Subject: kern/37065: callout on free()'d struct callout?
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <martin@duskware.de>
List: netbsd-bugs
Date: 10/05/2007 17:05:01
>Number: 37065
>Category: kern
>Synopsis: callout on free()'d struct callout?
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Oct 05 17:05:00 +0000 2007
>Originator: Martin Husemann
>Release: NetBSD 4.99.31
>Organization:
>Environment:
System: NetBSD nelly.aprisoft.de 4.99.31 NetBSD 4.99.31 (NELLY) #22: Fri Oct 5 17:47:35 CEST 2007 martin@emmas.aprisoft.de:/nelly/usr/src/sys/arch/sparc64/compile/NELLY sparc64
Architecture: sparc64
Machine: sparc64
>Description:
I run a kernel with options MALLOC_DEBUG and
struct malloc_type *debug_malloc_type = M_TEMP;
int debug_malloc_size = 128;
int debug_malloc_size_lo = -1;
int debug_malloc_size_hi = -1;
for completely unrelated (or so I think) reasons. This, however, caught
a problem due to struct callout being 128 bytes as well on this machine:
I get a kernel data fault on read with this backtrace:
mutex_vector_enter()
sched_pstats()+0x12c (sys/lwp.h:303)
callout_softclock()
sparc_interrupt()
sodopenendfree()+0x8
soreceive()+0x51c
soo_read()+0x1c
dofileread()+0x94
sys_read()+0x64
syscall_plain()
so something is accessing a free'd callout?
>How-To-Repeat:
s/a
>Fix:
no idea yet
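The failure the report points at (a struct callout freed while still queued, caught by MALLOC_DEBUG) modelled in user space, as an added example that is not part of this PR or of NetBSD's code; the `*_m` callout functions, `struct conn`, and the poison-and-quarantine `dbg_free()` standing in for MALLOC_DEBUG are all assumptions made for the model.

```c
/* Added example, not code from the PR or from NetBSD: a user-space model of the
 * failure the report describes. A timer owner is freed while its embedded callout is
 * still queued, so the next softclock pass reads freed memory. dbg_free() stands in
 * for MALLOC_DEBUG (which makes the freed block fault on access): it poisons and
 * quarantines the block so the stale callout is recognised. *_m names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define CALLOUT_MAGIC 0xca110017u   /* set by init, destroyed by poisoning */
struct callout { struct callout *c_next; void (*c_func)(void *); void *c_arg; uint32_t c_magic; };
struct conn { int id; struct callout timer; };  /* hypothetical owner, e.g. a socket */
static struct callout *timeouts;                /* pending list; one queue suffices here */
static void *quarantine[16];                    /* freed blocks are parked, never reused */
static int nq, fired;
static void callout_init_m(struct callout *c) { memset(c, 0, sizeof *c); c->c_magic = CALLOUT_MAGIC; }
static void callout_reset_m(struct callout *c, void (*f)(void *), void *a) {
    c->c_func = f; c->c_arg = a; c->c_next = timeouts; timeouts = c;
}
static void callout_stop_m(struct callout *c) {
    for (struct callout **pp = &timeouts; *pp != NULL; pp = &(*pp)->c_next)
        if (*pp == c) { *pp = c->c_next; return; }
}
static void dbg_free(void *p, size_t len) {
    memset(p, 0xdd, len);                       /* a later read sees 0xdd.., not a live callout */
    if (nq < 16) quarantine[nq++] = p;          /* else leaked: model only */
}
/* 1 = a queued callout's memory was freed under it (the condition behind the report's
 * data fault), 0 = every pending callout ran on live memory. */
static int callout_softclock_m(void) {
    struct callout *c = timeouts, *next; timeouts = NULL;
    for (; c != NULL; c = next) {
        if (c->c_magic != CALLOUT_MAGIC) return 1;  /* poisoned: c_next is garbage, stop */
        next = c->c_next;
        c->c_func(c->c_arg);
    }
    return 0;
}
static void conn_timeout(void *a) { fired += ((struct conn *)a)->id; }
/* stop_first == 0 reproduces the bug: owner freed with its callout still queued.
 * stop_first == 1 is the fix: callout_stop() before free(). */
static int scenario(int stop_first) {
    struct conn *a = malloc(sizeof *a), *b = malloc(sizeof *b);
    timeouts = NULL; fired = 0; nq = 0; a->id = 1; b->id = 2;
    callout_init_m(&a->timer); callout_init_m(&b->timer);
    callout_reset_m(&b->timer, conn_timeout, b);    /* queue order: a -> b */
    callout_reset_m(&a->timer, conn_timeout, a);
    if (stop_first) callout_stop_m(&b->timer);
    dbg_free(b, sizeof *b);
    int stale = callout_softclock_m(); free(a);
    return stale;
}
```

In the kernel the equivalent of `return 1` is the data fault in callout_softclock(); the model only differs in reporting the stale entry instead of trapping on it.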