From owner-freebsd-current@FreeBSD.ORG Fri Nov 12 23:30:26 2004
Return-Path:
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6DCB116A4CE for ; Fri, 12 Nov 2004 23:30:26 +0000 (GMT)
Received: from lakermmtao10.cox.net (lakermmtao10.cox.net [68.230.240.29]) by mx1.FreeBSD.org (Postfix) with ESMTP id E5F4A43D41 for ; Fri, 12 Nov 2004 23:30:25 +0000 (GMT) (envelope-from conrads@cox.net)
Received: from dolphin.local.net ([68.11.30.24]) by lakermmtao10.cox.net (InterMail vM.6.01.04.00 201-2131-117-20041022) with ESMTP id <20041112233025.GEIO13256.lakermmtao10.cox.net@dolphin.local.net> for ; Fri, 12 Nov 2004 18:30:25 -0500
Received: from dolphin.local.net (localhost.local.net [127.0.0.1]) by dolphin.local.net (8.13.1/8.13.1) with SMTP id iACNUMnW022798 for ; Fri, 12 Nov 2004 17:30:22 -0600 (CST) (envelope-from conrads@cox.net)
Date: Fri, 12 Nov 2004 17:30:17 -0600
From: "Conrad J. Sabatier"
To: freebsd-current@freebsd.org
Message-ID: <20041112173017.6ce5e360@dolphin.local.net>
In-Reply-To: <200411122312.iACNBvVv067706@gw.catspoiler.org>
References: <200411122312.iACNBvVv067706@gw.catspoiler.org>
X-Mailer: Sylpheed-Claws 0.9.12b (GTK+ 1.2.10; amd64-portbld-freebsd6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: kernel panic in free() called from semop()
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 12 Nov 2004 23:30:26 -0000

On Fri, 12 Nov 2004 15:11:57 -0800 (PST), Don Lewis wrote:

> I cvsup'ed around 18:12 UTC today and got the following kernel panic
> with the new kernel right after moused started.
>
> Starting default moused:.
> panic: free: address 0xe902ecb0(0xe902e000) has not been allocated.
>
> cpuid = 0
> KDB: enter: panic
> [thread 100082]
> Stopped at kdb_enter+0x2c: leave
> db> tr
> kdb_enter(c082a57e,100,c26c8300,e902ecb0,c26c8300) at kdb_enter+0x2c
> panic(c0828c9f,e902ecb0,e902e000,e902ecb6,c26c8300) at panic+0x17f
> free(e902ecb0,c088f900,c082dd62,685,e902ecb6) at free+0xd4
> semop(c26c8300,e902ed18,5,4,283) at semop+0x150
> syscall(2f,2f,2f,805c010,bfbfed56) at syscall+0x128
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (169, FreeBSD ELF32, semsys), eip = 0x480dd5f8, esp =
> 0xbfbfeb04, ebp = 0xbfbfeb40 ---
>
>
> I suspect that the culprit is the sysv_sema.c:1.71.
>
> This particular part of the change looks like a mistake:
>
> @@ -900,7 +901,7 @@ semop(td, uap)
> semid = IPCID_TO_IX(semid); /* Convert back to zero origin */
>
> if (semid < 0 || semid >= seminfo.semmni)
> - return (EINVAL);
> + error = EINVAL;
>
> /* Allocate memory for sem_ops */
> if (nsops <= SMALL_SOPS)
>
> Falling through instead of returning looks dangerous because a little
> further down there is the following code:
>
> semakptr = &sema[semid];
> sema_mtxp = &sema_mtx[semid];
>
> Oh, this looks bad, too:
>
> @@ -1152,6 +1153,7 @@ done2:
> mtx_unlock(sema_mtxp);
> if (sops != small_sops)
> free(sops, M_SEM);
> + free(sops, M_SEM);
> return (error);
> }
>
> sops can either point to small_sops, which is located on the stack, or
> it can be allocated dynamically with malloc(). Depending on where
> sops points, it will either get freed twice, or we will pass a
> stack address to free(). It looks like the latter is happening in
> this case.

I was seeing the same thing, until I disabled the execution of the pgsql script in /usr/local/etc/rc.d. Then the system booted fine. I presume postgresql needs to be recompiled.

-- 
Conrad J. Sabatier -- "In Unix veritas"
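Review bot: in the first hunk (@@ -900,7 +901,7 @@), turning `return (EINVAL);` into `error = EINVAL;` lets semop() keep running with a `semid` that has just failed the `semid < 0 || semid >= seminfo.semmni` check, and the later lines `semakptr = &sema[semid];` and `sema_mtxp = &sema_mtx[semid];` then index both arrays with that out-of-range value; if the intent is a single exit path, the assignment needs to be followed by a jump to the `done2:` cleanup label so nothing below the check is reached, otherwise the original `return (EINVAL);` should be kept.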
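Review bot: in the second hunk (@@ -1152,6 +1153,7 @@), the added unconditional `+ free(sops, M_SEM);` sits directly after the existing guarded `if (sops != small_sops) free(sops, M_SEM);`, so every path releases `sops` one time too many: a double free when it was obtained from malloc(), and a free() of the on-stack `small_sops` buffer otherwise, which matches the `free: address ... has not been allocated` panic and the free() frame under semop() in the trace quoted above; the added line should simply be dropped, leaving the guarded free as the only release.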