From: Nate Lawson
Date: Wed, 24 Nov 2004 08:49:06 -0800
To: Gavin Atkinson
cc: freebsd-acpi@freebsd.org
cc: freebsd-current@freebsd.org
Subject: Re: Memory modified after free: Most recently used by acpitask

Gavin Atkinson wrote:
> Hi,
>
> Just got a panic on a 6-CURRENT (Thu Nov 18 16:36:35 GMT 2004) machine,
> while copying a large amount of data around.
>
> Seems to be an ACPI related reuse-after-free. As far as I can tell, 20
> bytes into the acpi_task structure is (int)ta_flags within the embedded
> struct task, but I can't see use of this field in the ACPI code so ACPI
> may be a red herring.
>
> Sadly, I don't have a core dump as the machine double faulted during the
> attempt.
>
> Gavin
>
>
> # cp -Rp /usr/* /var/usr
> [about 10 minutes later]
> Memory modified after free 0xc44a8420(28) val=0 @ 0xc44a8434
> panic: Most recently used by acpitask

Unfortunately, the panic message doesn't tell you who modified it since
someone with a stray pointer (say, who allocated/freed it before acpi)
could overwrite it and it was only detected on the next malloc.

The way I've found these is to boot -d (into ddb) and type "watch
0xc44a8420". Then hit "c" to continue the boot. Dump a "tr" any time
the watchpoint triggers and look for suspicious callers.

-Nate
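
The deferred detection described in the reply above, as an added example that is not part of the original message and is not FreeBSD's allocator code: a simplified user-space model of poison-on-free checking. The names `toy_free`, `toy_check`, `replay` and the owner `earlier_owner` are hypothetical; the 28-byte item size and the 20-byte offset are taken from the quoted panic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JUNK 0xdeadc0deu  /* poison word written on free (assumed pattern for this model) */
#define ITEM_WORDS 7      /* 28-byte item, the size reported in the quoted panic */

/* One-slot toy pool: a single item plus the name of whoever freed it last. */
static uint32_t slot[ITEM_WORDS];
static const char *last_owner = "none";

/* Free: record the releasing owner and fill the item with the poison word. */
void toy_free(const char *owner) {
    last_owner = owner;
    for (int i = 0; i < ITEM_WORDS; i++)
        slot[i] = JUNK;
}

/* Allocation-time check: byte offset of the first non-poison word, or -1. */
int toy_check(uint32_t *val) {
    for (int i = 0; i < ITEM_WORDS; i++)
        if (slot[i] != JUNK) {
            *val = slot[i];
            return i * (int)sizeof(uint32_t);
        }
    return -1;
}

/* Replay the scenario; returns the offset reported at the next allocation. */
int replay(char *report, size_t len) {
    toy_free("earlier_owner");   /* hypothetical first user frees the item...   */
    uint32_t *stale = slot;      /* ...but keeps a stray pointer to it          */
    toy_free("acpitask");        /* item is later reused and freed by acpitask  */
    stale[5] = 0;                /* stray write: 20 bytes in, value 0           */
    uint32_t val = 0;
    int off = toy_check(&val);   /* noticed only now, at the next allocation    */
    if (off >= 0)
        snprintf(report, len, "modified after free (%zu) val=%x @ +%d; "
                 "most recently used by %s", sizeof(slot), val, off, last_owner);
    return off;
}

int main(void) {
    char report[128] = "";
    replay(report, sizeof(report));
    puts(report);
    return 0;
}
```

The report names only the last owner recorded at free time, never the code that performed the write, which is why a watchpoint on the address is needed to see the writer's stack.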