Date: Tue, 24 Jan 2006 00:27:55 -0800
From: John-Mark Gurney <gurney_j@resnet.uoregon.edu>
To: Kris Kennaway <kris@obsecurity.org>
Cc: current@FreeBSD.org
Subject: Re: memory corruption in recent -current?
Message-ID: <20060124082755.GB69162@funkthat.com>
In-Reply-To: <20060122201233.GA59053@xor.obsecurity.org>
References: <20060122194129.GZ69162@funkthat.com> <20060122201233.GA59053@xor.obsecurity.org>
Kris Kennaway wrote this message on Sun, Jan 22, 2006 at 15:12 -0500:
> On Sun, Jan 22, 2006 at 11:41:29AM -0800, John-Mark Gurney wrote:
> > I've been working on a BT878 audio driver (first crack is available
> > in p4), and with a recent -current (you can sync to my -current as
> > it's the one in my workspace, jmg_carbon), I get memory corruption:
> >
> > Memory modified after free 0xc2fb1050(12) val=1c @ 0xc2fb1050
> > panic: Most recently used by ioctlops
> >
> > or:
> >
> > Memory modified after free 0xc2ba2b90(12) val=1c @ 0xc2ba2b90
> > panic: Most recently used by Unitno
> >
> > I went back to a kernel that is pre-Dec 21st, and I haven't had a single
> > panic yet. I will admit I haven't done a buildworld between these
> > two (the last buildworld matched with the pre-Dec 21st kernel)... I am
> > using kld modules for my testing, so I was building modules against an
> > old world, but I don't know of anything that has changed that would
> > cause problems..
> >
> > Anyone else seeing this?
>
> Use memguard to track down the cause.

Well, looks like memguard is broken?

I just ran it, and got this panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address = 0x800
fault code = supervisor write, page not present
instruction pointer = 0x20:0xc0611c46
stack pointer = 0x28:0xd1d36c28
frame pointer = 0x28:0xd1d36c3c
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 868 (bktrautest)
[thread pid 868 tid 100088 ]
Stopped at memguard_free+0x12: movl $0xd34dc0d3,0x800(%esi)
db> tr
Tracing pid 868 tid 100088 td 0xc3916820
memguard_free(2e,e,80044105,4,d1d36c80) at memguard_free+0x12
free(2e,c06d4360,2e,2e,0) at free+0x27
ioctl(c3916820,d1d36d04,c3916820,0,2) at ioctl+0x272
syscall(3b,3b,3b,2804fa28,bfbfe8c8) at syscall+0x27e
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (54, FreeBSD ELF32, ioctl), eip = 0x28131e53, esp = 0xbfbfe6ec, ebp = 0xbfbfe828 ---

ok, the backtrace:

#11 0xc064a9fa in calltrap () at ../../../i386/i386/exception.s:137
#12 0xc0611c46 in memguard_free (addr=0x0) at ../../../vm/memguard.c:272
#13 0xc04eb2df in free (addr=0x2e, mtp=0xc06d4360) at ../../../kern/kern_malloc.c:356
#14 0xc051c98a in ioctl (td=0xc3916820, uap=0xd1d36d04) at ../../../kern/sys_generic.c:589
#15 0xc065e296 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 671414824, tf_esi = -1077942072, tf_ebp = -1077942232, tf_isp = -774673052, tf_ebx = 6, tf_edx = 6, tf_ecx = 0, tf_eax = 54, tf_trapno = 12, tf_err = 2, tf_eip = 672341587, tf_cs = 51, tf_eflags = 662, tf_esp = -1077942548, tf_ss = 59}) at ../../../i386/i386/trap.c:1008
#16 0xc064aa4f in Xint0x80_syscall () at ../../../i386/i386/exception.s:190

It's weird that free is freeing an address of 0x2e, and it looks like the
copyin faulted w/ EFAULT probably because of the bad address in kernel space,
not userland... though the memory address shouldn't be invalid, as the size
(4) should have been allocated by:

580 memp = malloc((u_long)size, M_IOCTLOPS, M_WAITOK);

and should have waited as necessary...

Comments anyone? I have the dump around if anyone needs more information.

-- 
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
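A userland model of the check behind the "Memory modified after free" panic quoted above, added here as an example that is not part of the thread or of FreeBSD's own allocator code: a freed block is filled with a trash pattern and, when it is reused, the first word that no longer matches is reported in the same form as the kernel message. The pattern value, the 12-byte block and the stale write are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed trash pattern; the real allocator uses its own fill value. */
#define TRASH_WORD 0xdeadc0deu

struct tblock {          /* one tracked allocation */
    uint32_t *base;
    size_t    words;     /* size in 32-bit words */
    int       freed;
};

/* Free: keep the memory but overwrite it with the trash pattern. */
static void trash_free(struct tblock *b)
{
    for (size_t i = 0; i < b->words; i++)
        b->base[i] = TRASH_WORD;
    b->freed = 1;
}

/* Reuse check: returns -1 if the block is intact, otherwise the byte
 * offset of the first modified word, with its value stored in *val
 * (the "val=" that the kernel message prints). */
static long trash_check(const struct tblock *b, uint32_t *val)
{
    for (size_t i = 0; i < b->words; i++)
        if (b->base[i] != TRASH_WORD) {
            *val = b->base[i];
            return (long)(i * sizeof(uint32_t));
        }
    return -1;
}

/* Model of the reported symptom: a 12-byte block is freed, a pointer kept
 * past the free writes 0x1c into it, and the check catches it on reuse. */
static long demo_stale_write(uint32_t *val)
{
    uint32_t mem[3] = {0};                    /* 12 bytes, as in the panic */
    struct tblock b = { mem, 3, 0 };
    uint32_t *stale = b.base;                 /* pointer retained after free */
    trash_free(&b);
    stale[0] = 0x1c;                          /* the write after free */
    long off = trash_check(&b, val);
    if (off >= 0)
        printf("Memory modified after free %p(%zu) val=%x @ %p\n",
               (void *)b.base, b.words * 4, *val, (void *)(b.base + off / 4));
    return off;
}

int main(void) { uint32_t v; return demo_stale_write(&v) == 0 ? 0 : 1; }
```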