From owner-cvs-src@FreeBSD.ORG  Mon Aug  2 05:57:52 2004
Return-Path: <owner-cvs-src@FreeBSD.ORG>
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0D6FE16A4CE; Mon,  2 Aug 2004 05:57:52 +0000 (GMT)
Received: from www.cryptography.com (li-22.members.linode.com [64.5.53.22])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id CCBB243D62; Mon,  2 Aug 2004 05:57:51 +0000 (GMT)
	(envelope-from nate@root.org)
Received: from [10.0.5.50] (adsl-64-171-186-94.dsl.snfc21.pacbell.net
	[64.171.186.94])
	by www.cryptography.com (8.12.8/8.12.8) with ESMTP id i725vnra029846;
	Sun, 1 Aug 2004 22:57:50 -0700
Message-ID: <410DD7DC.4020707@root.org>
Date: Sun, 01 Aug 2004 22:57:48 -0700
From: Nate Lawson <nate@root.org>
User-Agent: Mozilla Thunderbird 0.7 (X11/20040702)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: =?ISO-8859-1?Q?S=F8ren_Schmidt?= <sos@FreeBSD.org>
References: <20040731103039.5D6D716A52B@hub.freebsd.org>
In-Reply-To: <20040731103039.5D6D716A52B@hub.freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
cc: cvs-src@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/dev/ata ata-all.c
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree <cvs-src.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/cvs-src>
List-Post: <mailto:cvs-src@freebsd.org>
List-Help: <mailto:cvs-src-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/cvs-src>,
	<mailto:cvs-src-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2004 05:57:52 -0000

Søren Schmidt wrote:
> sos         2004-07-31 10:29:30 UTC
> 
>   Modified files:
>     sys/dev/ata          ata-all.c 
>   Log:
>   Fix the panic (""memory modified after free") when ata_getparam() fails
>   and retries.
>   
>   Found by:       Nate Lawson
>   
>   Revision  Changes    Path
>   1.216     +1 -0      src/sys/dev/ata/ata-all.c

Thanks.  For the record, this was the root cause of several panics and 
anyone whose system prints "FAILURE - ATAPI_IDENTIFY no interrupt" (or 
retried the identify for other reasons) was subject to the memory 
corruption.

The message "memory modified after free" was not a panic in itself. 
Instead, the caller of malloc() would go on to use the memory expecting 
it to be zeroed, since it came from the MZERO pool, and cause a panic. 
Observed panic victims included GEOM, ACPI, and the routing code (rt_msg2).

-Nate