Re: data modified on freelist, tmpfs-related?

[Mark Kettenis]

> Date: Wed, 30 Apr 2014 13:39:20 +0100
> From: Stuart Henderson <st...@openbsd.org>
> 
> Seen when running e2fsprogs regression tests with /tmp on tmpfs

I'm not surprised; tmpfs contains some serious bugs.  I recommend not
using it until those are fixed.

> Data modified on freelist: word -35183628471970 of object 0xffff800000d36c00 
> size 0x400 previous type free (invalid addr 0xf40858de1f81cbe9)
> panic: Data modified on freelist: word 4 of object 0xffff800000d36c00 size 
> 0x400 previous type free (0x0 != 0xdeafbead)
> 
> Stopped at      Debugger+0x5:   leave   
> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
> IF RUNNING SMP, USE 'mach ddbcpu <#>' AND 'trace' ON OTHER PROCESSORS, TOO.
> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
> ddb{1}> Debugger() at Debugger+0x5
> panic() at panic+0xfe
> malloc() at malloc+0x697
> hashinit() at hashinit+0x3b
> uao_grow_hash() at uao_grow_hash+0x70
> tmpfs_reg_resize() at tmpfs_reg_resize+0xe4
> tmpfs_write() at tmpfs_write+0xfd
> VOP_WRITE() at VOP_WRITE+0x3f
> vn_write() at vn_write+0x98
> dofilewritev() at dofilewritev+0x1c5
> sys_write() at sys_write+0xaa
> syscall() at syscall+0x297
> --- syscall (number 4) ---
> end of kernel
> end trace frame: 0x7f7ffffcfd50, count: -12
> 0xb25a740770a:
> ddb{1}> ds                             0x296
> es                            0x6930
> fs                            0x6900
> gs                            0xd1ee
> rdi                              0x1
> rsi                            0x296
> rbp               0xffff800033276920
> rbx               0xffffffff817dac70    seltrue_filtops+0xa10
> rdx                                0
> rcx               0xffff8000001c7000
> rax                              0x1
> r8                0xffff800033276840
> r9                                 0
> r10                                0
> r11                                0
> r12                            0x100
> r13               0xffff800033276930
> r14                              0xa
> r15                              0x5
> rip               0xffffffff813403e5    Debugger+0x5
> cs                               0x8
> rflags                         0x202
> rsp               0xffff800033276920
> ss                              0x10
> Debugger+0x5:   leave   
> 
> The end of the dmesg buffer was overwritten by kernel output from
> the following boot, but I have screenshots of bcstats, uvmexp and
> the first page of ps output (active process is gunzip) here:
> 
> https://drive.google.com/folderview?id=0B8t-sinTZPnucERodGdCcTc2Mmc&usp=sharing
> 
> OpenBSD 5.5-current (GENERIC.MP) #6: Sun Apr 27 14:42:50 BST 2014
>     st...@bamboo.spacehopper.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8451125248 (8059MB)
> avail mem = 8217436160 (7836MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdae9c000 (66 entries)
> bios0: vendor LENOVO version "8DET63WW (1.33 )" date 07/19/2012
> bios0: LENOVO 4287CTO
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP SLIC SSDT SSDT SSDT HPET APIC MCFG ECDT ASF! TCPA 
> SSDT SSDT UEFI UEFI UEFI
> acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP4(S4) EXP7(S4) EHC1(S3) 
> EHC2(S3) HDEF(S4)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz, 2791.30 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz, 2790.94 MHz
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 1, core 0, package 0
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz, 2790.94 MHz
> cpu2: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 1, package 0
> cpu3 at mainbus0: apid 3 (application processor)
> cpu3: Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz, 2790.94 MHz
> cpu3: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 1, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
> acpimcfg0 at acpi0 addr 0xf8000000, bus 0-63
> acpiec0 at acpi0
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus -1 (PEG_)
> acpiprt2 at acpi0: bus 2 (EXP1)
> acpiprt3 at acpi0: bus 3 (EXP2)
> acpiprt4 at acpi0: bus 5 (EXP4)
> acpiprt5 at acpi0: bus 13 (EXP5)
> acpiprt6 at acpi0: bus 14 (EXP7)
> acpicpu0 at acpi0: C3, C1, PSS
> acpicpu1 at acpi0: C3, C1, PSS
> acpicpu2 at acpi0: C3, C1, PSS
> acpicpu3 at acpi0: C3, C1, PSS
> acpipwrres0 at acpi0: PUBS, resource for EHC1, EHC2
> acpitz0 at acpi0: critical temperature is 99 degC
> acpibtn0 at acpi0: LID_
> acpibtn1 at acpi0: SLPB
> acpibat0 at acpi0: BAT0 model "42T4861" serial 12519 type LION oem "SANYO"
> acpibat1 at acpi0: BAT1 not present
> acpiac0 at acpi0: AC unit online
> acpithinkpad0 at acpi0
> acpidock0 at acpi0: GDCK not docked (0)
> cpu0: Enhanced SpeedStep 2791 MHz: speeds: 2801, 2800, 2600, 2400, 2200, 
> 2000, 1800, 1600, 1400, 1200, 1000, 800 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
> vga1 at pci0 dev 2 function 0 "Intel HD Graphics 3000" rev 0x09
> intagp0 at vga1
> agp0 at intagp0: aperture at 0xe0000000, size 0x10000000
> inteldrm0 at vga1
> drm0 at inteldrm0
> inteldrm0: 1366x768
> wsdisplay0 at vga1 mux 1: console (std, vt100 emulation)
> wsdisplay0: screen 1-5 added (std, vt100 emulation)
> "Intel 6 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
> em0 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x04: msi, address 
> f0:de:f1:f9:a7:52
> ehci0 at pci0 dev 26 function 0 "Intel 6 Series USB" rev 0x04: apic 2 int 16
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
> azalia0 at pci0 dev 27 function 0 "Intel 6 Series HD Audio" rev 0x04: msi
> azalia0: codecs: Conexant/0x506e, Intel/0x2805, using Conexant/0x506e
> audio0 at azalia0
> ppb0 at pci0 dev 28 function 0 "Intel 6 Series PCIE" rev 0xb4: msi
> pci1 at ppb0 bus 2
> ppb1 at pci0 dev 28 function 1 "Intel 6 Series PCIE" rev 0xb4: msi
> pci2 at ppb1 bus 3
> iwn0 at pci2 dev 0 function 0 "Intel Centrino Advanced-N 6205" rev 0x34: msi, 
> MIMO 2T2R, MoW, address 8c:70:5a:62:b7:f8
> ppb2 at pci0 dev 28 function 3 "Intel 6 Series PCIE" rev 0xb4: msi
> pci3 at ppb2 bus 5
> ppb3 at pci0 dev 28 function 4 "Intel 6 Series PCIE" rev 0xb4: msi
> pci4 at ppb3 bus 13
> sdhc0 at pci4 dev 0 function 0 "Ricoh 5U822 SD/MMC" rev 0x07: apic 2 int 16
> sdmmc0 at sdhc0
> ppb4 at pci0 dev 28 function 6 "Intel 6 Series PCIE" rev 0xb4: msi
> pci5 at ppb4 bus 14
> "NEC xHCI" rev 0x04 at pci5 dev 0 function 0 not configured
> ehci1 at pci0 dev 29 function 0 "Intel 6 Series USB" rev 0x04: apic 2 int 23
> usb1 at ehci1: USB revision 2.0
> uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
> pcib0 at pci0 dev 31 function 0 "Intel QM67 LPC" rev 0x04
> ahci0 at pci0 dev 31 function 2 "Intel 6 Series AHCI" rev 0x04: msi, AHCI 1.3
> scsibus1 at ahci0: 32 targets
> sd0 at scsibus1 targ 0 lun 0: <ATA, HITACHI HTS72323, EC2Z> SCSI3 0/direct 
> fixed naa.5000cca6d4d8a0f2
> sd0: 305245MB, 512 bytes/sector, 625142448 sectors
> sd1 at scsibus1 targ 2 lun 0: <ATA, OCZ-NOCTI, 2.25> SCSI3 0/direct fixed 
> naa.5e83a97e555f7072
> sd1: 57241MB, 512 bytes/sector, 117231408 sectors, thin
> ichiic0 at pci0 dev 31 function 3 "Intel 6 Series SMBus" rev 0x04: apic 2 int 
> 18
> iic0 at ichiic0
> spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-10600 SO-DIMM
> spdmem1 at iic0 addr 0x51: 4GB DDR3 SDRAM PC3-10600 SO-DIMM
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> aps0 at isa0 port 0x1600/31
> uhub2 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
> uhub3 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> root on sd1a (5b1b292fa70c813b.a) swap on sd1b dump on sd1b
> WARNING: / was not properly unmounted
> 
>