From nobody@FreeBSD.org  Mon May 28 15:17:19 2012
Message-Id: <201205281517.q4SFHI8n022132@red.freebsd.org>
Date: Mon, 28 May 2012 15:17:18 GMT
From: Peter Holm <pho@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [vm] [panic] uma_find_refcnt(): zone possibly not UMA_ZONE_REFCNT
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         168411
>Category:       kern
>Synopsis:       [vm] [panic] uma_find_refcnt(): zone possibly not UMA_ZONE_REFCNT
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 28 15:20:02 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Peter Holm
>Release:        Current
>Organization:
>Environment:
FreeBSD x4.osted.lan 10.0-CURRENT FreeBSD 10.0-CURRENT #3 r235885M: Mon May 28 13:08:23 CEST 2012     pho@x4.osted.lan:/usr/src/sys/i386/compile/MEMGUARD  i386
>Description:
Memory modified after free 0xc7c07000(4096) val=0 @ 0xc7c07000
panic: uma_find_refcnt(): zone possibly not UMA_ZONE_REFCNT
cpuid = 1
KDB: enter: panic
[ thread pid 1202 tid 100126 ]
Stopped at      kdb_enter+0x3a: movl    $0,kdb_why
db> bt
Tracing pid 1202 tid 100126 td 0xce5065c0
kdb_enter(c0fd42cc,c0fd42cc,c100f113,f27efa04,1,...) at kdb_enter+0x3a
panic(c100f113,ce9e9800,1000,f27efa34,c0a7351c,...) at panic+0x18c
uma_find_refcnt(c1ba9b60,c7c07000,ce9e9800,2,3,...) at uma_find_refcnt+0x71
mb_ctor_clust(c7c07000,1000,ce9e9800,2,c0ad7284,...) at mb_ctor_clust+0xbc
uma_zalloc_arg(c1ba9b60,ce9e9800,2,500001,0,...) at uma_zalloc_arg+0xd7
m_getm2(0,d70,2,1,0,...) at m_getm2+0xca
m_uiotombuf(f27efc1c,2,d70,0,0,...) at m_uiotombuf+0x77
sosend_generic(ce8a19c0,0,f27efc1c,0,0,...) at sosend_generic+0x432
sosend(ce8a19c0,0,f27efc1c,0,0,...) at sosend+0x3f
soo_write(ce539c78,f27efc1c,ceea1880,0,ce5065c0,...) at soo_write+0x63
dofilewrite(f27efc1c,ffffffff,ffffffff,0,f27efbf8,...) at dofilewrite+0x95
kern_writev(ce5065c0,3,f27efc1c,f27efc3c,1,...) at kern_writev+0x68
sys_write(ce5065c0,f27efccc,c102843c,c0fdcd77,c10299f0,...) at sys_write+0x4f
syscall(f27efd08) at syscall+0x2fe

during a simple "ls -lR /tmp" over ssh.

More details @ http://people.freebsd.org/~pho/stress/log/memguard3.txt

>How-To-Repeat:
Compile kernel with:

$ cat /usr/src/sys/i386/conf/MEMGUARD 
include GENERIC

ident           PHO-GENERIC

options         BREAK_TO_DEBUGGER
options         SW_WATCHDOG
options         DEBUG_LOCKS
options         DEBUG_VFS_LOCKS
options         DIAGNOSTIC

options         DEBUG_MEMGUARD
options         DEBUG_REDZONE
$ 

Perform "sysctl vm.memguard.options=7"

Run "ls -lR /tmp" over ssh
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
