From owner-freebsd-current@FreeBSD.ORG Wed Nov 24 18:28:13 2004
Message-ID: <41A4D2BB.7090400@root.org>
Date: Wed, 24 Nov 2004 10:28:11 -0800
From: Nate Lawson
To: Gavin Atkinson
cc: freebsd-acpi@freebsd.org
cc: freebsd-current@freebsd.org
References: <1101312453.56574.122.camel@buffy.york.ac.uk> <41A4BB82.2010406@root.org> <1101319662.56574.141.camel@buffy.york.ac.uk>
In-Reply-To: <1101319662.56574.141.camel@buffy.york.ac.uk>
Subject: Re: Memory modified after free: Most recently used by acpitask
List-Id: Discussions about the use of FreeBSD-current

Gavin Atkinson wrote:
> On Wed, 2004-11-24 at 16:49, Nate Lawson wrote:
>
>> Gavin Atkinson wrote:
>>> # cp -Rp /usr/* /var/usr
>>> [about 10 minutes later]
>>> Memory modified after free 0xc44a8420(28) val=0 @ 0xc44a8434
>>> panic: Most recently used by acpitask
>>
>> Unfortunately, the panic message doesn't tell you who modified it since
>> someone with a stray pointer (say, who allocated/freed it before acpi)
>> could overwrite it and it was only detected on the next malloc. The way
>> I've found these is to boot -d (into ddb) and type "watch 0xc44a8420".
>> Then hit "c" to continue the boot. Dump a "tr" any time the watchpoint
>> triggers and look for suspicious callers.
>
> Sadly, I suspect it's not going to be that easy. I've just had another
> panic, same trigger and symptoms but different memory address.
>
> Memory modified after free 0xc50441c0(28) val=0 @ 0xc50441d4
> panic: Most recently used by acpitask
>
> cpuid = 0
> KDB: enter: panic
> [thread 100111]
> Stopped at kdb_enter+0x2c: leave
>
> I'll try taking the box to top-of-tree current in case it has already
> been fixed - however that will probably have to wait until tomorrow now
> as this machine cannot reboot without physical help. Surely it seems
> like quite a coincidence that both times it was 20 bytes into memory
> once owned by acpitask, though?

The only coincidence is it's likely the same component causing this
problem. acpi is probably only a victim. FYI, in August I fixed an
overflow in ATA that had the same symptoms of overwriting an ACPI struct
(although that doesn't mean this is caused by ATA).

-Nate
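The check behind the panic lines quoted in this thread, as an added illustration that is neither code from the thread nor from the FreeBSD kernel: a small hypothetical allocator (assumed names block, block_free, block_check, trash_report) modelled on UMA's trash check fills freed memory with a junk pattern and, when the block is handed out again, reports the first word that no longer matches together with the tag of the block's last owner, which is why the message names the victim rather than the writer.

```c
#include <stdint.h>
#include <stdio.h>
#define JUNK 0xdeadc0deU  /* trash word written over freed memory (UMA's uma_junk) */

/* Outcome of re-checking a freed block, mirroring the two kernel messages. */
struct trash_report {
    int modified;       /* nonzero when some word no longer holds JUNK */
    size_t offset;      /* byte offset of the first modified word */
    uint32_t val;       /* value found there instead of JUNK */
    const char *owner;  /* tag of the most recent owner ("acpitask" above) */
};
/* A block of this hypothetical allocator: payload words plus an owner tag,
 * like the malloc_type pointer UMA keeps at the end of each block. */
struct block { size_t nwords; uint32_t *mem; const char *owner; };

/* Free: overwrite every word with JUNK so any later write becomes visible. */
void block_free(struct block *b)
{
    for (size_t i = 0; i < b->nwords; i++)
        b->mem[i] = JUNK;
}
/* Reallocate: verify the trash pattern survived, the check mtrash_ctor does. */
struct trash_report block_check(const struct block *b)
{
    struct trash_report r = { 0, 0, JUNK, b->owner };
    for (size_t i = 0; i < b->nwords; i++) {
        if (b->mem[i] != JUNK) {
            r.modified = 1;
            r.offset = i * sizeof(uint32_t);
            r.val = b->mem[i];
            break;
        }
    }
    return r;
}

int main(void)
{
    uint32_t buf[7];                        /* 28-byte block, as in the panic */
    struct block b = { 7, buf, "acpitask" };
    block_free(&b);
    buf[5] = 0;               /* constructed stray write, 20 bytes into the block */
    struct trash_report r = block_check(&b);
    if (r.modified)
        printf("Memory modified after free %p(%zu) val=%x @ %p\n"
               "panic: Most recently used by %s\n", (void *)buf, b.nwords * 4,
               r.val, (void *)((char *)buf + r.offset), r.owner);
    return 0;
}
```

The report only says who last owned the block; finding the writer still needs a watchpoint on the address, as described in the thread.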