[Bug 279243] panic: Memory modified after free, Most recently used by solaris

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=279243

            Bug ID: 279243
           Summary: panic: Memory modified after free, Most recently used
                    by solaris
           Product: Base System
           Version: 14.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: avg@FreeBSD.org

This happens on every other boot for me.
When it happens it always happens when loading nvidia driver.

<118>Mounting local filesystems:.
<118>Mounting ZFS filesystems: (354/354)
<118>Loading kernel modules:
nvidia0: <NVIDIA GeForce GTX 1660> on vgapci0
vgapci0: child nvidia0 requested pci_enable_io
vgapci0: child nvidia0 requested pci_enable_io
<6>nvidia-modeset: Loading NVIDIA Kernel Mode Setting Driver for UNIX platforms
 550.54.14  Thu Feb 22 01:05:40 UTC 2024
sysctl_warn_reuse: can't re-use a leaf (hw.dri.debug)!
<6>[drm] [nvidia-drm] [GPU ID 0x00000100] Loading driver
Memory modified after free 0xfffff800207cf900(376) val=1010000 @
0xfffff800207cf900
panic: Most recently used by solaris

cpuid = 2
time = 1716443221
KDB: stack backtrace:
db_trace_self_wrapper() at 0xffffffff80614c2b =
db_trace_self_wrapper+0x2b/frame 0xfffffe01985cc060
kdb_backtrace() at 0xffffffff8094a037 = kdb_backtrace+0x37/frame
0xfffffe01985cc110
vpanic() at 0xffffffff808fba29 = vpanic+0x169/frame 0xfffffe01985cc250
panic() at 0xffffffff808fb803 = panic+0x43/frame 0xfffffe01985cc2b0
mtrash_ctor() at 0xffffffff80bb25ee = mtrash_ctor+0x7e/frame 0xfffffe01985cc2d0
item_ctor() at 0xffffffff80bb1818 = item_ctor+0x108/frame 0xfffffe01985cc320
uma_zalloc_arg() at 0xffffffff80baac3b = uma_zalloc_arg+0x10b/frame
0xfffffe01985cc360
malloc() at 0xffffffff808d4f60 = malloc+0x70/frame 0xfffffe01985cc3a0
os_alloc_mem() at 0xffffffff857de5f7 = os_alloc_mem+0x37/frame
0xfffffe01985cc3c0
_nv013606rm() at 0xffffffff854fc874 = _nv013606rm+0x34/frame 0xfffffe01a322fc00
Uptime: 42s

"Most recently used by solaris" makes me think that the problem is in ZFS.
Also, because the module loading happens right after mounting ZFS filesystems.

The zone is "malloc-384".
24 initial bytes are affected:

(kgdb) x/48a item
0xfffff800207cf900:     0x1010000       0x0
0xfffff800207cf910:     0x0     0xdeadc0dedeadc0de
0xfffff800207cf920:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf930:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf940:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf950:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf960:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf970:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf980:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf990:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf9a0:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf9b0:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf9c0:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf9d0:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf9e0:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cf9f0:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cfa00:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cfa10:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cfa20:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cfa30:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cfa40:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cfa50:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cfa60:     0xdeadc0dedeadc0de      0xdeadc0dedeadc0de
0xfffff800207cfa70:     0xdeadc0dedeadc0de      0xffffffff8121a800 <M_SOLARIS>

-- 
You are receiving this mail because:
You are the assignee for the bug.