From: Don Lewis <truckman@FreeBSD.org>
Date: Fri, 12 Nov 2004 16:33:22 -0800 (PST)
To: conrads@cox.net, rwatson@FreeBSD.org
Cc: freebsd-current@FreeBSD.org
Subject: Re: kernel panic in free() called from semop()
In-Reply-To: <20041112173017.6ce5e360@dolphin.local.net>
Message-Id: <200411130033.iAD0XM2u067862@gw.catspoiler.org>

On 12 Nov, Conrad J. Sabatier wrote:
> On Fri, 12 Nov 2004 15:11:57 -0800 (PST), Don Lewis wrote:
>
>> I cvsup'ed around 18:12 UTC today and got the following kernel panic
>> with the new kernel right after moused started.
>>
>> Starting default moused:.
>> panic: free: address 0xe902ecb0(0xe902e000) has not been allocated.
>>
>> cpuid = 0
>> KDB: enter: panic
>> [thread 100082]
>> Stopped at      kdb_enter+0x2c: leave
>> db> tr
>> kdb_enter(c082a57e,100,c26c8300,e902ecb0,c26c8300) at kdb_enter+0x2c
>> panic(c0828c9f,e902ecb0,e902e000,e902ecb6,c26c8300) at panic+0x17f
>> free(e902ecb0,c088f900,c082dd62,685,e902ecb6) at free+0xd4
>> semop(c26c8300,e902ed18,5,4,283) at semop+0x150
>> syscall(2f,2f,2f,805c010,bfbfed56) at syscall+0x128
>> Xint0x80_syscall() at Xint0x80_syscall+0x1f
>> --- syscall (169, FreeBSD ELF32, semsys), eip = 0x480dd5f8, esp =
>> 0xbfbfeb04, ebp = 0xbfbfeb40 ---
>>
>>
>> I suspect that the culprit is the sysv_sema.c:1.71.
>>
>> This particular part of the change looks like a mistake:
>>
>> @@ -900,7 +901,7 @@ semop(td, uap)
>>  	semid = IPCID_TO_IX(semid);	/* Convert back to zero origin */
>>  
>>  	if (semid < 0 || semid >= seminfo.semmni)
>> -		return (EINVAL);
>> +		error = EINVAL;
>>  
>>  	/* Allocate memory for sem_ops */
>>  	if (nsops <= SMALL_SOPS)
>>
>> Falling through instead of returning looks dangerous because a little
>> further down there is the following code:
>>
>> 	semakptr = &sema[semid];
>> 	sema_mtxp = &sema_mtx[semid];
>>
>> Oh, this looks bad, too:
>>
>> @@ -1152,6 +1153,7 @@ done2:
>>  	mtx_unlock(sema_mtxp);
>>  	if (sops != small_sops)
>>  		free(sops, M_SEM);
>> +	free(sops, M_SEM);
>>  	return (error);
>>  }
>>  
>>
>> sops can either point to small_sops, which is located on the stack, or
>> it can be allocated dynamically with malloc(). Depending on where
>> sops points, it will either get freed twice, or we will pass a
>> stack address to free(). It looks like the latter is happening in
>> this case.
>
> I was seeing the same thing, until I disabled the execution of the pgsql
> script in /usr/local/etc/rc.d. Then the system booted fine.
>
> I presume postgresql needs to be recompiled.

It shouldn't cause a kernel panic!  I'm up and running with the following patch.

Index: sys/kern/sysv_sem.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/sysv_sem.c,v
retrieving revision 1.71
diff -u -r1.71 sysv_sem.c
--- sys/kern/sysv_sem.c	12 Nov 2004 13:23:47 -0000	1.71
+++ sys/kern/sysv_sem.c	13 Nov 2004 00:27:36 -0000
@@ -901,7 +901,7 @@
 	semid = IPCID_TO_IX(semid);	/* Convert back to zero origin */
 
 	if (semid < 0 || semid >= seminfo.semmni)
-		error = EINVAL;
+		return (EINVAL);
 
 	/* Allocate memory for sem_ops */
 	if (nsops <= SMALL_SOPS)
@@ -1153,7 +1153,6 @@
 	mtx_unlock(sema_mtxp);
 	if (sops != small_sops)
 		free(sops, M_SEM);
-	free(sops, M_SEM);
 	return (error);
 }
 
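Review bot: in the `@@ -901,7 +901,7 @@` hunk, restoring `return (EINVAL)` is correct because the range check sits before `/* Allocate memory for sem_ops */`, so nothing has been allocated or locked yet and there is nothing to unwind; the rev 1.71 form `error = EINVAL` only works if it is followed by a jump past the later `semakptr = &sema[semid]` / `sema_mtxp = &sema_mtx[semid]` lines, and the quoted hunk adds no such jump, so the out-of-range index is reached.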
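Review bot: in the `@@ -1153,7 +1153,6 @@` hunk, removing the unconditional `free(sops, M_SEM)` leaves `if (sops != small_sops) free(sops, M_SEM);` as the only release, which matches the two ownership cases visible in the code: sops is either the on-stack `small_sops` array (never freed) or a malloc()ed block (freed exactly once). The quoted panic `free: address 0xe902ecb0(0xe902e000) has not been allocated` is what the removed line produces on the `small_sops` path. A one-line comment next to the conditional free saying that `small_sops` lives on the stack would make the invariant harder to break again.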
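As an added illustration of the ownership rule Don describes, here is a user-space model written for this page (it is not code from FreeBSD's sysv_sem.c or from anyone in the thread). A counting stand-in for free() records a free of a pointer it never handed out, or a second free of the same block, instead of panicking, so the two faulty paths of rev 1.71 and the patched shape can be compared side by side. SMALL_SOPS, SEMMNI, SEMOPM, struct outcome, run(), semop_rev171(), semop_patched() and the six-entry op array are all constructed for the demo; the two semop functions keep only the control flow of the quoted hunks.

```c
/* Added example: a model of the sops ownership rule in semop(), not the
 * FreeBSD code.  All names and limits below are assumptions for the demo. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMALL_SOPS 4    /* assumed: op arrays up to this size live on the stack */
#define SEMMNI     10   /* assumed: number of semaphore sets (seminfo.semmni) */
#define SEMOPM     6    /* assumed: max ops per call (seminfo.semopm) */
#define MAX_LIVE   16

struct sembuf { unsigned short sem_num; short sem_op; short sem_flg; };

/* Registry standing in for malloc(9)/free(9).  Blocks are only really
 * released in demo_reset(), so pointer comparisons stay valid. */
static void *blocks[MAX_LIVE];
static int freed[MAX_LIVE];
static int foreign_frees, double_frees, out_of_range_uses;

static void demo_reset(void)
{
	for (int i = 0; i < MAX_LIVE; i++) {
		free(blocks[i]);
		blocks[i] = NULL;
		freed[i] = 0;
	}
	foreign_frees = double_frees = out_of_range_uses = 0;
}

static void *demo_malloc(size_t n)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (blocks[i] == NULL)
			return (blocks[i] = malloc(n));
	return NULL;
}

/* A pointer the registry never issued (stack memory) is the panic from the
 * thread; a block freed twice is the other faulty path.  Both are counted. */
static void demo_free(void *p)
{
	for (int i = 0; i < MAX_LIVE; i++) {
		if (p == NULL || blocks[i] != p)
			continue;
		if (freed[i])
			double_frees++;
		else
			freed[i] = 1;
		return;
	}
	foreign_frees++;
}

/* Stand-in for `semakptr = &sema[semid]': a real index with a bad semid is
 * the memory-safety bug, so the model only records that it was reached. */
static void use_semid(int semid)
{
	if (semid < 0 || semid >= SEMMNI)
		out_of_range_uses++;
}

/* Control flow of the quoted rev 1.71 hunks: fall-through on a bad semid
 * and an unconditional second free. */
static int semop_rev171(int semid, const struct sembuf *ops, size_t nsops)
{
	struct sembuf small_sops[SMALL_SOPS], *sops;
	int error = 0;

	if (nsops > SEMOPM)
		return (E2BIG);
	if (semid < 0 || semid >= SEMMNI)
		error = EINVAL;			/* falls through instead of returning */
	if (nsops <= SMALL_SOPS)
		sops = small_sops;
	else if ((sops = demo_malloc(nsops * sizeof(*sops))) == NULL)
		return (ENOMEM);
	memcpy(sops, ops, nsops * sizeof(*sops));
	use_semid(semid);
	if (sops != small_sops)
		demo_free(sops);
	demo_free(sops);			/* frees the stack array or double-frees */
	return (error);
}

/* Same function with the patch applied: return before anything is
 * allocated, and free only what this function took from the heap. */
static int semop_patched(int semid, const struct sembuf *ops, size_t nsops)
{
	struct sembuf small_sops[SMALL_SOPS], *sops;
	int error = 0;

	if (nsops > SEMOPM)
		return (E2BIG);
	if (semid < 0 || semid >= SEMMNI)
		return (EINVAL);		/* nothing to unwind yet */
	if (nsops <= SMALL_SOPS)
		sops = small_sops;
	else if ((sops = demo_malloc(nsops * sizeof(*sops))) == NULL)
		return (ENOMEM);
	memcpy(sops, ops, nsops * sizeof(*sops));
	use_semid(semid);
	if (sops != small_sops)			/* small_sops lives on the stack */
		demo_free(sops);
	return (error);
}

struct outcome { int error, foreign_frees, double_frees, out_of_range_uses; };

/* Constructed sample ops; six entries so nsops can exceed SMALL_SOPS. */
static const struct sembuf demo_ops[SEMOPM] = {
	{0, 1, 0}, {1, -1, 0}, {2, 0, 0}, {0, 1, 0}, {1, 1, 0}, {2, -1, 0}
};

/* Run one call against a clean registry and collect what the model saw. */
static struct outcome run(int patched, int semid, size_t nsops)
{
	struct outcome o;

	demo_reset();
	o.error = patched ? semop_patched(semid, demo_ops, nsops)
			  : semop_rev171(semid, demo_ops, nsops);
	o.foreign_frees = foreign_frees;
	o.double_frees = double_frees;
	o.out_of_range_uses = out_of_range_uses;
	return o;
}

int main(void)
{
	struct outcome o = run(0, 1, 2);
	printf("rev 1.71, 2 ops:   foreign frees=%d\n", o.foreign_frees);
	o = run(0, 1, 6);
	printf("rev 1.71, 6 ops:   double frees=%d\n", o.double_frees);
	o = run(0, SEMMNI, 2);
	printf("rev 1.71, bad id:  out-of-range uses=%d\n", o.out_of_range_uses);
	o = run(1, 1, 6);
	printf("patched, 6 ops:    foreign=%d double=%d\n", o.foreign_frees, o.double_frees);
	return 0;
}
```

With two ops the rev 1.71 shape hands the stack array to free(), with six it frees the heap block twice, and with an out-of-range semid it still reaches the sema[] index; the patched shape does none of the three. The same counting wrapper works as a quick regression check for any function that mixes a small on-stack buffer with a malloc() fallback.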