tech-kern archive


Re: crash in pipe_create()



> It happened again. This time I got a crashdump:
> 
> #10 0xc0567b6f in panic (
>     fmt=0xc08699dc "kernel %sassertion \"%s\" failed: file \"%s\", line %d")
>     at ../../../../kern/subr_prf.c:274
> #11 0xc070df6b in __kernassert (t=0xc082933a "diagnostic ",
>     f=0xc082931d "../../../../kern/subr_pool.c", l=454,
>     e=0xc0829810 "ph == NULL || ((pp->pr_roflags & PR_PHINPAGE) != 0) || ((char *)ph->ph_page <= (char *)v && (char *)v < (char *)ph->ph_page + pp->pr_alloc->pa_pagesz)") at ../../../../../../lib/libkern/__assert.c:50

If your kernel was configured with DEBUG both times this panic occurred,
then the following change may help (not tested, though).  If there is an
allocation of size 4092 bytes via kmem_alloc and it is freed,
something wrong might happen later.

enami.

Index: subr_kmem.c
===================================================================
RCS file: /cvsroot/src/sys/kern/subr_kmem.c,v
retrieving revision 1.23
diff -u -r1.23 subr_kmem.c
--- subr_kmem.c 1 Feb 2009 18:51:07 -0000       1.23
+++ subr_kmem.c 6 Feb 2009 01:19:47 -0000
@@ -250,12 +250,13 @@
        kmem_poison_check((char *)p + size,
            kmem_roundup_size(size + REDZONE_SIZE) - size);
        kmem_poison_fill(p, size);
+       size += REDZONE_SIZE;
        if (size >= kmem_cache_min && size <= kmem_cache_max) {
                kc = &kmem_cache[(size + kmem_cache_mask) >> kmem_cache_shift];
                KASSERT(size <= kc->kc_pa.pa_pagesz);
                pool_cache_put(kc->kc_cache, p);
        } else {
-               vmem_free(kmem_arena, (vmem_addr_t)p, size + REDZONE_SIZE);
+               vmem_free(kmem_arena, (vmem_addr_t)p, size);
        }
 }
 
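Review bot: The new `size += REDZONE_SIZE` ahead of the `kmem_cache_min`/`kmem_cache_max` test only closes the mismatch if the allocation side picks between the pool cache and `kmem_arena` using the same redzone-adjusted size. That code is not in this hunk, so the two paths should be checked side by side, ideally by sharing one helper for the decision, since a size near the cache boundary (the 4092-byte case from the message) would otherwise still be freed to a different backend than it was allocated from. The increment also has to stay after `kmem_poison_check` and `kmem_poison_fill(p, size)`, which rely on the caller's original size; a one-line comment saying so would keep a later cleanup from moving it. Note that `KASSERT(size <= kc->kc_pa.pa_pagesz)` now checks the adjusted size as well, which looks intended but is worth stating in the commit message, and the change is posted as untested.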

