kern/145211: Memory modified after free

Nathaniel Filardo nwf at
Tue Mar 30 15:50:04 UTC 2010

>Number:         145211
>Category:       kern
>Synopsis:       Memory modified after free
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 30 15:50:03 UTC 2010
>Originator:     Nathaniel Filardo
>Release:        9.0-CURRENT
FreeBSD 9.0-CURRENT FreeBSD 9.0-CURRENT #19: Mon Mar 29 18:21:58 EDT 2010     root at  sparc64

Kernel panic.  No dump to disk is made.  Moreover, despite having KDB turned on, the system did not drop to a db> prompt.

login: Memory modified after free 0xfffff80019f97000(2048) val=dead0003 @ 0xfffff80019f97000
Memory modified after free 0xfffff8000569f000(2048) val=dead0003 @ 0xfffff8000569f000       
Memory modified after free 0xfffff80005686800(2048) val=dead0003 @ 0xfffff80005686800       
Memory modified after free 0xfffff800056dd800(2048) val=dead0003 @ 0xfffff800056dd800       
Memory modified after free 0xfffff800054ba800(2048) val=dead0003 @ 0xfffff800054ba800       
Memory modified after free 0xfffff8000565b000(2048) val=dead0003 @ 0xfffff8000565b000       
Memory modified after free 0xfffff80005609800(2048) val=dead0003 @ 0xfffff80005609800       
Memory modified after free 0xfffff80005608000(2048) val=dead0003 @ 0xfffff80005608000       
Memory modified after free 0xfffff80005695800(2048) val=dead0003 @ 0xfffff80005695800       
Memory modified after free 0xfffff8000563e800(2048) val=dead0003 @ 0xfffff8000563e800       
Memory modified after free 0xfffff800055c2000(2048) val=dead0003 @ 0xfffff800055c2000       
Memory modified after free 0xfffff80019f77800(2048) val=dead0003 @ 0xfffff80019f77800       
Memory modified after free 0xfffff8001920b000(2048) val=dead0003 @ 0xfffff8001920b000       
Memory modified after free 0xfffff80019fae000(2048) val=dead0003 @ 0xfffff80019fae000       
Memory modified after free 0xfffff800055a6800(2048) val=dead0003 @ 0xfffff800055a6800       
Memory modified after free 0xfffff8000565e000(2048) val=dead0003 @ 0xfffff8000565e000       
Memory modified after free 0xfffff80005641800(2048) val=dead0003 @ 0xfffff80005641800       
Memory modified after free 0xfffff80005675000(2048) val=dead0003 @ 0xfffff80005675000       
Memory modified after free 0xfffff8000564c800(2048) val=dead0003 @ 0xfffff8000564c800       
panic: pcib: PCI bus B error AFAR 0 AFSR 0 PCI CSR 0x10730b2aff IOMMU 0x3060003 STATUS 0x2a0
cpuid = 1

On pcib bus B I seem to have the following devices:

pcib0: <Sun Host-PCI bridge> mem 0x4000ff00000-0x4000ff0afff,0x4000fc10000-0x4000fc1701f,0x7f600000000-0x7f6000000ff,0x4000ff80000-0x4000ff8ffff irq 2035,2032,2033,2036,2019 on nexus0
pcib0: Tomatillo, version 4, IGN 0x1f, bus B, 66MHz
pcib0: DVMA map: 0xc0000000 to 0xdfffffff 65536 entries
pci0: <OFW PCI bus> on pcib0
pci0: <OFW PCI bus> on pcib0
bge0: <Broadcom BCM5704 A3, ASIC rev. 0x002003> mem 0x200000-0x20ffff,0x110000-0x11ffff at device 2.0 on pci0
bge1: <Broadcom BCM5704 A3, ASIC rev. 0x002003> mem 0x400000-0x40ffff,0x120000-0x12ffff at device 2.1 on pci0
atapci0: <AcerLabs M5229 UDMA100 controller> port 0x900-0x907,0x918-0x91b,0x910-0x917,0x908-0x90b,0x920-0x92f at device 13.0 on pci1
atapci0: [ITHREAD]
atapci0: using PIO transfers above 137GB as workaround for 48bit DMA access bug, expect reduced performance

There's only a DVD drive attached to atapci0, and the driver for that is not loaded.

pcib3: <Sun Host-PCI bridge> mem 0x4000ef00000-0x4000ef0afff,0x4000ec10000-0x4000ec1701f,0x7c600000000-0x7c6000000ff,0x4000ef80000-0x4000ef8ffff irq 1907,1904,1905,1908,1893 on nexus0
pcib3: Tomatillo, version 4, IGN 0x1d, bus B, 66MHz
pcib3: DVMA map: 0xc0000000 to 0xdfffffff 65536 entries
pci3: <OFW PCI bus> on pcib3
bge2: <Broadcom BCM5704 A3, ASIC rev. 0x002003> mem 0x200000-0x20ffff,0x110000-0x11ffff at device 2.0 on pci3
bge3: <Broadcom BCM5704 A3, ASIC rev. 0x002003> mem 0x400000-0x40ffff,0x120000-0x12ffff at device 2.1 on pci3
atapci1: <Marvell 88SX6081 SATA300 controller> port 0x300-0x3ff mem 0x600000-0x6fffff,0x800000-0xbfffff at device 1.0 on pci3
ata8: <ATA channel 4> on atapci1
ata9: <ATA channel 5> on atapci1
ata10: <ATA channel 6> on atapci1
ata11: <ATA channel 7> on atapci1
ad0: 715404MB <WDC WD7500AADS-00L5B1 01.01A01> at ata8-master UDMA100 SATA 3Gb/s
ad1: 715404MB <WDC WD7500AADS-00L5B1 01.01A01> at ata9-master UDMA100 SATA 3Gb/s
ad2: 715404MB <WDC WD7500AADS-00L5B1 01.01A01> at ata10-master UDMA100 SATA 3Gb/s
ad3: 715404MB <WDC WD7500AADS-00L5B1 01.01A01> at ata11-master UDMA100 SATA 3Gb/s

These four disks form a RAIDZ.

Kernel configuration options that seem relevant:

options         SMP
options         KDB
options         INVARIANTS
options         INVARIANT_SUPPORT
options         WITNESS
options         WITNESS_SKIPSPIN
device          ata
device          atadisk
nodevice        atapicd
nodevice        atapifd
nodevice        atapist
device          atamarvell

What more would be useful to know?
Unknown; the crash has happened twice so far, once with a kernel from January after weeks of uptime and once with a kernel from yesterday after only a few hours.  The system routinely survives multiple zfs scrubs of the four disks hanging off of pci3, so if it's an ATA bug it's a funny one.
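
An added triage example, not part of the original report or of FreeBSD: it parses the "Memory modified after free" console lines above and reports which bits of the reported word differ from the free-memory fill. The fill pattern 0xdeadc0de is an assumption about the INVARIANTS kernel, not something the report states; the three sample lines are copied from the report.

```python
import re
from collections import Counter

# Assumption (not stated in the report): freed UMA items are filled with this
# 32-bit junk pattern when the kernel is built with INVARIANTS.
UMA_JUNK = 0xDEADC0DE

LINE_RE = re.compile(
    r"Memory modified after free (0x[0-9a-f]+)\((\d+)\) val=([0-9a-f]+) @ (0x[0-9a-f]+)"
)

# Three console lines copied from the report above.
SAMPLE = """\
login: Memory modified after free 0xfffff80019f97000(2048) val=dead0003 @ 0xfffff80019f97000
Memory modified after free 0xfffff8000569f000(2048) val=dead0003 @ 0xfffff8000569f000
Memory modified after free 0xfffff80005686800(2048) val=dead0003 @ 0xfffff80005686800
"""

def parse(console_text):
    """Return one dict per 'Memory modified after free' line found."""
    hits = []
    for m in LINE_RE.finditer(console_text):
        item, where = int(m.group(1), 16), int(m.group(4), 16)
        size, val = int(m.group(2)), int(m.group(3), 16)
        hits.append({
            "item": item,
            "size": size,
            "val": val,
            "offset": where - item,          # position of the bad word in the item
            "changed_bits": val ^ UMA_JUNK,  # bits that differ from the junk fill
        })
    return hits

def summarize(hits):
    """Group the hits so a repeated pattern stands out from one-off damage."""
    return {
        "count": len(hits),
        "sizes": Counter(h["size"] for h in hits),
        "offsets": Counter(h["offset"] for h in hits),
        "changed": Counter(hex(h["changed_bits"]) for h in hits),
        # True when every item address is a multiple of its own size.
        "aligned": all(h["item"] % h["size"] == 0 for h in hits),
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE)).items():
        print(key, value)
```

Every sample line yields the same result: a 2048-byte item whose first word differs from the assumed fill only in its low 16 bits.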

