Date: Wed, 1 Feb 2006 10:47:52 -0500
From: Andrew Gallatin <gallatin@cs.duke.edu>
To: Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc: cvs-src@FreeBSD.org, src-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/kern kern_malloc.c src/share/man/man9 Makefile redzone.9 src/sys/vm redzone.c redzone.h src/sys/conf NOTES files options
Message-ID: <20060201104752.A68774@grasshopper.cs.duke.edu>
In-Reply-To: <200601311109.k0VB9MRq025366@repoman.freebsd.org>; from pjd@FreeBSD.org on Tue, Jan 31, 2006 at 11:09:22AM +0000
References: <200601311109.k0VB9MRq025366@repoman.freebsd.org>
Pawel Jakub Dawidek [pjd@FreeBSD.org] wrote:
> pjd         2006-01-31 11:09:22 UTC
> 
>   FreeBSD src repository
> 
>   Modified files:
>     sys/kern             kern_malloc.c 
>     share/man/man9       Makefile 
>     sys/conf             NOTES files options 
>   Added files:
>     share/man/man9       redzone.9 
>     sys/vm               redzone.c redzone.h 
>   Log:
>   Add buffer corruption protection (RedZone) for kernel's malloc(9).
>   It detects both buffer underflow and buffer overflow bugs at runtime
>   (on free(9) and realloc(9)) and prints backtraces from where memory was
>   allocated and from where it was freed.
> 

If I enable DEBUG_REDZONE on an amd64 machine (UP, 512MB ram), I get this
panic on startup:

FreeBSD 7.0-CURRENT #0: Tue Jan 31 17:17:41 EST 2006
    gallatin@venice:/usr/src/sys/amd64/compile/VENICEW
WARNING: WITNESS option enabled, expect reduced performance.
Memory modified after free 0xffffff0000006d00(248) val=5 @ 0xffffff0000006dd0
kernel trap 9 with interrupts disabled

Fatal trap 9: general protection fault while in kernel mode
instruction pointer     = 0x8:0xffffffff80302bd0
stack pointer           = 0x10:0xffffffff8075c9f0
frame pointer           = 0x10:0xffffffff8075cb10
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = resume, IOPL = 0
current process         = 0 ()
[thread pid 0 tid 0 ]
Stopped at      strlen: cmpb    $0,0(%rdi)
db> tr
Tracing pid 0 tid 0 td 0xffffffff805d70a0
strlen() at strlen
vsnprintf() at vsnprintf+0x2e
panic() at panic+0x18c
mtrash_ctor() at mtrash_ctor+0x78
uma_zalloc_arg() at uma_zalloc_arg+0x306
malloc() at malloc+0xb0
init_dynamic_kenv() at init_dynamic_kenv+0x6b
mi_startup() at mi_startup+0xd3
btext() at btext+0x2c
db> 

The place where it tried to panic is:

(gdb) l *mtrash_ctor +0x78
0xffffffff8039b128 is at ../../../vm/uma_dbg.c:137.
132
133             for (p = mem; cnt > 0; cnt--, p++)
134                     if (*p != uma_junk) {
135                             printf("Memory modified after free %p(%d) val=%x @ %p\n",
136                                 mem, size, *p, p);
137                             panic("Most recently used by %s\n", (*ksp == NULL)?
138                                 "none" : (*ksp)->ks_shortdesc);
139                     }
140             return (0);
141     }

Removing DEBUG_REDZONE allows me to boot again.  Does DEBUG_REDZONE not
work on amd64, or is there a bad interaction in general with the
mtrash'ing done by INVARIANTS, or is this something else entirely?

Drew
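The two checks this thread turns on are easier to see side by side in a small user-space model. The following C block is an added illustration, not FreeBSD's redzone.c or uma_dbg.c: rz_free() verifies a guard zone on each side of the buffer (the RedZone idea from the commit message, reporting underflow and overflow separately), then fills the freed user area with a junk byte; rz_malloc() reuses a freed block of the same size and, before handing it out, verifies that the junk pattern is intact, which is the "Memory modified after free" check mtrash_ctor() performs under INVARIANTS. The zone size, the two fill bytes, the header layout and the single LIFO reuse list are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added user-space model of red zones plus junk-on-free (not the FreeBSD
 * implementation). Zone size, fill patterns and block reuse are assumptions. */
#define REDZONE_SIZE    16
#define REDZONE_PATTERN 0x42    /* assumed guard byte */
#define JUNK_PATTERN    0x5a    /* assumed free-fill byte */

/* Status bits returned by rz_free() */
#define RZ_OK        0
#define RZ_UNDERFLOW 1
#define RZ_OVERFLOW  2

/* Header precedes the user buffer; 'front' is the leading red zone and ends
 * exactly where the user buffer starts. A trailing zone follows the buffer. */
struct rz_hdr {
    struct rz_hdr *next;             /* free-list link while the block is free */
    size_t size;                     /* user-visible size */
    unsigned char front[REDZONE_SIZE];
};

static struct rz_hdr *rz_freelist;   /* freed blocks kept for reuse, LIFO */
static int rz_uaf_count;             /* writes-after-free detected so far */

static unsigned char *rz_user(struct rz_hdr *h) { return (unsigned char *)(h + 1); }

static int rz_zone_intact(const unsigned char *z)
{
    for (size_t i = 0; i < REDZONE_SIZE; i++)
        if (z[i] != REDZONE_PATTERN)
            return 0;
    return 1;
}

/* Hand out a block, reusing a freed one of the same size when available.
 * A reused block's user area must still carry JUNK_PATTERN; any other byte
 * means something wrote to it after free (the check mtrash_ctor performs). */
void *rz_malloc(size_t size)
{
    struct rz_hdr *h;

    if (rz_freelist != NULL && rz_freelist->size == size) {
        h = rz_freelist;
        rz_freelist = h->next;
        unsigned char *u = rz_user(h);
        for (size_t i = 0; i < size; i++) {
            if (u[i] != JUNK_PATTERN) {
                printf("Memory modified after free %p(%zu) val=%x @ %p\n",
                       (void *)u, size, (unsigned)u[i], (void *)&u[i]);
                rz_uaf_count++;
                break;
            }
        }
    } else {
        h = malloc(sizeof(*h) + size + REDZONE_SIZE);
        if (h == NULL)
            return NULL;
    }
    h->next = NULL;
    h->size = size;
    memset(h->front, REDZONE_PATTERN, REDZONE_SIZE);       /* leading zone */
    memset(rz_user(h) + size, REDZONE_PATTERN, REDZONE_SIZE); /* trailing zone */
    return rz_user(h);
}

/* Verify both red zones, junk-fill the user area, and park the block on the
 * free list. Returns RZ_OK or a mask of RZ_UNDERFLOW / RZ_OVERFLOW. */
int rz_free(void *p)
{
    struct rz_hdr *h = (struct rz_hdr *)p - 1;
    unsigned char *u = rz_user(h);
    int status = RZ_OK;

    if (!rz_zone_intact(h->front)) {
        printf("REDZONE: buffer underflow detected in %p(%zu)\n", p, h->size);
        status |= RZ_UNDERFLOW;
    }
    if (!rz_zone_intact(u + h->size)) {
        printf("REDZONE: buffer overflow detected in %p(%zu)\n", p, h->size);
        status |= RZ_OVERFLOW;
    }
    memset(u, JUNK_PATTERN, h->size);
    h->next = rz_freelist;
    rz_freelist = h;
    return status;
}

int rz_uaf_detected(void) { return rz_uaf_count; }

int main(void)
{
    unsigned char *p = rz_malloc(32);
    memset(p, 0, 32);
    printf("clean free: %d\n", rz_free(p));          /* 0 */
    p = rz_malloc(32);
    p[32] = 1;                                        /* one byte past the end */
    printf("overflow free: %d\n", rz_free(p));       /* 2 */
    p = rz_malloc(32);
    rz_free(p);
    p[0] = 7;                                         /* write after free */
    rz_malloc(32);                                    /* reuse runs the junk check */
    printf("writes after free seen: %d\n", rz_uaf_detected());   /* 1 */
    return 0;
}
```

The ordering matters for the kind of report you get: a zone check on free names the buffer that was overrun, while a junk check only fires when the block is next allocated, so it can only say that the region was written after free, not by whom; that is why the kernel version keeps an allocation backtrace and a "most recently used by" type to go with the message.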
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060201104752.A68774>