Date:      Sun, 21 Oct 2012 13:23:46 -0700
From:      David Wolfskill <david@catwhisker.org>
To:        Alexander Motin <mav@freebsd.org>
Cc:        stable@freebsd.org
Subject:   Re: stable/9 @r241776 panic: REDZONE: Buffer underflow detected...
Message-ID:  <20121021202346.GB1609@albert.catwhisker.org>
In-Reply-To: <50843EB6.8030407@FreeBSD.org>
References:  <20121020141019.GW1817@albert.catwhisker.org> <20121021121356.GJ35915@deviant.kiev.zoral.com.ua> <20121021163322.GB1730@albert.catwhisker.org> <20121021164634.GC1730@albert.catwhisker.org> <20121021174054.GM35915@deviant.kiev.zoral.com.ua> <50843EB6.8030407@FreeBSD.org>

On Sun, Oct 21, 2012 at 09:28:06PM +0300, Alexander Motin wrote:
> ...
> I am curious, how to interpret phrase "42=94966796 bytes allocated" in
> log. Maybe it is just corrupted output, but the number still seems
> quite big, especially for i386 system, making me think about some
> integer overflow. David, could you write down that part once more?
>
> Having a few more lines of "Allocation backtrace:" could also be useful.
>
> Could you show your kernel config? I can try to run it on my test
> system, hoping to reproduce the problem.
> ...

I was unable to get serial console to work, even with the USB<=>serial
dongle.

However, I did find that the ddb "dump" command appears to have operated
appropriately, and so I now have a dump.  That, as well as the core.txt
and additional copies of the kernel config ("CANARY") and dmesg.boot have
been copied, and are now accessible from
<http://www.catwhisker.org/~david/FreeBSD/stable_9/>.

For a quick reality check, here's the stuff (cut/pasted from core.txt.4)
that I had hand-written in my initial message:

<118>Starting devd.
REDZONE: Buffer underflow detected. 1 byte corrupted before 0xced40080 (4294966796 bytes allocated).
Allocation backtrace:
#0 0xc0ceaa8f at redzone_setup+0xcf
#1 0xc0a5d5c9 at malloc+0x1d9
#2 0xc0a9ead0 at devctl_queue_data_f+0x40
#3 0xc0aa3fba at devaddq+0x20a
#4 0xc0aa098d at device_probe+0xad
#5 0xc0aa1c9f at bus_generic_attach+0x1f
#6 0xc07bcb1a at vga_pci_attach+0x4a
#7 0xc0aa0de4 at device_attach+0x3b4
#8 0xc0aa1cab at bus_generic_attach+0x2b
#9 0xc0531865 at acpi_pci_attach+0x185
#10 0xc0aa0de4 at device_attach+0x3b4
#11 0xc0aa1cab at bus_generic_attach+0x2b
#12 0xc05339c2 at acpi_pcib_attach+0x262
#13 0xc0534cbf at acpi_pcib_pci_attach+0x9f
#14 0xc0aa0de4 at device_attach+0x3b4
#15 0xc0aa1cab at bus_generic_attach+0x2b
#16 0xc0531865 at acpi_pci_attach+0x185
#17 0xc0aa0de4 at device_attach+0x3b4
Free backtrace:
#0 0xc0cead4a at redzone_check+0x1ca
#1 0xc0a5d618 at free+0x38
#2 0xc0a9e956 at devread+0x1a6
#3 0xc0a28807 at giant_read+0x87
#4 0xc09710c6 at devfs_read_f+0xc6
#5 0xc0aba8d9 at dofileread+0x99
#6 0xc0aba4f8 at sys_read+0x98
#7 0xc0ddf977 at syscall+0x387
#8 0xc0dc87d1 at Xint0x80_syscall+0x21
REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xced3fe8c (4294966796 bytes allocated).
Allocation backtrace:
#0 0xc0ceaa8f at redzone_setup+0xcf
#1 0xc0a5d5c9 at malloc+0x1d9
#2 0xc0a9ead0 at devctl_queue_data_f+0x40
#3 0xc0aa3fba at devaddq+0x20a
#4 0xc0aa098d at device_probe+0xad
#5 0xc0aa1c9f at bus_generic_attach+0x1f
#6 0xc07bcb1a at vga_pci_attach+0x4a
#7 0xc0aa0de4 at device_attach+0x3b4
#8 0xc0aa1cab at bus_generic_attach+0x2b
#9 0xc0531865 at acpi_pci_attach+0x185
#10 0xc0aa0de4 at device_attach+0x3b4
#11 0xc0aa1cab at bus_generic_attach+0x2b
#12 0xc05339c2 at acpi_pcib_attach+0x262
#13 0xc0534cbf at acpi_pcib_pci_attach+0x9f
#14 0xc0aa0de4 at device_attach+0x3b4
#15 0xc0aa1cab at bus_generic_attach+0x2b
#16 0xc0531865 at acpi_pci_attach+0x185
#17 0xc0aa0de4 at device_attach+0x3b4
Free backtrace:
#0 0xc0ceae92 at redzone_check+0x312
#1 0xc0a5d618 at free+0x38
#2 0xc0a9e956 at devread+0x1a6
#3 0xc0a28807 at giant_read+0x87
#4 0xc09710c6 at devfs_read_f+0xc6
#5 0xc0aba8d9 at dofileread+0x99
#6 0xc0aba4f8 at sys_read+0x98
#7 0xc0ddf977 at syscall+0x387
#8 0xc0dc87d1 at Xint0x80_syscall+0x21
panic: free: address 0xced3f080(0xced3f000) has not been allocated.

cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper(c0f99230,c09710c6,c0aba8d9,c0734d37,c1131d40,...) at 0xc051d25e = db_trace_self_wrapper+0x2e
kdb_backtrace(c0fd3355,1,c0f94756,f7231ae8,c0aa1cab,...) at 0xc0aa7eda = kdb_backtrace+0x2a
panic(c0f94756,ced3f080,ced3f000,cebe4400,ced40080,...) at 0xc0a73bd4 = panic+0x1a4
free(ced40080,c10c3660,f7231c0c,c0b1e30d,ce7ef000,...) at 0xc0a5d6f9 = free+0x119
devread(ce8c2d00,f7231c0c,0,c0b1e4f0,d279ca48,...) at 0xc0a9e956 = devread+0x1a6
giant_read(ce8c2d00,f7231c0c,0,400,0,...) at 0xc0a28807 = giant_read+0x87
devfs_read_f(d279ca48,f7231c0c,ce84b680,0,d2797000,...) at 0xc09710c6 = devfs_read_f+0xc6
dofileread(d279ca48,f7231c0c,ffffffff,ffffffff,0,...) at 0xc0aba8d9 = dofileread+0x99
sys_read(d2797000,f7231ccc,c0a7c784,d2797000,0,...) at 0xc0aba4f8 = sys_read+0x98
syscall(f7231d08) at 0xc0ddf977 = syscall+0x387
Xint0x80_syscall() at 0xc0dc87d1 = Xint0x80_syscall+0x21
--- syscall (3, FreeBSD ELF32, sys_read), eip = 0x808f14b, esp = 0xbfbfd92c, ebp = 0xbfbfde58 ---
KDB: enter: panic
...
(kgdb) #0  doadump (textdump=Variable "textdump" is not available.
) at pcpu.h:249
#1  0xc051b353 in db_dump (dummy=-148694992, dummy2=-148694992,
    dummy3=-148694992, dummy4=0xf7231830 "")
    at /usr/src/sys/ddb/db_command.c:538
#2  0xc051ae45 in db_command (cmd_table=Variable "cmd_table" is not available.
) at /usr/src/sys/ddb/db_command.c:449
#3  0xc051abd0 in db_command_loop () at /usr/src/sys/ddb/db_command.c:502
#4  0xc051d3be in db_trap (type=Unhandled dwarf expression opcode 0xc0
) at /usr/src/sys/ddb/db_main.c:231
#5  0xc0aa8464 in kdb_trap (tf=Unhandled dwarf expression opcode 0xc0
) at /usr/src/sys/kern/subr_kdb.c:649
#6  0xc0ddebde in trap (frame=Variable "frame" is not available.
) at /usr/src/sys/i386/i386/trap.c:715
#7  0xc0dc876c in calltrap () at /tmp/exception-ceSooo.s:94
#8  0xc0aa7cdd in kdb_enter (why=Variable "why" is not available.
) at cpufunc.h:71
#9  0xc0a73bf4 in panic (fmt=Unhandled dwarf expression opcode 0xc0
) at /usr/src/sys/kern/kern_shutdown.c:627
#10 0xc0a5d6f9 in free (addr=Unhandled dwarf expression opcode 0xc0
) at /usr/src/sys/kern/kern_malloc.c:545
#11 0xc0a9e956 in devread (dev=0xf7231b14, uio=Variable "uio" is not available.
)
    at /usr/src/sys/kern/subr_bus.c:473
#12 0xc0a28807 in giant_read (dev=Variable "dev" is not available.
) at /usr/src/sys/kern/kern_conf.c:443
#13 0xc09710c6 in devfs_read_f (fp=Variable "fp" is not available.
)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:1177
#14 0xc0aba8d9 in dofileread (td=Variable "td" is not available.
) at file.h:286
#15 0xc0aba4f8 in sys_read (td=Variable "td" is not available.
) at /usr/src/sys/kern/sys_generic.c:250
#16 0xc0ddf977 in syscall (frame=Variable "frame" is not available.
) at subr_syscall.c:135
#17 0xc0dc87d1 in Xint0x80_syscall () at /tmp/exception-ceSooo.s:134
#18 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal
(kgdb)


Anyway: all that (and more!) is available from
<http://www.catwhisker.org/~david/FreeBSD/stable_9/>; I cite the
above mostly as evidence that I might not have been hallucinating.
:-}

Peace,
david
-- 
David H. Wolfskill				david@catwhisker.org
Taliban: Evil men with guns afraid of truth from a 14-year old girl.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
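The two REDZONE messages in the core.txt excerpt above each report a count of corrupted bytes on one side of an allocation ("1 byte corrupted before", "16 bytes corrupted after"), followed by the panic from free(). The following is an added user-space model of that kind of check, written for this archive page; it is not code from this thread and not FreeBSD's own sys/vm/redzone.c. The model assumes a 16-byte guard filled with 0x42 on each side of the buffer and a size_t header in front (RZ_GUARD, RZ_FILL, rz_malloc, rz_free, rz_print and rz_demo are all names chosen here), and on free it counts guard bytes that no longer hold the fill pattern, printing the result in the same shape as the kernel messages. The as_u32 helper only shows the arithmetic behind the question about the size in the log: with a 32-bit size_t, 4294966796 is exactly (uint32_t)-500, which is the kind of value an integer wrap produces; whether that is what happened in this panic is what the thread is trying to establish.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a redzone checker (assumption: 16-byte guards
 * filled with 0x42; not FreeBSD's actual layout). */
#define RZ_GUARD 16
#define RZ_FILL  0x42

struct rz_report {
    size_t size;   /* size the caller asked for */
    size_t under;  /* corrupted guard bytes before the buffer */
    size_t over;   /* corrupted guard bytes after the buffer */
};

/* Layout of one allocation: [size_t size][guard][user bytes][guard]. */
void *rz_malloc(size_t size)
{
    unsigned char *raw = malloc(sizeof(size_t) + RZ_GUARD + size + RZ_GUARD);
    if (raw == NULL)
        return NULL;
    memcpy(raw, &size, sizeof size);
    memset(raw + sizeof(size_t), RZ_FILL, RZ_GUARD);
    memset(raw + sizeof(size_t) + RZ_GUARD + size, RZ_FILL, RZ_GUARD);
    return raw + sizeof(size_t) + RZ_GUARD;
}

/* Scan both guards, release the block, and return what was found.
 * Each side is counted separately, which is why the kernel can print
 * an underflow message and an overflow message for the same buffer. */
struct rz_report rz_free(void *p)
{
    struct rz_report r = { 0, 0, 0 };
    unsigned char *user = p;
    unsigned char *raw = user - RZ_GUARD - sizeof(size_t);
    unsigned char *before = user - RZ_GUARD;
    unsigned char *after;
    size_t i;

    memcpy(&r.size, raw, sizeof r.size);
    after = user + r.size;
    for (i = 0; i < RZ_GUARD; i++) {
        if (before[i] != RZ_FILL)
            r.under++;
        if (after[i] != RZ_FILL)
            r.over++;
    }
    free(raw);
    return r;
}

/* Render the report in the shape REDZONE prints; returns 1 if either
 * guard was damaged, 0 for a clean free. */
int rz_print(const struct rz_report *r, const void *addr)
{
    if (r->under > 0)
        printf("REDZONE: Buffer underflow detected. %zu byte%s corrupted "
               "before %p (%zu bytes allocated).\n", r->under,
               r->under == 1 ? "" : "s", addr, r->size);
    if (r->over > 0)
        printf("REDZONE: Buffer overflow detected. %zu byte%s corrupted "
               "after %p (%zu bytes allocated).\n", r->over,
               r->over == 1 ? "" : "s", addr, r->size);
    return r->under > 0 || r->over > 0;
}

/* Self-test for the checker: allocate 64 bytes, overwrite `before`
 * guard bytes in front of the buffer and `after` guard bytes past its
 * end (capped at the guard size so the header stays intact), free it,
 * and return one side of the report (side 0 = under, side 1 = over). */
size_t rz_demo(size_t before, size_t after, int side)
{
    unsigned char *buf = rz_malloc(64);
    struct rz_report r;

    if (buf == NULL)
        return (size_t)-1;            /* allocation failure */
    if (before > RZ_GUARD) before = RZ_GUARD;
    if (after > RZ_GUARD)  after = RZ_GUARD;
    memset(buf, 0, 64);
    memset(buf - before, 0xff, before);  /* damage in front of the buffer */
    memset(buf + 64, 0xff, after);       /* damage past its end */
    r = rz_free(buf);
    return side == 0 ? r.under : r.over;
}

/* On i386, size_t is 32 bits: a negative length stored in it shows up
 * as a value just below 2^32. 4294966796 == (uint32_t)-500. */
uint32_t as_u32(int64_t v)
{
    return (uint32_t)v;
}

int main(void)
{
    unsigned char *buf = rz_malloc(32);
    struct rz_report r;

    if (buf == NULL)
        return 1;
    buf[-1] = 0;               /* one byte before the buffer */
    memset(buf + 32, 0, 16);   /* sixteen bytes after it */
    r = rz_free(buf);
    rz_print(&r, buf);         /* prints the "1 byte ... before" and "16 bytes ... after" lines */
    printf("(uint32_t)-500 = %u\n", as_u32(-500));
    return 0;
}
```

The kernel's REDZONE option does the scan at free() time, which is why the "Free backtrace" in the log ends in devread and the allocation backtrace in devctl_queue_data_f: the message names where the buffer was freed and where it was handed out, not where the stray write happened.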
