Bug 83761

Summary: [panic] vm-related panic: blst_radix_free: freeing free block
Product: Base System Reporter: Nick Johnson <freebsd>
Component: kernAssignee: Alan Cox <alc>
Status: Closed FIXED    
Severity: Affects Many People CC: cem, markj
Priority: Normal Keywords: crash
Version: CURRENT   
Hardware: Any   
OS: Any   
URL: https://svnweb.freebsd.org/base?view=revision&revision=r340914

Description Nick Johnson 2005-07-20 02:50:21 UTC 
Not sure what happened here, but the box crashed when I exited a vim session that had been running (stopped) for 
a few weeks.  I use vm.swap_enabled, so the entire process was likely swapped out and would have swapped in and then 
been freed after I exited.  From the look of the stack trace, the crash occurred during process exit.

Fortunately I have dumpon in use, although my kernel has no debugging symbols.  Here's the pertinent information from gdb -k:

IdlePTD at physical address 0x0033e000
initial pcb at physical address 0x002a7c00

panicstr: blst_radix_free: freeing free block
panic messages:
---
panic: blst_radix_free: freeing free block

(kgdb) bt
#0  0xc015c81e in dumpsys ()
#1  0xc015c5ef in boot ()
#2  0xc015ca2d in panic ()
#3  0xc0169f53 in blst_leaf_free ()
#4  0xc016a04c in blst_meta_free ()
#5  0xc016a06f in blst_meta_free ()
#6  0xc016a06f in blst_meta_free ()
#7  0xc016a06f in blst_meta_free ()
#8  0xc0169cd2 in blist_free ()
#9  0xc020466a in swp_pager_meta_free_all ()
#10 0xc0203232 in swap_pager_dealloc ()
#11 0xc020fc0f in vm_pager_deallocate ()
#12 0xc020b224 in vm_object_terminate ()
#13 0xc020b0c0 in vm_object_deallocate ()
#14 0xc0208390 in vm_map_entry_delete ()
#15 0xc0208549 in vm_map_delete ()
#16 0xc02085d6 in vm_map_remove ()
#17 0xc01542e4 in exit1 ()
#18 0xc01540b8 in exit1 ()
#19 0xc0236199 in syscall2 ()
#20 0xc0229a75 in Xint0x80_syscall ()
Cannot access memory at address 0xbfbfee90.

Fix: 

Unknown.
How-To-Repeat: 	Unknown.  This is the first time I've witnessed this on this machine in
	3+ years of operation.
Comment 1 K. Macy freebsd_committer freebsd_triage 2007-11-16 01:43:11 UTC 
State Changed
From-To: open->feedback


This is likely stale and 4.x is EOL.
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2008-03-02 02:30:51 UTC 
State Changed
From-To: feedback->closed

Feedback timeout (> 3 months).
Comment 3 Conrad Meyer freebsd_committer freebsd_triage 2018-12-13 07:52:14 UTC 
I hit apparently the same stack and panic in FreeBSD-CURRENT 13.x, r340866.

panic: freeing free block
panic() at panic+0x3c/frame 0xfffffe00b4a59600
blst_meta_free() at blst_meta_free+0x12a/frame 0xfffffe00b4a59640
blst_meta_free() at blst_meta_free+0xd3/frame 0xfffffe00b4a59680
blst_meta_free() at blst_meta_free+0xd3/frame 0xfffffe00b4a596c0
blst_meta_free() at blst_meta_free+0xd3/frame 0xfffffe00b4a59700
blist_free() at blist_free+0x28/frame 0xfffffe00b4a59720
swp_pager_freeswapspace() at swp_pager_freeswapspace+0x102/frame 0xfffffe00b4a59740
swap_pager_dealloc() at swap_pager_dealloc+0x150/frame 0xfffffe00b4a59760
vm_object_terminate() at vm_object_terminate+0x58/frame 0xfffffe00b4a597a0
vm_object_deallocate() at vm_object_deallocate+0x588/frame 0xfffffe00b4a59820
vm_map_entry_deallocate() at vm_map_entry_deallocate+0x44/frame 0xfffffe00b4a59850
vm_map_process_deferred() at vm_map_process_deferred+0x3d/frame 0xfffffe00b4a59870
vm_map_remove() at vm_map_remove+0x48/frame 0xfffffe00b4a598a0
vmspace_exit() at vmspace_exit+0x1c4/frame 0xfffffe00b4a598f0
exit1() at exit1+0x4b5/frame 0xfffffe00b4a59970
sigexit() at sigexit+0x7f/frame 0xfffffe00b4a599a0
postsig() at postsig+0x31d/frame 0xfffffe00b4a59a70
ast() at ast+0x2e7/frame 0xfffffe00b4a59ab0
doreti_ast() at doreti_ast+0x1f/frame 0x7ffffffe0a70

For what it's worth, the system was out of memory at the time and the OOM killer may have been involved.  Still, this is probably not an acceptable outcome.  I have a core and can provide GDB information as-needed, but probably not the core unredacted contents.
Comment 4 Conrad Meyer freebsd_committer freebsd_triage 2018-12-13 08:00:07 UTC 
Notably, my repro is before r341766.  But that commit message does not make it obvious whether or not it is fixing a known panic.
Comment 5 Conrad Meyer freebsd_committer freebsd_triage 2018-12-13 08:01:19 UTC 
#3  0xffffffff80bc8edc in panic (fmt=<optimized out>) at /usr/home/conrad/src/freebsd/sys/kern/kern_shutdown.c:804
#4  0xffffffff80c01aea in blst_leaf_free (scan=<optimized out>, count=<optimized out>, blk=<optimized out>) at /usr/home/conrad/src/freebsd/sys/kern/subr_blist.c:828
#5  blst_meta_free (scan=<optimized out>, freeBlk=<optimized out>, count=<optimized out>, radix=<optimized out>) at /usr/home/conrad/src/freebsd/sys/kern/subr_blist.c:857
#6  0xffffffff80c01a93 in blst_meta_free (scan=<optimized out>, freeBlk=<optimized out>, count=<optimized out>, radix=64, radix@entry=4096) at /usr/home/conrad/src/freebsd/sys/kern/subr_blist.c:869
#7  0xffffffff80c01a93 in blst_meta_free (scan=<optimized out>, freeBlk=<optimized out>, count=<optimized out>, radix=4096, radix@entry=262144) at /usr/home/conrad/src/freebsd/sys/kern/subr_blist.c:869
#8  0xffffffff80c01a93 in blst_meta_free (scan=scan@entry=0xfffffe00a174d020, freeBlk=<optimized out>, count=<optimized out>, count@entry=31, radix=262144) at /usr/home/conrad/src/freebsd/sys/kern/subr_blist.c:869
#9  0xffffffff80c01c88 in blist_free (bl=0xfffffe00a174d000, blkno=<optimized out>, count=count@entry=31) at /usr/home/conrad/src/freebsd/sys/kern/subr_blist.c:336
#10 0xffffffff80f15ad2 in swp_pager_freeswapspace (blk=122803, npages=31) at /usr/home/conrad/src/freebsd/sys/vm/swap_pager.c:815
#11 0xffffffff80f17740 in swp_pager_meta_free_all (object=0xfffff802368db500) at /usr/home/conrad/src/freebsd/sys/vm/swap_pager.c:702
#12 swap_pager_dealloc (object=0xfffff802368db500) at /usr/home/conrad/src/freebsd/sys/vm/swap_pager.c:699
#13 0xffffffff80f34038 in vm_object_terminate (object=object@entry=0xfffff802368db500) at /usr/home/conrad/src/freebsd/sys/vm/vm_object.c:834
#14 0xffffffff80f35e98 in vm_object_deallocate (object=0xfffff802368db500) at /usr/home/conrad/src/freebsd/sys/vm/vm_object.c:685
#15 0xffffffff80f286e4 in vm_map_entry_deallocate (entry=0xfffff8005b99cac8, system_map=system_map@entry=0) at /usr/home/conrad/src/freebsd/sys/vm/vm_map.c:2996
#16 0xffffffff80f2872d in vm_map_process_deferred () at /usr/home/conrad/src/freebsd/sys/vm/vm_map.c:541
#17 0xffffffff80f2cb18 in vm_map_remove (map=map@entry=0xfffff804821d5000, start=<optimized out>, end=<optimized out>) at /usr/home/conrad/src/freebsd/sys/vm/vm_map.c:3194
#18 0xffffffff80f2ccf4 in vmspace_dofree (vm=0xfffff804821d5000) at /usr/home/conrad/src/freebsd/sys/vm/vm_map.c:342
#19 vmspace_exit (td=td@entry=0xfffff804a2dba000) at /usr/home/conrad/src/freebsd/sys/vm/vm_map.c:423
#20 0xffffffff80b81445 in exit1 (td=td@entry=0xfffff804a2dba000, rval=rval@entry=0, signo=signo@entry=9) at /usr/home/conrad/src/freebsd/sys/kern/kern_exit.c:397
#21 0xffffffff80bd036f in sigexit (td=td@entry=0xfffff804a2dba000, sig=sig@entry=9) at /usr/home/conrad/src/freebsd/sys/kern/kern_sig.c:3145
#22 0xffffffff80bd072d in postsig (sig=9) at /usr/home/conrad/src/freebsd/sys/kern/kern_sig.c:3032
#23 0xffffffff80c2baf7 in ast (framep=0xfffffe00b4a59ac0) at /usr/home/conrad/src/freebsd/sys/kern/subr_trap.c:328
#24 0xffffffff8109c489 in doreti_ast () at /usr/home/conrad/src/freebsd/sys/amd64/amd64/exception.S:1065

gdb stack
Comment 6 Mark Johnston freebsd_committer freebsd_triage 2018-12-13 15:44:06 UTC 
I believe r340914 will fix this.  See the last three comments in https://reviews.freebsd.org/D18058 .
Comment 7 Conrad Meyer freebsd_committer freebsd_triage 2018-12-13 17:24:09 UTC 
(In reply to Mark Johnston from comment #6)
Thanks.  Sorry you hit the same bug :-).  I am running r342026+ now and will probably file a new bug if observed again.

Looks like this issue was only present for 1.5 weeks on CURRENT, 340402-340914 — and I just updated at the wrong time.  Unlikely to be the (exact) same issue observed on 4.x in 2005, but I'll marked "FIXED" for the 2018 CURRENT issue.

Is there an UPDATING note about this?  I doubt many people are going to update to a 2.5 week old head at this point, but it probably doesn't hurt.
Comment 8 Mark Johnston freebsd_committer freebsd_triage 2018-12-13 17:26:49 UTC 
(In reply to Conrad Meyer from comment #7)
> Is there an UPDATING note about this?

No, I don't think we've ever documented bug fixes in UPDATING.
Comment 9 Conrad Meyer freebsd_committer freebsd_triage 2018-12-13 17:34:06 UTC 
(In reply to Mark Johnston from comment #8)
That's fair, I don't know why I thought it would be appropriate there.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2019-06-05 04:17:23 UTC 
Assign to committer that resolved.

^Triage: Not sure if this was MFC'd. If so, please set the correct mfc-stable* flags to match