This one is a bit harder to track down than the ata one; it just happened while I was sitting in X. It might have been just after resuming, but I can't remember exactly. Note that, as with the ata panic, we panicked a second time while trying to sync the disks (perhaps we shouldn't try to sync the disks on a panic?), so the real panic is at frame #13.
(kgdb) where
#0 dumpsys () at ../../../kern/kern_shutdown.c:488
#1 0xc0202443 in boot (howto=16644) at ../../../kern/kern_shutdown.c:331
#2 0xc0202869 in panic (fmt=0xc03337d9 "bremfree: bp %p not locked") at ../../../kern/kern_shutdown.c:628
#3 0xc0230f6d in bremfree (bp=0xc3b5f974) at ../../../kern/vfs_bio.c:535
#4 0xc02331f1 in getblk (vp=0xcc7a9ec0, blkno=160, size=8192, slpflag=0, slptimeo=0) at ../../../kern/vfs_bio.c:2215
#5 0xc0231044 in breadn (vp=0xcc7a9ec0, blkno=160, size=8192, rablkno=0x0, rabsize=0x0, cnt=0, cred=0x0, bpp=0xccdbfaac) at ../../../kern/vfs_bio.c:593
#6 0xc0231011 in bread (vp=0xcc7a9ec0, blkno=160, size=8192, cred=0x0, bpp=0xccdbfaac) at ../../../kern/vfs_bio.c:575
#7 0xc029ff4f in ffs_update (vp=0xccdaacc0, waitfor=0) at ../../../ufs/ffs/ffs_inode.c:101
#8 0xc02ac9da in ffs_fsync (ap=0xccdbfb20) at ../../../ufs/ffs/ffs_vnops.c:292
#9 0xc02ab1b6 in ffs_sync (mp=0xc141fe00, waitfor=2, cred=0xc0b63e00, td=0xc03e7624) at vnode_if.h:441
#10 0xc023d4a1 in sync (td=0xc03e7624, uap=0x0) at ../../../kern/vfs_syscalls.c:640
#11 0xc020208c in boot (howto=16640) at ../../../kern/kern_shutdown.c:240
#12 0xc0202869 in panic (fmt=0xc034516c "item is not free") at ../../../kern/kern_shutdown.c:628
#13 0xc02c26c7 in zalloc (z=0xc03e5340) at ../../../vm/vm_zone.c:483
#14 0xc02e764a in get_pv_entry () at ../../../i386/i386/pmap.c:1693
#15 0xc02e77bc in pmap_insert_entry (pmap=0xc7fd72cc, va=678203392, mpte=0xc08d0c5c, m=0xc093b480) at ../../../i386/i386/pmap.c:1793
#16 0xc02e86eb in pmap_copy (dst_pmap=0xc7fd72cc, src_pmap=0xc7fd73ac, dst_addr=678182912, len=4624384, src_addr=678182912) at ../../../i386/i386/pmap.c:2845
#17 0xc02b9927 in vm_map_copy_entry (src_map=0xc7fd7340, dst_map=0xc7fd7260, src_entry=0xccdc19c0, dst_entry=0xccdc3b40) at ../../../vm/vm_map.c:2252
#18 0xc02b9b91 in vmspace_fork (vm1=0xc7fd7340) at ../../../vm/vm_map.c:2371
#19 0xc02b64e9 in vm_forkproc (td=0xccd1ef04, p2=0xccd1eb00, flags=20) at ../../../vm/vm_glue.c:247
#20 0xc01f4834 in fork1 (td=0xccd1ef04, flags=20, procp=0xccdbfce8) at ../../../kern/kern_fork.c:624
#21 0xc01f3ad6 in fork (td=0xccd1ef04, uap=0xccdbfd20) at ../../../kern/kern_fork.c:121
#22 0xc02eafe7 in syscall (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077938084, tf_esi = 686389012, tf_ebp = -1077938028, tf_isp = -857997964, tf_ebx = 686387764, tf_edx = 4, tf_ecx = 686389012, tf_eax = 2, tf_trapno = 12, tf_err = 2, tf_eip = 685007816, tf_cs = 31, tf_eflags = 582, tf_esp = -1077938184, tf_ss = 47}) at ../../../i386/i386/trap.c:1122
(kgdb) frame 13
#13 0xc02c26c7 in zalloc (z=0xc03e5340) at ../../../vm/vm_zone.c:483
483 KASSERT(((void **) item)[1] == ZENTRY_FREE,
(kgdb) l
478 }
479
480 item = z->zitems;
481 z->zitems = ((void **) item)[0];
482 #ifdef INVARIANTS
483 KASSERT(((void **) item)[1] == ZENTRY_FREE,
484 ("item is not free"));
485 ((void **) item)[1] = 0;
486 #endif
487
(kgdb) x/2 item
0xc0ac0ffc: 0xc0ac0fe0 0x12340000
(kgdb) p z->zname
$3 = 0xc034ca37 "PV ENTRY"
(kgdb) p z->zitems
$4 = (void *) 0xc0ac0fe0

../../../vm/vm_zone.c:#define ZENTRY_FREE (void*)0x12342378

It looks like the lower 2 bytes of the free marker were cleared: the second word of the item is 0x12340000 rather than ZENTRY_FREE (0x12342378). Perhaps a dangling reference to a pv_entry somewhere?

typedef struct pv_entry {
	pmap_t pv_pmap; /* pmap where mapping lies */
	vm_offset_t pv_va; /* virtual address for mapping */
	TAILQ_ENTRY(pv_entry) pv_list;
	TAILQ_ENTRY(pv_entry) pv_plist;
	vm_page_t pv_ptem; /* VM page for pte */
} *pv_entry_t;

So it looks like the pv_va of a freed pv_entry was perhaps modified? (The second word of the item, which the KASSERT compares with ZENTRY_FREE, overlays pv_va, since pv_pmap is a 4-byte pointer on i386.)

--
John Baldwin <[EMAIL PROTECTED]> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message