5698 panic in mpt_sas: vmem_hash_delete(ffffff1aa3456000, 1, 8): bad free

Review Request #340 — Created Jan. 30, 2017 and submitted — Latest diff uploaded

marcel
illumos-gate
master
5698
ca5a84a...
general
webrev: http://cr.illumos.org/~webrev/marcel/il-5698-mpt_sas_bad_free_panic/

The panic happens when the mptsas_restart_ioc() -> mptsas_init_chip() -> mptsas_alloc_sense_bufs() codepath is executed while some outstanding command is waiting for a reply. In mptsas_alloc_sense_bufs() we rmfreemap/rmallocmap the resource map, including the space used by the pending command (this is where the "leaked 8 bytes" warning comes from). Once the pending command receives its reply, the space used by the command is freed and we hit the panic with the "bad free" string.

More details at: https://www.illumos.org/issues/5698#note-14
I ran the following two scripts concurrently for several days on a debug build:

# while true ; do sg_raw -r 1k /dev/rdsk/c4t5000CCA222CD61A1d0 12 00 00 00 60 00 > /dev/null 2>&1 ; echo -n "$?: "; date ; done
# while true ; do time ./mptreset /devices/pci@0,0/pci8086,d138@3/pci1000,3010@0:devctl ; date ; sleep 1 ; done

A similar test was run by Dan Fields too. Dan reproduced bug #7813 during
his testing. I confirmed that bug #7813 is reproducible with vanilla illumos
too, so it is not introduced by this fix.
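
The sequence described in the summary above (pending command, map recreated by the reset path, late reply freeing its space), replayed against a toy slot map. This is an added example, not code from mpt_sas or from this change; `toy_map`, its functions and `NSLOTS` are hypothetical stand-ins for the driver's resource map.

```c
#include <stdio.h>
#include <string.h>

#define NSLOTS 8                  /* constructed size, not the driver's */

struct toy_map {                  /* hypothetical stand-in for the resource map */
    unsigned char used[NSLOTS];
    int outstanding;
};

/* Recreate the map from scratch. Returns how many live slots were dropped,
 * the analogue of the "leaked 8 bytes" warning. */
static int toy_map_recreate(struct toy_map *m) {
    int leaked = m->outstanding;
    memset(m, 0, sizeof(*m));
    return leaked;
}

static int toy_alloc(struct toy_map *m) {
    for (int i = 0; i < NSLOTS; i++)
        if (!m->used[i]) { m->used[i] = 1; m->outstanding++; return i; }
    return -1;                    /* map exhausted */
}

/* Returns 0 on success, -1 for a "bad free": the map has no record of the
 * slot. The kernel allocator panics at this point instead of returning. */
static int toy_free(struct toy_map *m, int slot) {
    if (slot < 0 || slot >= NSLOTS || !m->used[slot]) return -1;
    m->used[slot] = 0;
    m->outstanding--;
    return 0;
}

/* Replays: command pending -> reset recreates the map -> late reply frees. */
static int replay_reset_with_pending(int *leaked) {
    struct toy_map m;
    memset(&m, 0, sizeof(m));         /* initial map creation */
    int slot = toy_alloc(&m);         /* command issued, awaiting its reply */
    *leaked = toy_map_recreate(&m);   /* reset path rebuilds the map */
    return toy_free(&m, slot);        /* reply frees a slot the new map never issued */
}

int main(void) {
    int leaked, rc = replay_reset_with_pending(&leaked);
    printf("leaked=%d free_rc=%d\n", leaked, rc);
    return 0;
}
```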