical memory size of the machine (128MB),
> the panic problem failed to reappear, but I got another problem  
> whereby the kernel
> appeared to take over all of memory (i.e. processes were gradually
> all getting swapped out, but no other process seemed to be taking
> the memory) within about 30 minutes of boot-up.
>
> I noticed in the final minutes of the case where kmem.size=128MB (i.e.  
> all
> of physical RAM), that kern.malloc was reporting 100M of 'devbuf'  
> memory
> allocations and that it was gradually increasing at about 25k per
> second. I can't believe this is normal behaviour, but I'm no
> expert. I believe the devbuf allocations are specifically for
> device drivers.
>
> From these symptoms, I'm speculating that one or more device drivers
> are producing kernel memory leaks and either triggering the
> 'kmem_map too small' messages or pushing all of the userland processes
> out of the way. Is this a reasonable interpretation?
>
> Does anyone else see symptoms that might lead to this conclusion?
>
> As a side note, I also briefly witnessed scrolling
> errors like 'ad0: out of memory in start'.
>
> I have no idea if this implies the 'ad' driver is an issue.
>
> Regards,
> Mark Blackman
> Exonetric Consulting
>



More information about the freebsd-current mailing list