Date: Wed, 22 Jul 1998 10:54:52 -0400 (EDT)
From: Thomas David Rivers <rivers@dignus.com>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: kern/7367: panic: malloc: wrong bucket
Message-ID: <199807221454.KAA00527@lakes.dignus.com>

>Number: 7367
>Category: kern
>Synopsis: panic: malloc: wrong bucket
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 22 09:00:01 PDT 1998
>Last-Modified:
>Originator: Thomas David Rivers
>Organization: Dignus LLC
>Release: FreeBSD 2.2.6-RELEASE i386
>Environment:

 FreeBSD 2.2.6; 32Meg machine, XFreeBSD, Matrox Millennium II card.

>Description:

 I get "mysterious" panics/crashes after upgrading to 2.2.6 (from 2.2.5).
 Sometimes, I get a panic with a nice savecore, sometimes I don't.

 Here's the traceback of the latest one (from gdb -k):

 #0  boot (howto=256) at ../../kern/kern_shutdown.c:266
 #1  0xf0112882 in panic (fmt=0xf010f01b "malloc: wrong bucket")
     at ../../kern/kern_shutdown.c:390
 #2  0xf010f364 in malloc (size=264, type=41, flags=0)
     at ../../kern/kern_malloc.c:226
 #3  0xf010c992 in fork1 (p1=0xf0b04000, flags=20, retval=0xefbfff84)
     at ../../kern/kern_fork.c:170
 #4  0xf010c870 in fork (p=0xf0b04000, uap=0xefbfff94, retval=0xefbfff84)
     at ../../kern/kern_fork.c:91
 #5  0xf01c853f in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 368640,
       tf_esi = 337812, tf_ebp = -272639004, tf_isp = -272629788,
       tf_ebx = 1, tf_edx = 368640, tf_ecx = 337812, tf_eax = 2,
       tf_trapno = 12, tf_err = 7, tf_eip = 168389, tf_cs = 31,
       tf_eflags = 514, tf_esp = -272639028, tf_ss = 39})
     at ../../i386/i386/trap.c:918
 #6  0x291c5 in ?? ()
 #7  0x2e49 in ?? ()
 #8  0x2399 in ?? ()
 #9  0x2148 in ?? ()
 #10 0x909e in ?? ()
 #11 0x107e in ?? ()

 which seems to be an issue with the kernel malloc routines, the call
 in fork1 looks like:

 169         /* Allocate new proc. */
 170         MALLOC(newproc, struct proc *, sizeof(struct proc), M_PROC, M_WAITOK);

 I'd guess that the malloc chains had been corrupted, and this
 is not the culprit of the corruption; but the call that discovered it.

 I have the kernel (a 2.2.6-RELEASE kernel config'd with debug) and
 the core file if anyone is interested.

 The panic call looks like (from kern_malloc.c):

 221         freep->spare0 = 0;
 222 #endif /* DIAGNOSTIC */
 223 #ifdef KMEMSTATS
 224         kup = btokup(va);
 225         if (kup->ku_indx != indx)
 226                 panic("malloc: wrong bucket");
 227         if (kup->ku_freecnt == 0)
 228                 panic("malloc: lost data");
 229         kup->ku_freecnt--;
 230         kbp->kb_totalfree--;

 and, the problem here is kup is NULL! [so, the dereference
 kup->ku_indx gets a bogus value.] va is 0xf0b46c00, and *va is NULL.

>How-To-Repeat:

 Hmm... for me, it's boot up and wait a few days.

>Fix:

 As a diagnostic, perhaps a PANIC in kern_malloc if kup is NULL?

>Audit-Trail:
>Unformatted:
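
The consistency check quoted in the report, as a simplified user-space model (an added example, not FreeBSD source and not the submitter's code). The arena base, table size and the names `usage_tab`, `bucket_index`, `addr_to_usage` and `check_block` are hypothetical, power-of-two buckets are a model assumption, and the address-range test stands in for the extra diagnostic the Fix field asks for.

```c
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT 12   /* 4 KiB pages, as on i386 */
#define NPAGES     8    /* size of the model arena (constructed) */
#define MINBUCKET  4    /* smallest bucket in the model: 1 << 4 = 16 bytes */

/* Per-page bookkeeping, using the two field names the report quotes. */
struct usage { short ku_indx; unsigned short ku_freecnt; };

enum verdict { OK, BAD_ADDRESS, WRONG_BUCKET, LOST_DATA };

static struct usage usage_tab[NPAGES];
static const uintptr_t arena_base = 0xf0b40000u;  /* constructed base */

/* Bucket index for a request: smallest power of two >= size. */
static int bucket_index(size_t size)
{
    int indx = MINBUCKET;
    while (((size_t)1 << indx) < size)
        indx++;
    return indx;
}

/* Map an address to its usage entry; NULL when it lies outside the arena. */
static struct usage *addr_to_usage(uintptr_t va)
{
    if (va < arena_base || ((va - arena_base) >> PAGE_SHIFT) >= NPAGES)
        return NULL;
    return &usage_tab[(va - arena_base) >> PAGE_SHIFT];
}

/* Validate a block taken off a bucket's free list before handing it out. */
static enum verdict check_block(uintptr_t va, size_t size)
{
    struct usage *kup = addr_to_usage(va);
    if (kup == NULL)
        return BAD_ADDRESS;    /* refuse instead of reading a bogus entry */
    if (kup->ku_indx != bucket_index(size))
        return WRONG_BUCKET;   /* page was carved up for a different size */
    if (kup->ku_freecnt == 0)
        return LOST_DATA;      /* free list offers a block the page lacks */
    kup->ku_freecnt--;
    return OK;
}
```

The checks run when a block is handed out, so a failure identifies the allocation that found the inconsistent bookkeeping, not the code that damaged it.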