From fortinde@dmr.ca  Mon Jan 22 06:46:29 1996
Received: from poterne.mtl.dmr.ca (poterne.mtl.dmr.ca [198.168.83.201])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id GAA17206
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Jan 1996 06:46:24 -0800 (PST)
Received: (from fortinde@localhost) by poterne.mtl.dmr.ca (8.6.11/8.6.6a) id JAA02908; Mon, 22 Jan 1996 09:46:13 -0500
Message-Id: <199601221446.JAA02908@poterne.mtl.dmr.ca>
Date: Mon, 22 Jan 1996 09:46:13 -0500
From: Denis.Fortin@dmr.ca
Reply-To: fortin@zap.qc.ca
To: FreeBSD-gnats-submit@freebsd.org
Subject: 2.0.5 daily crash: multiple frees in if_ppp.c
X-Send-Pr-Version: 3.2

>Number:         965
>Category:       kern
>Synopsis:       2.0.5: system crashes daily because of "multiple frees" in if_ppp.c
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bde
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jan 22 06:50:01 PST 1996
>Closed-Date:    Sat Apr 11 03:41:08 PDT 1998
>Last-Modified:  Sat Apr 11 03:41:32 PDT 1998
>Originator:     Denis Fortin
>Release:        FreeBSD 2.0-BUILT-19950603 i386
>Organization:
DMR Group Inc, +1 (514) 877-3301
>Environment:

	Internet gateway used daily by 250 people for PPP and SLIP connections
	connections (about 150 connections/day).  System has 8 modems available
	on a BocaBoard BB-2016 multi-port board, and the connections traffic
	is regular (i.e. people keep coming and going constantly).

	System is a 80486 @ 33MHz with 64MB RAM and 2 GB disk space; here
	is the output from 'dmesg':

	--->>> CUT HERE <<<---
	FreeBSD 2.0.5-RELEASE #0: Wed Jan  3 09:39:27 EST 1996
	    fortinde@poterne.mtl.dmr.ca:/usr/src/sys/compile/DMR
	CPU: i486DX (486-class CPU)
	real memory  = 66715648 (16288 pages)
	avail memory = 63037440 (15390 pages)
	Probing for devices on the ISA bus:
	sc0 at 0x60-0x6f irq 1 on motherboard
	sc0: VGA color <16 virtual consoles, flags=0x0>
	ed0 at 0x280-0x29f irq 10 on isa
	ed0: address 00:00:1b:4a:89:27, type NE2000 (16 bit) 
	ed1 at 0x300-0x30f irq 5 maddr 0xd8000 msize 8192 on isa
	ed1: address 02:60:8c:45:44:e7, type 3c503 (8 bit) 
	sio0 at 0x3f8-0x3ff irq 4 on isa
	sio0: type 16550A
	sio1 at 0x2f8-0x2ff irq 3 on isa
	sio1: type 16550A
	sio2 at 0x100-0x107 flags 0x1105 on isa
	sio2: type 16550A (multiport)
	sio3 at 0x108-0x10f flags 0x1105 on isa
	sio3: type 16550A (multiport)
	sio4 at 0x110-0x117 flags 0x1105 on isa
	sio4: type 16550A (multiport)
	sio5 at 0x118-0x11f flags 0x1105 on isa
	sio5: type 16550A (multiport)
	sio6 at 0x120-0x127 flags 0x1105 on isa
	sio6: type 16550A (multiport)
	sio7 at 0x128-0x12f flags 0x1105 on isa
	sio7: type 16550A (multiport)
	sio8 at 0x130-0x137 flags 0x1105 on isa
	sio8: type 16550A (multiport)
	sio9 at 0x138-0x13f flags 0x1105 on isa
	sio9: type 16550A (multiport)
	sio10 at 0x140-0x147 flags 0x1105 on isa
	sio10: type 16550A (multiport)
	sio11 at 0x148-0x14f flags 0x1105 on isa
	sio11: type 16550A (multiport)
	sio12 at 0x150-0x157 flags 0x1105 on isa
	sio12: type 16550A (multiport)
	sio13 at 0x158-0x15f flags 0x1105 on isa
	sio13: type 16550A (multiport)
	sio14 at 0x160-0x167 flags 0x1105 on isa
	sio14: type 16550A (multiport)
	sio15 at 0x168-0x16f flags 0x1105 on isa
	sio15: type 16550A (multiport)
	sio16 at 0x170-0x177 flags 0x1105 on isa
	sio16: type 16550A (multiport)
	sio17 at 0x178-0x17f irq 12 flags 0x1105 on isa
	sio17: type 16550A (multiport master)
	lpt0 at 0x378-0x37f irq 7 on isa
	lpt0: Interrupt-driven port
	lp0: TCP/IP capable interface
	lpt1 at 0x278-0x27f on isa
	lpt2 not found at 0xffffffff
	fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
	fdc0: NEC 72065B
	fd0: 1.44MB 3.5in
	wdc0 not found at 0x1f0
	ahb0: reading board settings, int=11
	ahb0 at 0x1000-0x10ff irq 11 on eisa slot 1
	ahb0 waiting for scsi devices to settle
	(ahb0:0:0): "MICROP 1598-15MD1066701 DD24" type 0 fixed SCSI 1
	sd0(ahb0:0:0): Direct-Access 991MB (2031554 512 byte sectors)
	(ahb0:1:0): "MICROP 1598-15MD1066701 DD24" type 0 fixed SCSI 1
	sd1(ahb0:1:0): Direct-Access 991MB (2031554 512 byte sectors)
	(ahb0:2:0): "TANDBERG  TDC 3800 -03:" type 1 removable SCSI 1
	st0(ahb0:2:0): Sequential-Access density code 0x0,  drive empty
	scd0 not found at 0x230
	npx0 on motherboard
	npx0: INT 16 interface
	changing root device to sd0a
	--->>> CUT HERE <<<---

>Description:

	System crashes a few times a week (2-5) and reboots.  This is Most 
	Annoying since the BB-2016 then seems to require a manual "shutdown -r"
	about 50% of the time or it isn't properly reset (i.e. the machine 
	stops answering the phone).

	Finally got a crashdump and produced the following traceback info

	--->>> CUT HERE <<<---
	GDB is free software and you are welcome to distribute copies of it
	 under certain conditions; type "show copying" to see the conditions.
	There is absolutely no warranty for GDB; type "show warranty" for details.
	GDB 4.13 (i386-unknown-freebsd), 
	Copyright 1994 Free Software Foundation, Inc...
	IdlePTD 1f0000
	current pcb at 1c3f70
	panic: free: multiple frees
	#0  boot (arghowto=256) at ../../i386/i386/machdep.c:870
	870				dumppcb.pcb_ptd = rcr3();
	(kgdb) bt
	#0  boot (arghowto=256) at ../../i386/i386/machdep.c:870
	#1  0xf0112843 in panic (fmt=0xf010b9b2 "free: multiple frees")
	    at ../../kern/subr_prf.c:128
	#2  0xf010ba93 in free (addr=0xf1520180, type=1)
	    at ../../kern/kern_malloc.c:337
	#3  0xf013582e in pppstart (tp=0xf01c23e4) at ../../net/if_ppp.c:1028
	#4  0xf01a84fc in siopoll () at ../../i386/isa/sio.c:1569
	#5  0xf018e667 in doreti_swi ()
	#6  0xf019688c in cpu_switch ()
	(kgdb) up
	#1  0xf0112843 in panic (fmt=0xf010b9b2 "free: multiple frees")
	    at ../../kern/subr_prf.c:128
	128		boot(bootopt);
	(kgdb) up
	#2  0xf010ba93 in free (addr=0xf1520180, type=1)
	    at ../../kern/kern_malloc.c:337
	337				panic("free: multiple frees");
	(kgdb) l
	332	#endif /* DIAGNOSTIC */
	333	#ifdef KMEMSTATS
	334		kup->ku_freecnt++;
	335		if (kup->ku_freecnt >= kbp->kb_elmpercl)
	336			if (kup->ku_freecnt > kbp->kb_elmpercl)
	337				panic("free: multiple frees");
	338			else if (kbp->kb_totalfree > kbp->kb_highwat)
	339				kbp->kb_couldfree++;
	340		kbp->kb_totalfree++;
	341		ksp->ks_memuse -= size;
	(kgdb) info locals
	kbp = (struct kmembuckets *) 0xf01dc65c
	kup = (struct kmemusage *) 0xf0f34794
	freep = (struct freelist *) 0xf1520180
	size = 0
	s = -1073676288
	ksp = (struct kmemstats *) 0xf01dd114
	(kgdb) quit
	--->>> CUT HERE <<<---

>How-To-Repeat:

	Just letting the system run seems to produce the problem almost
	daily (but not quite).

>Fix:
	
	No workaround known.  Now that I know that the problem is in
	if_ppp.c, I might try looking around in there.
>Release-Note:
>Audit-Trail:

From: Nate Williams <nate@sri.MT.net>
To: fortin@zap.qc.ca
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/965: 2.0.5 daily crash: multiple frees in if_ppp.c
Date: Mon, 22 Jan 1996 10:34:29 -0700

 > >Number:         965
 > >Category:       kern
 > >Synopsis:       2.0.5: system crashes daily because of "multiple frees" in if_ppp.c
 
 Can you upgrade this box to 2.1?  I'm running a 2.1 box with 2 full-time
 PPP connections (one incoming, one outgoing) and it had a 30+ day uptime
 until I rebooted it to install the arp-patch Bill Fenner made Friday.
 
 2.1 has worked very well for me, but I'm also not seeing the kind of
 loads you're seeing.
 
 
 Nate

From: Bruce Evans <bde@zeta.org.au>
To: Denis.Fortin@dmr.ca, FreeBSD-gnats-submit@freebsd.org
Cc:  Subject: Re: kern/965: 2.0.5 daily crash: multiple frees in if_ppp.c
Date: Tue, 23 Jan 1996 08:24:24 +1100

 >	System crashes a few times a week (2-5) and reboots.  This is Most 
 
 This may be fixed in rev.1.12 (1995/10/30) of spl.h which is in -stable.
 See also PR 798.
 
 >	Annoying since the BB-2016 then seems to require a manual "shutdown -r"
 >	about 50% of the time or it isn't properly reset (i.e. the machine 
 >	stops answering the phone).
 
 This is probably caused by some of the devices on the BB being active at
 crash time and warm boots not resetting them.  The UART IRQs are ORed
 together, so they must all be inactive or all except one must be
 disconnected for that one to be probed.  Since they aren't disconnected
 until they are probed, the probes sometimes fail.  This was fixed for
 some multiport boards (probably for BB's and not for AST's) in rev.1.123
 (1995/11/29) of sio.c but isn't fixed in -stable.
 
 Possible workaround:
 Repeat all probes by duplicating the block of 16 BB config lines in your
 kernel config file.
 
 Bruce
State-Changed-From-To: open->analyzed 
State-Changed-By: pst 
State-Changed-When: Wed Feb 7 16:05:33 PST 1996 
State-Changed-Why:  
Bruce, your comment is that this hasn't made it into stable. 
Should it be placed in stable? 
What about fixing AST cards? 


Responsible-Changed-From-To: freebsd-bugs->bde 
Responsible-Changed-By: pst 
Responsible-Changed-When: Wed Feb 7 16:05:33 PST 1996 
Responsible-Changed-Why:  
State-Changed-From-To: analyzed->closed 
State-Changed-By: phk 
State-Changed-When: Sat Apr 11 03:41:08 PDT 1998 
State-Changed-Why:  
dead PR. 
>Unformatted:
