From: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To: freebsd-acpi@freebsd.org, freebsd-current@freebsd.org
Date: Wed, 24 Nov 2004 16:07:34 +0000
Message-Id: <1101312453.56574.122.camel@buffy.york.ac.uk>
Subject: Memory modified after free: Most recently used by acpitask

Hi,

Just got a panic on a 6-CURRENT (Thu Nov 18 16:36:35 GMT 2004) machine,
while copying a large amount of data around.
Seems to be an ACPI related use-after-free. As far as I can tell, 20 bytes
into the acpi_task structure is (int)ta_flags within the embedded struct
task, but I can't see use of this field in the ACPI code, so ACPI may be a
red herring. Sadly, I don't have a core dump as the machine double faulted
during the attempt.

Gavin

# cp -Rp /usr/* /var/usr
[about 10 minutes later]

Memory modified after free 0xc44a8420(28) val=0 @ 0xc44a8434
panic: Most recently used by acpitask
cpuid = 1
KDB: enter: panic
[thread 100103]
Stopped at      kdb_enter+0x2c: leave
db> tr
kdb_enter(c081145f,100,c3929480,1c,c44a843c) at kdb_enter+0x2c
panic(c082b121,c0a312d0,c082b0f2,c44a8420,1c) at panic+0x17f
mtrash_ctor(c44a8420,20,0,502) at mtrash_ctor+0x5f
uma_zalloc_arg(c1052420,0,502) at uma_zalloc_arg+0x3d8
malloc(20,c08a80c0,502,0,0) at malloc+0x6b
softdep_setup_directory_add(d7583cb0,c5379348,28,0,f769f) at softdep_setup_directory_add+0x61
ufs_direnter(c5e9dac8,c58aa78c,ecc95924,ecc95c0c,0,c53e4834,ecc95c0c,ecc95924) at ufs_direnter+0x6ff
ufs_makeinode(ecc95bf8,ecc95c0c,ecc95a6c,ecc95b2c,c0668f16) at ufs_makeinode+0x267
ufs_create(ecc95a70) at ufs_create+0x25
vn_open_cred(ecc95be4,ecc95ce4,16d,c3480780,4) at vn_open_cred+0x49a
vn_open(ecc95be4,ecc95ce4,16d,4,c08d2040,8,c081a444,3bc) at vn_open+0x1e
kern_open(c3929480,804b868,0,602,816d) at kern_open+0xd6
open(c3929480,ecc95d14,3,1015d,286) at open+0x18
syscall(804002f,2f,bfbf002f,804b89d,1) at syscall+0x128
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (5, FreeBSD ELF32, open), eip = 0x280c1bdf, esp = 0xbfbfeb3c, ebp = 0xbfbfeb88 ---

Gavin
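The "Memory modified after free" line in the report comes from the allocator's trash check: freed items are filled with a poison pattern and re-verified when the slot is handed out again (the mtrash_ctor frame above). The following is an added user-space model of that check, not FreeBSD's UMA code; the poison word, function names and the 32-byte item with a stale write 20 bytes in are assumptions constructed to mirror the offsets in the report.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRASH_WORD 0xdeadc0deU   /* assumed poison value written into freed memory */

/* On free: overwrite the item with the poison pattern so that any later
 * write through a dangling pointer leaves a visible trace. */
void trash_free(void *p, size_t size)
{
    uint32_t *w = p;
    for (size_t i = 0; i < size / sizeof(uint32_t); i++)
        w[i] = TRASH_WORD;
}

/* On the next allocation of the same slot: verify the poison survived.
 * Returns 1 and reports the first corrupted offset and the value found
 * there if the item was written after free, otherwise 0. */
int trash_check(const void *p, size_t size, size_t *offset, uint32_t *val)
{
    const uint32_t *w = p;
    for (size_t i = 0; i < size / sizeof(uint32_t); i++) {
        if (w[i] != TRASH_WORD) {
            *offset = i * sizeof(uint32_t);
            *val = w[i];
            return 1;
        }
    }
    return 0;
}

/* Control case: a freed item nobody touched must pass the check (returns 0). */
int untouched_item_flagged(void)
{
    uint32_t item[8]; size_t off; uint32_t val;
    trash_free(item, sizeof item);
    return trash_check(item, sizeof item, &off, &val);
}

/* Constructed reproduction of the symptom in the report: a 32-byte item is
 * freed, then a stale pointer clears the word 20 bytes in. Returns the
 * detected offset, or -1 if the write went unnoticed. */
long stale_write_detected_at(void)
{
    uint32_t item[8];                    /* 32-byte item, like the 0x20 zone above */
    uint32_t *stale = item;              /* pointer kept past the free */
    size_t off; uint32_t val;
    trash_free(item, sizeof item);
    *(uint32_t *)((char *)stale + 20) = 0;   /* the use-after-free write */
    if (!trash_check(item, sizeof item, &off, &val))
        return -1;
    printf("Memory modified after free %p(%zu) val=%x @ %p\n",
           (void *)item, sizeof item, val, (void *)((char *)item + off));
    return (long)off;
}
```

Note that the check only fires when the slot is next allocated, so the frame that panics (here the softdep malloc) is the victim, not the culprit; the "Most recently used by" tag names the last owner, which is the first place to look.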