netbsd-bugs: kern/8995: Panic: free list modified

Subject: kern/8995: Panic: free list modified
To: None <gnats-bugs@gnats.netbsd.org>
From: None <Reinoud.Zandijk@rangerover.netbsd.org>
List: netbsd-bugs
Date: 12/15/1999 14:54:49
>Number:         8995
>Category:       kern
>Synopsis:       Panic: free list modified
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Dec 15 14:54:01 1999
>Last-Modified:
>Originator:     Reinoud Zandijk
>Organization:
	
>Release:        NetBSD -current 19991215 <NetBSD-current source date>
>Environment:
NetBSD ismaelda 1.4P NetBSD 1.4P (config.ismaelda) #1: Wed Dec 15 15:52:29 CET 1999     reinoud@kabel065013.kabel.utwente.nl:/usr/sources/imago-port/syssrc/sys/arch/arm32/compile/config.ismaelda arm32

ARM 710, 26 Mb RAM, Atomwide ether 3 (ea0)

NetBSD-current 19991215 + patch port-arm32/8480 :

root@rangerover 25> cvs diff -r NetBSD
cvs diff: Diffing .
Index: pmap.c
===================================================================
RCS file: /cvsroot//syssrc/sys/arch/arm32/arm32/pmap.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -r1.1.1.1 -r1.2
2765a2766
>  * 
2771a2773,2799
>       PDEBUG(0, printf("pmap_collect : pmap = %p\n", pmap));
> 
>       /*
>        * Copied directly from mac68k.... only changed VM_MAX_ADDRESS to
>        * VM_MAXUSER_ADDRESS. This architecture seems to have a slightly
>        * different memory configuration -> using VM_MAX_ADDRESS freezes
>        * the machine.
>        */
> 
>       if (pmap == pmap_kernel()) {
>               /* kernel mappings seem to be different / difficult; skipping for now */
>               PDEBUG(0, printf("pmap_collect : kernel pages, skipping\n"));
>               return;
>       } else {
>               /* 
>                * This process is about to be swapped out; free all of
>                * the PT pages by removing the physical mappings for its
>                * entire address space.  Note: pmap_remove() performs
>                * all necessary locking.
>                  */
>               pmap_remove(pmap, VM_MIN_ADDRESS, VM_MAXUSER_ADDRESS);
>       }
> 
> #if 0
>       /* Go compact and garbage-collect the pv_table. */
>       pmap_collect_pv();
> #endif
root@rangerover 26> 

	


>Description:
After running some time on a relatively busy network, the machine recieved some packets it dropped after where it at some time crashes... it looks related to UDP packet recieval. Just wrote lost of stuff, to make it easy :-)

On screen : "
rx packet size error len=7812
ismaelda /netbsd: rx packet packet size error len=7812
rx packet error (0c) - dropping packet
ismaelda /netbsd: rx packet error (0c) - dropping packet
rx packet size size error len=18301
ismaelda /netbsd: rx packet size error len=18301
rx packet error (0d) - dropping packet
ismaelda /netbsd: rx packet error (0d) - dropping packet
rx packet error (06) - dropping packet
ismaelda /netbsd: rx packet error (06) - dropping packet
rx packet error (05) - dropping packet
ismaelda /netbsd: rx packet error (05) - dropping packet
.... snip a 15 mins of silence ...
ismaelda /netbsd: portmap[ ]... a few times rstatd/rusersd
panic: pool_get(mbpl): free list modified: magic=5000000; page 0xf107b000; item addr 0xf107ba80

Stopped at     _cpu_Debugger+0x10:   ldmdb   r11, {r11, r13, r15}
db>

Trace gives :
_cpu_Debugger(_cpu_Debugger+0x10)
_panic(_panic+0x14)
__pool_get(__pool_get+0x10)
_sbappendaddr(_sbappendaddr+0x10)
_udp_input(_udp_input+0x2f0)
_udp_input(_udp_input+0x3e4)
_udp_input(_udp_input+0x14)
_ip_input(_ip_input+0x10)
_ipintr(_ipintr+0x10)
_dosoftints(_dosoftints+0x10)
_mi_switch(_mi_switch(_mi_switch+0x10)
_tsleep(_tsleep+0x10)
_sys_poll(_sys_poll+0x10)
_syscall(_syscall+0x10)
bd>
db> reboot 0x100
(snip)
syncing disks... pool mbpl: reentrency at file ../../../../arch/arm32/podulebus/if_ea.c line 1376
     previous entry at file ../../../../kern/uipc_socket2.c line 597
panic: pr_enter

db> show object 0xf107b000
OBJECT 0xf107b000: pgops=0xf107b500, npages=1, refs=0
db> show object 0xf107ba80
OBJECT 0xf107ba80: pgops=0x0, npages=0, refs=-20162806576
db> examine 0xf107ba80
0xf107ba80:	5000000
db> examine 0xf107b000
0xf107b000:	deadbeef
db> sync
(snip)
duping to dev ....
dump 0 panic: pmap_remove_pv: lost entry
"


	
>How-To-Repeat:
... just wait?

	
>Fix:
No fix known...
	<how to correct or work around the problem, if known (multiple lines)>

>Audit-Trail:
>Unformatted: