Date:      Sun, 28 Apr 2002 22:51:38 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        current@FreeBSD.org
Subject:   elf_freebsd_fixup: panic freeing imgp->auxargs
Message-ID:  <Pine.NEB.3.96L.1020428224734.64976S-100000@fledge.watson.org>


The usual setup: dual process -CURRENT box (crash2) from an hour or two
ago, network booted using pxeboot, with an NFS root.  System boots, builds
a kernel, and reboots, repeating until panic.  Doesn't take long :-). 
This one is weird, as with many of them I suppose, and could mean possible
memory corruption, or a malloc/free bug.  In essence, it appears to be
freeing the imgp->auxargs argument, which as far as I can tell shouldn't
get NULL'd, and yet free() indicates that it's not allocated.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services


APIC_IO: Testing 8254 interrupt delivery
APIC_IO: Broken MP table detected: 8254 is not connected to IOAPIC #0
intpin 2
APIC_IO: routing 8254 via 8259 and IOAPIC #0 intpin 0
ad0: 19458MB <ST320420A> [39535/16/63] at ata0-master UDMA33
acd0: CDROM <MATSHITA CR-176> at ata1-master PIO4
doSuMnPt:i nAgP  rCoPoUt  #f1r oLma unnfcsh:e
ts
ray irq 10
NFS ROOT: 192.168.50.1:/cboss/devel/nfsroot/crash2.cboss.tislabs.com
panic: free: address 0xc93a8a80(0xc93a8000) has not been allocated.

cpuid = 0; lapic.id = 00000000
Debugger("panic")
Stopped at      Debugger+0x41:  xorl    %eax,%eax
db> trace
Debugger(c03cda9a) at Debugger+0x41
panic(c03cbc80,c93a8a80,c93a8000,bfbffe64,c93a8a80) at panic+0xd8
free(c93a8a80,c04271a0,1,0,c8710ba4) at free+0x76
elf_freebsd_fixup(c8710b30,c8710ba4,bfbfffe4,bfbffff2,c042474a) at elf_freebsd_fixup+0x12b
execve(c8709100,c8710d10,bfbfffe4,bfbffff2,bfbfffe8,bfbffffd,bfbfffec,0) at execve+0x3de
start_init(0,c8710d48,c8709100,c0230e50,0) at start_init+0x349
fork_exit(c0230e50,0,c8710d48) at fork_exit+0x88
fork_trampoline() at fork_trampoline+0x37


Debugger (msg=0xc03cda9a "panic") at machine/atomic.h:227
227     ATOMIC_STORE_LOAD(int,  "cmpxchgl %0,%1",  "xchgl %1,%0")

(kgdb) bt
#0  Debugger (msg=0xc03cda9a "panic") at machine/atomic.h:227
#1  0xc024c094 in panic (
    fmt=0xc03cbc80 "free: address %p(%p) has not been allocated.\n")
    at ../../../kern/kern_shutdown.c:477
#2  0xc0243472 in free (addr=0xc93a8a80, type=0xc04271a0)
    at ../../../kern/kern_malloc.c:222
#3  0xc02300a3 in elf_freebsd_fixup (stack_base=0xc8710b30, imgp=0xc8710ba4)
    at ../../../kern/imgact_elf.c:711
#4  0xc0239fbe in execve (td=0xc8709100, uap=0xc8710d10)
    at ../../../kern/kern_exec.c:278
#5  0xc0231199 in start_init (dummy=0x0) at ../../../kern/init_main.c:610
#6  0xc023d5d8 in fork_exit (callout=0xc0230e50 <start_init>, arg=0x0,
    frame=0xc8710d48) at ../../../kern/kern_fork.c:808

(kgdb) up
#1  0xc024c094 in panic (
    fmt=0xc03cbc80 "free: address %p(%p) has not been allocated.\n")
    at ../../../kern/kern_shutdown.c:477
477                     Debugger ("panic");
(kgdb) up
#2  0xc0243472 in free (addr=0xc93a8a80, type=0xc04271a0)
    at ../../../kern/kern_malloc.c:222
222                     panic("free: address %p(%p) has not been allocated.\n",
(kgdb) up
#3  0xc02300a3 in elf_freebsd_fixup (stack_base=0xc8710b30, imgp=0xc8710ba4)
    at ../../../kern/imgact_elf.c:711
711             free(imgp->auxargs, M_TEMP);
(kgdb) inspect imgp
$1 = (struct image_params *) 0xc8710ba4
(kgdb) inspect *imgp
$2 = {proc = 0xc8709000, uap = 0xc8710d10, vp = 0xc93a51e0, attr = 0xc8710b44,
  image_header = 0xc7f08000 "\177ELF\001\001\001\t",
  stringbase = 0xc7ef8000 "/sbin/init", stringp = 0xc7ef800e "",
  endargs = 0xc7ef800e "", stringspace = 65522, argc = 2, envc = 0,
  argv0 = 0x0, entry_addr = 134513216, vmspace_destroyed = 1 '\001',
  interpreted = 0 '\000',
  interpreter_name = "\000\000\xe9b?\xc0F\002\000\000\xdc\221p\xc8\xd2\002\000\000\xe9b?\xc0F\002\000\000(\fq\xc8\xe4G$\xc0\xdc\221p\xc8\b\000\000\000\xe9b?\xc0\xd2\002\000\000\xdc\221p\xc8\001\000\000\000\xd7\xca<\xc0K\001\000\000\xdc\221p\xc8\000\220p\xc8\000\000\000\000X\fq\xc8\024\2037\xc0\xdc\221p\xc8\000\000\000\000\xe9b?\xc0\xd2\002\000\000\f\000\000\000\000\000\000\000\002\000\000\000\000\221p\xc8\002%$\xc0\000\xf0\xbf\xbf\214\f",
  auxargs = 0xc93a8a80, firstpage = 0xc0a2edc4,
  fname = 0xbfbffff2 "\xbf\xbf\002", ps_strings = 0, auxarg_size = 30}


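The panic in the report above is raised by the kernel allocator's own ownership check: free() looks up the address it was handed and refuses it when the allocator never issued it (or no longer considers it live), which is what turns a bad free into a loud, early panic rather than silent heap corruption. As an added example, not FreeBSD code and not part of the original message, the C program below shows the same class of check in a small user-space wrapper. It keeps a registry of live blocks plus a quarantine of recently freed ones, so tracked_free can classify a pointer as a legitimate free, a double free, a pointer interior to a live block, or an address the allocator never handed out. All names (tracked_malloc, tracked_free, run_demo) and the block sizes are hypothetical.

```c
/*
 * Added illustration, not FreeBSD's allocator: a malloc/free wrapper that
 * validates every free() against a registry of outstanding allocations,
 * in the spirit of the "free: address has not been allocated" check above.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 64          /* total live + quarantined blocks */

struct live_alloc {
    unsigned char *addr;
    size_t size;
};

enum free_result { FREE_OK, FREE_DOUBLE, FREE_INTERIOR, FREE_UNKNOWN };

static struct live_alloc live[MAX_TRACKED];
static size_t nlive;
static void *quarantine[MAX_TRACKED];   /* freed blocks, never reused here */
static size_t nquarantine;

/* Allocate and record the block; NULL when the registry is full. */
void *tracked_malloc(size_t size)
{
    if (nlive + nquarantine >= MAX_TRACKED)
        return NULL;
    void *p = malloc(size);
    if (p == NULL)
        return NULL;
    live[nlive].addr = p;
    live[nlive].size = size;
    nlive++;
    return p;
}

/*
 * Classify a free request. A valid block is poisoned and moved to the
 * quarantine (not returned to libc), so a second free of it is detectable
 * and the address cannot be recycled behind the caller's back.
 */
enum free_result tracked_free(void *addr)
{
    uintptr_t a = (uintptr_t)addr;
    size_t i;

    for (i = 0; i < nquarantine; i++)
        if (quarantine[i] == addr)
            return FREE_DOUBLE;

    for (i = 0; i < nlive; i++) {
        uintptr_t base = (uintptr_t)live[i].addr;
        if (a == base) {
            memset(live[i].addr, 0xdd, live[i].size);   /* poison */
            quarantine[nquarantine++] = live[i].addr;
            live[i] = live[--nlive];                    /* swap-remove */
            return FREE_OK;
        }
        if (a > base && a < base + live[i].size)
            return FREE_INTERIOR;   /* inside a live block, not its start */
    }
    return FREE_UNKNOWN;            /* never issued by this allocator */
}

/* Exercises all four outcomes; returns the number of misclassifications. */
int run_demo(void)
{
    int stack_object;
    unsigned char *a = tracked_malloc(32);
    unsigned char *b = tracked_malloc(128);
    int bad = 0;

    if (a == NULL || b == NULL)
        return -1;
    bad += tracked_free(a) != FREE_OK;              /* legitimate */
    bad += tracked_free(a) != FREE_DOUBLE;          /* freed twice */
    bad += tracked_free(b + 16) != FREE_INTERIOR;   /* mid-block pointer */
    bad += tracked_free(&stack_object) != FREE_UNKNOWN; /* not heap */
    bad += tracked_free(b) != FREE_OK;              /* cleanup */
    return bad;
}

int main(void)
{
    int bad = run_demo();
    printf("misclassified frees: %d\n", bad);
    return bad == 0 ? 0 : 1;
}
```

The quarantine is what makes the double-free case detectable at all: once a freed address is handed back to the underlying allocator it may be reissued, and a later free of the same pointer becomes indistinguishable from a valid one.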



