From: Steve Kargl
To: Kris Kennaway
Cc: freebsd-current@freebsd.org
Date: Tue, 31 Jan 2006 14:38:16 -0800
Subject: Re: panic: Memory modified after free
Message-ID: <20060131223816.GA587@troutmask.apl.washington.edu>
List-Id: Discussions about the use of FreeBSD-current

On Tue, Jan 31, 2006 at 04:33:32PM -0500, Kris Kennaway wrote:
> On Tue, Jan 31, 2006 at 01:22:09PM -0800, Steve Kargl wrote:
> > The system is a dual proc Tyan K8S Pro with 12 GB of memory.
> > The kernel is UP. This was recorded by hand. I have the crash dump.
> >
> > Memory modified after free 0xffffff02505e0c00(504) val=deadc0dd @
> > 0xffffff02505e0cd0
> >
> > panic: Most recently used by DEVFS1
>
> Set up memguard to watch this malloc type in order to obtain useful
> debugging.
>

memguard has made the situation even worse. The kernel never makes it
to single user mode. I get

MEMGUARD DEBUGGING ALLOCATOR INITIALIZED
MEMGUARD map base: 0xffffffff8f1b2000
map limit: 0xffffffff919b3000
map size: 41947136 (Bytes)
Memory modified after free 0xffffff000005bd00(248) val=5 @ 0xffffff000005bdd0
kernel trap 9 wiith interrupts disabled

Fatal trap 9: general protection fault while in kernel mode
instruction pointer = 0x8:0xffffffff80306487
stack pointer = 0x10:0xffffffff807a1a20
frame pointer = 0x10:0xffffffff807a1a30
code segment = base 0x0, limit 0xfffff, type 0x1b
             = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = resume, IOPL = 0
current process: = 0 ()
[thread pid 0 tid 0]
Stopped at strlen+0x7: cmpb $0,0(%rdi)
db> bt
Tracing pid 0 tid 0 td 0xffffffff8060ac40
strlen() at strlen+0x7
kvprintf() at kvprintf+0x987
vsnprintf() at vsnprintf+0x2e
panic() at panic+0xfa
mtrash_ctor() at mtrash_ctor+0x70
uma_zalloc_arg() at uma_zalloc_arg+0x170
malloc() at malloc+0x11e
init_dynamic_kenv() at init_dynamic_kenv+0x68
mi_startup() at mi_startup+0xb6
btext() at btext+0x2c

--
Steve