[prev in list] [next in list] [prev in thread] [next in thread]
List: openbsd-bugs
Subject: system/3007: VLAN interfaces cause 'Data modified on freelist' errors/panic
From: Jason Ackley <jason () ackley ! net>
Date: 2002-11-30 17:59:10
[Download RAW message or body]
> Number: 3007
> Category: system
> Synopsis: VLAN interfaces cause 'Data modified on freelist' errors/panic
> Confidential: no
> Severity: serious
> Priority: medium
> Responsible: bugs
> State: open
> Quarter:
> Keywords:
> Date-Required:
> Class: sw-bug
> Submitter-Id: net
> Arrival-Date: Sun Dec 01 12:03:34 MST 2002
> Closed-Date:
> Last-Modified:
> Originator: Jason Ackley
> Release: if_vlan.c 1.32 if_vlan_var.h 1.8
> Organization:
net
> Environment:
System : OpenBSD 3.2-current
Architecture: OpenBSD.i386
Machine : i386
> Description:
When configuring vlan interfaces, malloc errors appear on the
console. The system becomes unstable and eventually panics (in
random locations).
Example console errors:
Data modified on freelist: word 0 of object 0xd0fa1840 size 0x14
previous type free (0x1000000 != 0xdeadbeef)
Data modified on freelist: word 0 of object 0xd0e8c460 size 0x1c
previous type free (0x5d8b01ff != 0xdeadbeef)
Data modified on freelist: word 0 of object 0xd0fa3ca0 size 0x20
previous type free (0x1000000 != 0xdeadbeef)
Data modified on freelist: word 0 of object 0xd0fa3ce0 size 0x20
previous type free (0x572ab3cd != 0xdeadbeef)
The machine eventually panics, some examples:
[...]
Nov 30 08:04:26 twizzler su: jason to root on /dev/ttyp0
Data modified on freelist: word 0 of object 0xd0fa1840 size 0x14 previous type free \
(0x1000000 != 0xdeadbeef)
kernel: page fault trap, code=0
Stopped at _nd6_timer+0x80: movl 0(%ebx),%edx
ddb> ps
PID PPID PGRP UID S FLAGS WAIT COMMAND
27080 8750 27080 0 3 0x4086 ttyin bash
8750 6061 8750 100 3 0x4086 wait bash
6061 26019 26019 100 3 0x184 select sshd
26019 13676 26019 0 3 0x84 netio sshd
13706 1 13706 0 3 0x4086 ttyin getty
7351 1 7351 0 3 0x4086 ttyin getty
455 1 455 0 3 0x4086 ttyin getty
19602 1 19602 0 3 0x4086 ttyin getty
10144 1 10144 0 3 0x4086 ttyin getty
15432 1 15432 0 3 0x40184 select sendmail
31551 1 31551 0 3 0x84 select cron
13676 1 13676 0 3 0x84 select sshd
13281 1 13281 0 3 0x84 select syslogd
14743 1 14743 0 3 0x84 mfsidl mount_mfs
8 0 0 0 3 0x100204 usbevt usb0
7 0 0 0 3 0x100204 crypto_wa crypto
6 0 0 0 3 0x100204 aiodoned aiodoned
5 0 0 0 3 0x100204 syncer update
4 0 0 0 3 0x100204 cleaner cleaner
3 0 0 0 3 0x100204 reaper reaper
2 0 0 0 3 0x100204 pgdaemon pagedaemon
1 0 1 0 3 0x4084 wait init
0 -1 0 0 3 0x80204 scheduler swapper
ddb> trace
_nd6_timer(0,d044dca5,e7d51d60,e7cba004) at _nd6_timer+0x80
_softclock(10,10,e7cba004,e7cba004,e7d51de8) at _softclock+0x1fe
Bad frame pointer: 0xe7d51d5c
ddb>
[...]
standard daemons: cron.
Sat Nov 30 08:23:23 PST 2002
Data modified on freelist: word 0 of object 0xd0fa2a20 size 0x14 previous type free \
(0x1000000 != 0xdeadbeef) Data modified on freelist: word 0 of object 0xd0e8b3c0 size \
0x20 previous type free (0x572ab3cd != 0xdeadbeef) Data modified on freelist: word 0 \
of object 0xd0fa2a40 size 0x20 previous type free (0x1000000 != 0xdeadbeef) Data \
modified on freelist: word 0 of object 0xd0fa2760 size 0x20 previous type free \
(0x1000000 != 0xdeadbeef) Data modified on freelist: word 0 of object 0xd0fa2220 size \
0x20 previous type free (0x572ab3cd != 0xdeadbeef) Data modified on freelist: word 0 \
of object 0xd0fa2280 size 0x20 previous type free (0x572ab3cd != 0xdeadbeef) Data \
modified on freelist: word 0 of object 0xd0fa2c40 size 0x20 previous type free \
(0x5d8b01ff != 0xdeadbeef)
kernel: page fault trap, code=0
Stopped at _nd6_timer+0x80: movl 0(%ebx),%edx
ddb> ps
PID PPID PGRP UID S FLAGS WAIT COMMAND
308 26811 308 100 3 0x4086 ttyin bash
26811 5734 5734 100 3 0x184 select sshd
5734 31193 5734 0 3 0x84 netio sshd
26892 1 26892 0 3 0x4086 ttyin getty
28928 1 28928 0 3 0x4086 ttyin getty
20976 1 20976 0 3 0x4086 ttyin getty
4225 1 4225 0 3 0x4086 ttyin getty
11314 1 11314 0 3 0x4086 ttyin getty
25625 1 25625 0 3 0x40184 select sendmail
3405 1 3405 0 3 0x84 select cron
31193 1 31193 0 3 0x84 select sshd
10909 1 10909 0 3 0x84 select syslogd
1614 1 1614 0 3 0x84 mfsidl mount_mfs
8 0 0 0 3 0x100204 usbevt usb0
7 0 0 0 3 0x100204 crypto_wa crypto
6 0 0 0 3 0x100204 aiodoned aiodoned
5 0 0 0 3 0x100204 syncer update
4 0 0 0 3 0x100204 cleaner cleaner
3 0 0 0 3 0x100204 reaper reaper
2 0 0 0 3 0x100204 pgdaemon pagedaemon
1 0 1 0 3 0x4084 wait init
0 -1 0 0 3 0x80204 scheduler swapper
ddb> trace
_nd6_timer(0,d044dca5,e7d56c20,e7cba9e4) at _nd6_timer+0x80
_softclock(10,e7d50010,e7cba9e4,e7cba9e4,e7d56ca8) at _softclock+0x1fe
Bad frame pointer: 0xe7d56c1c
ddb>
Sometimes it will panic if you try a 'reboot':
Sat Nov 30 08:12:13 PST 2002
Data modified on freelist: word 0 of object 0xd0faaae0 size 0x20 previous type free \
(0x572ab3cd != 0xdeadbeef) Data modified on freelist: word 0 of object 0xd0faa840 \
size 0x20 previous type free (0x572ab3cd != 0xdeadbeef) Data modified on freelist: \
word 0 of object 0xd0faa660 size 0x20 previous type free (0x5d8b01ff != 0xdeadbeef) \
Nov 30 08:20:54 twizzl/etc/rc.shutdown in progress...
/etc/rc.shutdown complete.
uvm_fault(0xd052aac0, 0x572ab000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at _amap_wipeout+0x24: movl 0(%eax),%edx
ddb> ps
PID PPID PGRP UID S FLAGS WAIT COMMAND
3649 28101 3649 0 2 0x4006 reboot
28101 1 28101 100 2 0x4086 bash
29191 1 29191 0 2 0x4086 getty
2483 1 2483 0 2 0x4086 getty
22327 1 22327 0 2 0x4086 getty
26329 1 26329 0 2 0x4086 getty
30159 1 30159 0 2 0x4086 getty
6794 1 6794 0 2 0x40184 sendmail
31932 1 31932 0 2 0x84 cron
18996 1 18996 0 2 0x84 sshd
3324 1 3324 0 2 0x84 syslogd
7842 1 7842 0 2 0x84 mount_mfs
8 0 0 0 3 0x100204 usbevt usb0
7 0 0 0 3 0x100204 crypto_wa crypto
6 0 0 0 3 0x100204 aiodoned aiodoned
5 0 0 0 3 0x100204 syncer update
4 0 0 0 3 0x100204 cleaner cleaner
* 3 0 0 0 2 0x100204 reaper
2 0 0 0 3 0x100204 pgdaemon pagedaemon
1 0 1 0 2 0x4084 init
0 -1 0 0 3 0x80204 scheduler swapper
7702 18996 7702 0 6 0x2004 sshd
17244 1 7702 100 5 0x2100 sshd
ddb> trace
_amap_wipeout(e7d462fc,e,e7c76ea4,d01d0598,e7d453d0) at _amap_wipeout+0x24
_amap_unref(e7d462fc,0,6,0) at _amap_unref+0x23
_uvm_unmap_detach(e7d45320,0,cfbfe000,e7c76f10) at _uvm_unmap_detach+0x57
_uvmspace_free(e7c70774,52c7f,e7c76f44,d01c9d31,e7cb94f4) at _uvmspace_free+0xd
8
_uvm_exit(e7cb94f4,4,e7c76f84,d01bfd95,e7cb94f4,14,0,0) at _uvm_exit+0x1c
_reaper(0,0,d061fe88,d010034b,e7c6d278) at _reaper+0x5a
_start_reaper(e7c6d278) at _start_reaper+0xb
Bad frame pointer: 0xd061fe88
ddb>
> How-To-Repeat:
Using a GENERIC -current kernel config, bring up a
vlan interfaces. (I used fxp(4) parent interfaces)
Sometimes it takes a while to cause the error message
to appear, you may need to bump the number of vlan interfaces
in the kernel to 4 or more.
I have been able to reproduce this on 2 i386 machines. (one
running GENERIC, one running non-GENERIC).
> Fix:
Rolling if_vlan.c back to 1.31 and if_vlan_var.h to 1.7
appear to fix this problem, I was able to configure 8
vlan interfaces without any problems or error messages
(change made to GENERIC with config -e)
??Appears to be related to the import of the NetBSD vlan
multicast code?? I tried this with vlans that have multicast
traffic (VRRP) and without any traffic (just STP frames)
Machine can be rebooted anytime to test out patches/diffs etc.
> Release-Note:
> Audit-Trail:
> Unformatted:
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic