From: Gavin Atkinson <gavin.atkinson@ury.york.ac.uk>
To: Nate Lawson
cc: freebsd-acpi@freebsd.org
cc: freebsd-current@freebsd.org
Subject: Re: Memory modified after free: Most recently used by acpitask
Date: Wed, 24 Nov 2004 18:07:43 +0000
Message-Id: <1101319662.56574.141.camel@buffy.york.ac.uk>
In-Reply-To: <41A4BB82.2010406@root.org>
References: <1101312453.56574.122.camel@buffy.york.ac.uk> <41A4BB82.2010406@root.org>

On Wed, 2004-11-24 at 16:49, Nate Lawson wrote:
> Gavin Atkinson wrote:
> > Hi,
> >
> > Just got a panic on a 6-CURRENT (Thu Nov 18 16:36:35 GMT 2004) machine,
> > while copying a large amount of data around.
> >
> > Seems to be an ACPI-related reuse-after-free. As far as I can tell, 20
> > bytes into the acpi_task structure is (int)ta_flags within the embedded
> > struct task, but I can't see use of this field in the ACPI code so ACPI
> > may be a red herring.
> >
> >
> > # cp -Rp /usr/* /var/usr
> > [about 10 minutes later]
> > Memory modified after free 0xc44a8420(28) val=0 @ 0xc44a8434
> > panic: Most recently used by acpitask
>
> Unfortunately, the panic message doesn't tell you who modified it since
> someone with a stray pointer (say, who allocated/freed it before acpi)
> could overwrite it and it was only detected on the next malloc. The way
> I've found these is to boot -d (into ddb) and type "watch 0xc44a8420".
> Then hit "c" to continue the boot. Dump a "tr" any time the watchpoint
> triggers and look for suspicious callers.

Sadly, I suspect it's not going to be that easy. I've just had another
panic, same trigger and symptoms but different memory address.

Memory modified after free 0xc50441c0(28) val=0 @ 0xc50441d4
panic: Most recently used by acpitask
cpuid = 0
KDB: enter: panic
[thread 100111]
Stopped at kdb_enter+0x2c: leave

I'll try taking the box to top-of-tree current in case it has already
been fixed - however that will probably have to wait until tomorrow now
as this machine cannot reboot without physical help.

Surely it seems like quite a coincidence that both times it was 20 bytes
into memory once owned by acpitask, though?

Gavin