5698 panic in mpt_sas: vmem_hash_delete(ffffff1aa3456000, 1, 8): bad free
Review Request #340 — Created Jan. 30, 2017 and submitted — Latest diff uploaded
webrev: http://cr.illumos.org/~webrev/marcel/il-5698-mpt_sas_bad_free_panic/

The panic happens when the mptsas_restart_ioc() -> mptsas_init_chip() -> mptsas_alloc_sense_bufs() codepath is executed while there is some outstanding command waiting for a reply. In mptsas_alloc_sense_bufs() we rmfreemap/rmallocmap the resource map, including the space used by the pending command (this is where the "leaked 8 bytes" warning comes from). Once the pending command receives its reply, the space used by the command is freed and we hit the panic with the "bad free" string.

More details at: https://www.illumos.org/issues/5698#note-14
I ran the following two scripts concurrently for several days on a debug build:

# while true ; do sg_raw -r 1k /dev/rdsk/c4t5000CCA222CD61A1d0 12 00 00 00 60 00 > /dev/null 2>&1 ; echo -n "$?: "; date ; done

# while true ; do time ./mptreset /devices/pci@0,0/pci8086,d138@3/pci1000,3010@0:devctl ; date ; sleep 1 ; done

A similar test was run by Dan Fields too. Dan reproduced bug #7813 during his testing. I confirmed that bug #7813 is reproducible with vanilla illumos too, so it is not introduced by this fix.
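
The sequence from the description above, replayed in a small user-space model. This is an added example, not code from the webrev or from illumos; `toy_map`, `NSLOTS` and the function names are hypothetical, and the model tracks slots rather than bytes.

```c
#include <stdio.h>
#include <string.h>

#define NSLOTS 8	/* constructed size, not the driver's value */
struct toy_map { unsigned char used[NSLOTS]; };	/* toy model, not illumos code */
static void map_create(struct toy_map *m) { memset(m, 0, sizeof (*m)); }

/* Destroy the map; return how many slots were still allocated (leaked). */
static int map_destroy(struct toy_map *m)
{
	int leaked = 0;
	for (int i = 0; i < NSLOTS; i++)
		leaked += m->used[i];
	memset(m, 0, sizeof (*m));
	return (leaked);
}

/* Allocate one slot; return its index, or -1 when the map is full. */
static int map_alloc(struct toy_map *m)
{
	for (int i = 0; i < NSLOTS; i++)
		if (!m->used[i]) { m->used[i] = 1; return (i); }
	return (-1);
}

/* Free a slot; -1 means "bad free": this map never handed the slot out. */
static int map_free(struct toy_map *m, int slot)
{
	if (slot < 0 || slot >= NSLOTS || !m->used[slot])
		return (-1);
	m->used[slot] = 0;
	return (0);
}

/* Replay the sequence from the description; returns the late free's result. */
static int replay_reset_race(int *leaked)
{
	struct toy_map m;
	map_create(&m);
	int pending = map_alloc(&m);	/* command issued, reply outstanding */
	*leaked = map_destroy(&m);	/* reset path frees the map ... */
	map_create(&m);			/* ... and allocates a fresh one */
	return (map_free(&m, pending));	/* reply arrives, its space is freed */
}

int main(void)
{
	int leaked, rc = replay_reset_race(&leaked);
	printf("leaked=%d late_free=%s\n", leaked, rc ? "bad free" : "ok");
	return (0);
}
```

In the model the late free returns an error; in the driver the same mismatch is what the allocator reports as the "bad free" panic.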