From owner-freebsd-stable@FreeBSD.ORG Sun Oct 21 20:23:47 2012
Date: Sun, 21 Oct 2012 13:23:46 -0700
From: David Wolfskill
To: Alexander Motin
Cc: stable@freebsd.org
Subject: Re: stable/9 @r241776 panic: REDZONE: Buffer underflow detected...
Message-ID: <20121021202346.GB1609@albert.catwhisker.org>
In-Reply-To: <50843EB6.8030407@FreeBSD.org>
References: <20121020141019.GW1817@albert.catwhisker.org>
 <20121021121356.GJ35915@deviant.kiev.zoral.com.ua>
 <20121021163322.GB1730@albert.catwhisker.org>
 <20121021164634.GC1730@albert.catwhisker.org>
 <20121021174054.GM35915@deviant.kiev.zoral.com.ua>
 <50843EB6.8030407@FreeBSD.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On Sun, Oct 21, 2012 at 09:28:06PM +0300, Alexander Motin wrote:
> ...
> I am curious how to interpret the phrase "42=94966796 bytes allocated" in
> the log. Maybe it is just corrupted output, but the number still seems
> quite big, especially for an i386 system, making me think about some
> integer overflow. David, could you write down that part once more?
>
> Having a few more lines of "Allocation backtrace:" could also be useful.
>
> Could you show your kernel config? I can try to run it on my test
> system, hoping to reproduce the problem.
> ...

I was unable to get the serial console to work, even with the USB<=>serial
dongle.

However, I did find that the ddb "dump" command appears to have operated
appropriately, and so I now have a dump. That, as well as the core.txt
and additional copies of the kernel config ("CANARY") and dmesg.boot, have
been copied and are now accessible from .

For a quick reality check, here's the stuff (cut/pasted from core.txt.4)
that I had hand-written in my initial message:

<118>Starting devd.
REDZONE: Buffer underflow detected. 1 byte corrupted before 0xced40080 (4294966796 bytes allocated).
Allocation backtrace:
#0 0xc0ceaa8f at redzone_setup+0xcf
#1 0xc0a5d5c9 at malloc+0x1d9
#2 0xc0a9ead0 at devctl_queue_data_f+0x40
#3 0xc0aa3fba at devaddq+0x20a
#4 0xc0aa098d at device_probe+0xad
#5 0xc0aa1c9f at bus_generic_attach+0x1f
#6 0xc07bcb1a at vga_pci_attach+0x4a
#7 0xc0aa0de4 at device_attach+0x3b4
#8 0xc0aa1cab at bus_generic_attach+0x2b
#9 0xc0531865 at acpi_pci_attach+0x185
#10 0xc0aa0de4 at device_attach+0x3b4
#11 0xc0aa1cab at bus_generic_attach+0x2b
#12 0xc05339c2 at acpi_pcib_attach+0x262
#13 0xc0534cbf at acpi_pcib_pci_attach+0x9f
#14 0xc0aa0de4 at device_attach+0x3b4
#15 0xc0aa1cab at bus_generic_attach+0x2b
#16 0xc0531865 at acpi_pci_attach+0x185
#17 0xc0aa0de4 at device_attach+0x3b4
Free backtrace:
#0 0xc0cead4a at redzone_check+0x1ca
#1 0xc0a5d618 at free+0x38
#2 0xc0a9e956 at devread+0x1a6
#3 0xc0a28807 at giant_read+0x87
#4 0xc09710c6 at devfs_read_f+0xc6
#5 0xc0aba8d9 at dofileread+0x99
#6 0xc0aba4f8 at sys_read+0x98
#7 0xc0ddf977 at syscall+0x387
#8 0xc0dc87d1 at Xint0x80_syscall+0x21
REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xced3fe8c (4294966796 bytes allocated).
Allocation backtrace:
#0 0xc0ceaa8f at redzone_setup+0xcf
#1 0xc0a5d5c9 at malloc+0x1d9
#2 0xc0a9ead0 at devctl_queue_data_f+0x40
#3 0xc0aa3fba at devaddq+0x20a
#4 0xc0aa098d at device_probe+0xad
#5 0xc0aa1c9f at bus_generic_attach+0x1f
#6 0xc07bcb1a at vga_pci_attach+0x4a
#7 0xc0aa0de4 at device_attach+0x3b4
#8 0xc0aa1cab at bus_generic_attach+0x2b
#9 0xc0531865 at acpi_pci_attach+0x185
#10 0xc0aa0de4 at device_attach+0x3b4
#11 0xc0aa1cab at bus_generic_attach+0x2b
#12 0xc05339c2 at acpi_pcib_attach+0x262
#13 0xc0534cbf at acpi_pcib_pci_attach+0x9f
#14 0xc0aa0de4 at device_attach+0x3b4
#15 0xc0aa1cab at bus_generic_attach+0x2b
#16 0xc0531865 at acpi_pci_attach+0x185
#17 0xc0aa0de4 at device_attach+0x3b4
Free backtrace:
#0 0xc0ceae92 at redzone_check+0x312
#1 0xc0a5d618 at free+0x38
#2 0xc0a9e956 at devread+0x1a6
#3 0xc0a28807 at giant_read+0x87
#4 0xc09710c6 at devfs_read_f+0xc6
#5 0xc0aba8d9 at dofileread+0x99
#6 0xc0aba4f8 at sys_read+0x98
#7 0xc0ddf977 at syscall+0x387
#8 0xc0dc87d1 at Xint0x80_syscall+0x21
panic: free: address 0xced3f080(0xced3f000) has not been allocated.
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper(c0f99230,c09710c6,c0aba8d9,c0734d37,c1131d40,...) at 0xc051d25e = db_trace_self_wrapper+0x2e
kdb_backtrace(c0fd3355,1,c0f94756,f7231ae8,c0aa1cab,...) at 0xc0aa7eda = kdb_backtrace+0x2a
panic(c0f94756,ced3f080,ced3f000,cebe4400,ced40080,...) at 0xc0a73bd4 = panic+0x1a4
free(ced40080,c10c3660,f7231c0c,c0b1e30d,ce7ef000,...) at 0xc0a5d6f9 = free+0x119
devread(ce8c2d00,f7231c0c,0,c0b1e4f0,d279ca48,...) at 0xc0a9e956 = devread+0x1a6
giant_read(ce8c2d00,f7231c0c,0,400,0,...) at 0xc0a28807 = giant_read+0x87
devfs_read_f(d279ca48,f7231c0c,ce84b680,0,d2797000,...) at 0xc09710c6 = devfs_read_f+0xc6
dofileread(d279ca48,f7231c0c,ffffffff,ffffffff,0,...) at 0xc0aba8d9 = dofileread+0x99
sys_read(d2797000,f7231ccc,c0a7c784,d2797000,0,...) at 0xc0aba4f8 = sys_read+0x98
syscall(f7231d08) at 0xc0ddf977 = syscall+0x387
Xint0x80_syscall() at 0xc0dc87d1 = Xint0x80_syscall+0x21
--- syscall (3, FreeBSD ELF32, sys_read), eip = 0x808f14b, esp = 0xbfbfd92c, ebp = 0xbfbfde58 ---
KDB: enter: panic
...
(kgdb) #0 doadump (textdump=Variable "textdump" is not available.) at pcpu.h:249
#1 0xc051b353 in db_dump (dummy=-148694992, dummy2=-148694992, dummy3=-148694992, dummy4=0xf7231830 "") at /usr/src/sys/ddb/db_command.c:538
#2 0xc051ae45 in db_command (cmd_table=Variable "cmd_table" is not available.) at /usr/src/sys/ddb/db_command.c:449
#3 0xc051abd0 in db_command_loop () at /usr/src/sys/ddb/db_command.c:502
#4 0xc051d3be in db_trap (type=Unhandled dwarf expression opcode 0xc0) at /usr/src/sys/ddb/db_main.c:231
#5 0xc0aa8464 in kdb_trap (tf=Unhandled dwarf expression opcode 0xc0) at /usr/src/sys/kern/subr_kdb.c:649
#6 0xc0ddebde in trap (frame=Variable "frame" is not available.) at /usr/src/sys/i386/i386/trap.c:715
#7 0xc0dc876c in calltrap () at /tmp/exception-ceSooo.s:94
#8 0xc0aa7cdd in kdb_enter (why=Variable "why" is not available.) at cpufunc.h:71
#9 0xc0a73bf4 in panic (fmt=Unhandled dwarf expression opcode 0xc0) at /usr/src/sys/kern/kern_shutdown.c:627
#10 0xc0a5d6f9 in free (addr=Unhandled dwarf expression opcode 0xc0) at /usr/src/sys/kern/kern_malloc.c:545
#11 0xc0a9e956 in devread (dev=0xf7231b14, uio=Variable "uio" is not available.) at /usr/src/sys/kern/subr_bus.c:473
#12 0xc0a28807 in giant_read (dev=Variable "dev" is not available.) at /usr/src/sys/kern/kern_conf.c:443
#13 0xc09710c6 in devfs_read_f (fp=Variable "fp" is not available.) at /usr/src/sys/fs/devfs/devfs_vnops.c:1177
#14 0xc0aba8d9 in dofileread (td=Variable "td" is not available.) at file.h:286
#15 0xc0aba4f8 in sys_read (td=Variable "td" is not available.) at /usr/src/sys/kern/sys_generic.c:250
#16 0xc0ddf977 in syscall (frame=Variable "frame" is not available.) at subr_syscall.c:135
#17 0xc0dc87d1 in Xint0x80_syscall () at /tmp/exception-ceSooo.s:134
#18 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language: auto; currently minimal
(kgdb) 

Anyway: all that (and more!) is available from ; I cite the above mostly
as evidence that I might not have been hallucinating. :-}

Peace,
david
-- 
David H. Wolfskill                              david@catwhisker.org
Taliban: Evil men with guns afraid of truth from a 14-year old girl.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.
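The two REDZONE reports above come from the redzone_setup()/redzone_check() pair visible in the allocation and free backtraces: guard bytes are laid down around each malloc'd buffer and inspected when the buffer is freed, so the damage is reported in the free path even though it happened earlier. The following is an added example, not code from this message or from FreeBSD's own redzone implementation: a toy guarded allocator in C that reproduces both report shapes (one byte corrupted before the buffer, sixteen bytes corrupted after it) and shows why the size in the log supports the integer-overflow suspicion raised in the quoted reply: 4294966796 is exactly 2^32 - 500, which is what a length of -500 becomes once stored in a 32-bit unsigned size such as u_long on i386. The names (rz_malloc, rz_check, rz_free, rz_demo, wrap32), the 16-byte guard widths and the fill pattern are this example's own choices.

```c
/* Added example: toy REDZONE-style guarded allocator. Not FreeBSD code;
 * guard widths, fill pattern and all names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RZ_BEFORE 16    /* guard bytes placed before the caller's buffer */
#define RZ_AFTER  16    /* guard bytes placed after it */
#define RZ_FILL   0x42  /* constructed fill pattern the guards must keep */

struct rz_hdr {
    size_t  size;              /* requested size, needed to find the high guard */
    uint8_t guard[RZ_BEFORE];  /* low guard: a write here is an underflow */
};

struct rz_report {
    size_t before;  /* guard bytes below the buffer that lost RZ_FILL */
    size_t after;   /* guard bytes above the buffer that lost RZ_FILL */
};

/* What a negative length becomes in a 32-bit unsigned size (u_long on i386):
 * wrap32(-500) == 4294966796, the number printed in the log above. */
uint32_t wrap32(long n)
{
    return (uint32_t)n;
}

/* Allocate `size` usable bytes with a guard region on each side. */
void *rz_malloc(size_t size)
{
    if (size > SIZE_MAX - sizeof(struct rz_hdr) - RZ_AFTER)
        return NULL;                        /* refuse sizes that would wrap */
    struct rz_hdr *h = malloc(sizeof(struct rz_hdr) + size + RZ_AFTER);
    if (h == NULL)
        return NULL;
    uint8_t *user = (uint8_t *)(h + 1);     /* buffer starts right after the header */
    h->size = size;
    memset(h->guard, RZ_FILL, RZ_BEFORE);
    memset(user + size, RZ_FILL, RZ_AFTER);
    return user;
}

/* Inspect both guards and count the bytes that no longer hold the pattern. */
struct rz_report rz_check(const void *p)
{
    struct rz_report r = { 0, 0 };
    const struct rz_hdr *h = (const struct rz_hdr *)p - 1;
    const uint8_t *user = p;
    for (size_t i = 0; i < RZ_BEFORE; i++)
        if (h->guard[i] != RZ_FILL)
            r.before++;
    for (size_t i = 0; i < RZ_AFTER; i++)
        if (user[h->size + i] != RZ_FILL)
            r.after++;
    return r;
}

/* Free the buffer, reporting guard damage in the style of the kernel log. */
struct rz_report rz_free(void *p)
{
    struct rz_report r = rz_check(p);
    if (r.before)
        printf("REDZONE: Buffer underflow detected. %zu byte(s) corrupted before %p\n",
               r.before, p);
    if (r.after)
        printf("REDZONE: Buffer overflow detected. %zu byte(s) corrupted after %p\n",
               r.after, p);
    free((struct rz_hdr *)p - 1);
    return r;
}

/* Constructed scenario: allocate `size` bytes, write `under` bytes just below
 * the buffer and `over` bytes just past its end (as a buggy caller might),
 * and return what the free-time check reports. Damage is capped at the guard
 * width so the header and the heap's own metadata stay intact. */
struct rz_report rz_demo(size_t size, size_t under, size_t over)
{
    struct rz_report none = { 0, 0 };
    if (under > RZ_BEFORE) under = RZ_BEFORE;
    if (over > RZ_AFTER)   over = RZ_AFTER;
    uint8_t *p = rz_malloc(size);
    if (p == NULL)
        return none;
    memset(p - under, 0, under);   /* underflow: 0 != RZ_FILL, so it is caught */
    memset(p + size, 0, over);     /* overflow past the end of the buffer */
    return rz_free(p);
}

int main(void)
{
    printf("4294966796 == (uint32_t)-500: %s\n",
           wrap32(-500) == 4294966796u ? "yes" : "no");
    rz_demo(64, 1, 0);    /* mirrors "1 byte corrupted before" */
    rz_demo(64, 0, 16);   /* mirrors "16 bytes corrupted after" */
    return 0;
}
```

Two things carry over to reading the real log. First, a guard check only fires at free(), so the "Free backtrace" names where the damage was noticed, not where it was done; the "Allocation backtrace" (here devctl_queue_data_f() via devaddq() during device probing) is the place to look for the caller that wrote outside its buffer. Second, a reported size within a few hundred of 2^32 on a 32-bit kernel is more likely a wrapped negative length than a real allocation, which is exactly the integer-overflow reading suggested in the quoted reply.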