stable/9 @r241776 panic: REDZONE: Buffer underflow detected...
David Wolfskill
david at catwhisker.org
Sun Oct 21 20:23:47 UTC 2012
On Sun, Oct 21, 2012 at 09:28:06PM +0300, Alexander Motin wrote:
> ...
> I am curious, how to interpret phrase "42=94966796 bytes allocated" in
> log. May be it is just corrupted output, but the number still seems
> quite big, especially for i386 system, making me think about some
> integer overflow. David, could you write down that part once more?
>
> Having few more lines of "Allocation backtrace:" could also be useful.
>
> Could you show your kernel config? I can try to run it on my tests
> system, hoping to reproduce the problem.
> ...

I was unable to get serial console to work, even with the USB<=>serial
dongle.

However, I did find that the ddb "dump" command appears to have operated
appropriately, and so I now have a dump. That, as well as the core.txt
and additional copies of the kernel config ("CANARY") and dmesg.boot have
been copied, and are now accessible from
<http://www.catwhisker.org/~david/FreeBSD/stable_9/>.

For a quick reality check, here's the stuff (cut/pasted from core.txt.4)
that I had hand-written in my initial message:

<118>Starting devd.
REDZONE: Buffer underflow detected. 1 byte corrupted before 0xced40080 (4294966796 bytes allocated).
Allocation backtrace:
#0 0xc0ceaa8f at redzone_setup+0xcf
#1 0xc0a5d5c9 at malloc+0x1d9
#2 0xc0a9ead0 at devctl_queue_data_f+0x40
#3 0xc0aa3fba at devaddq+0x20a
#4 0xc0aa098d at device_probe+0xad
#5 0xc0aa1c9f at bus_generic_attach+0x1f
#6 0xc07bcb1a at vga_pci_attach+0x4a
#7 0xc0aa0de4 at device_attach+0x3b4
#8 0xc0aa1cab at bus_generic_attach+0x2b
#9 0xc0531865 at acpi_pci_attach+0x185
#10 0xc0aa0de4 at device_attach+0x3b4
#11 0xc0aa1cab at bus_generic_attach+0x2b
#12 0xc05339c2 at acpi_pcib_attach+0x262
#13 0xc0534cbf at acpi_pcib_pci_attach+0x9f
#14 0xc0aa0de4 at device_attach+0x3b4
#15 0xc0aa1cab at bus_generic_attach+0x2b
#16 0xc0531865 at acpi_pci_attach+0x185
#17 0xc0aa0de4 at device_attach+0x3b4
Free backtrace:
#0 0xc0cead4a at redzone_check+0x1ca
#1 0xc0a5d618 at free+0x38
#2 0xc0a9e956 at devread+0x1a6
#3 0xc0a28807 at giant_read+0x87
#4 0xc09710c6 at devfs_read_f+0xc6
#5 0xc0aba8d9 at dofileread+0x99
#6 0xc0aba4f8 at sys_read+0x98
#7 0xc0ddf977 at syscall+0x387
#8 0xc0dc87d1 at Xint0x80_syscall+0x21
REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xced3fe8c (4294966796 bytes allocated).
Allocation backtrace:
#0 0xc0ceaa8f at redzone_setup+0xcf
#1 0xc0a5d5c9 at malloc+0x1d9
#2 0xc0a9ead0 at devctl_queue_data_f+0x40
#3 0xc0aa3fba at devaddq+0x20a
#4 0xc0aa098d at device_probe+0xad
#5 0xc0aa1c9f at bus_generic_attach+0x1f
#6 0xc07bcb1a at vga_pci_attach+0x4a
#7 0xc0aa0de4 at device_attach+0x3b4
#8 0xc0aa1cab at bus_generic_attach+0x2b
#9 0xc0531865 at acpi_pci_attach+0x185
#10 0xc0aa0de4 at device_attach+0x3b4
#11 0xc0aa1cab at bus_generic_attach+0x2b
#12 0xc05339c2 at acpi_pcib_attach+0x262
#13 0xc0534cbf at acpi_pcib_pci_attach+0x9f
#14 0xc0aa0de4 at device_attach+0x3b4
#15 0xc0aa1cab at bus_generic_attach+0x2b
#16 0xc0531865 at acpi_pci_attach+0x185
#17 0xc0aa0de4 at device_attach+0x3b4
Free backtrace:
#0 0xc0ceae92 at redzone_check+0x312
#1 0xc0a5d618 at free+0x38
#2 0xc0a9e956 at devread+0x1a6
#3 0xc0a28807 at giant_read+0x87
#4 0xc09710c6 at devfs_read_f+0xc6
#5 0xc0aba8d9 at dofileread+0x99
#6 0xc0aba4f8 at sys_read+0x98
#7 0xc0ddf977 at syscall+0x387
#8 0xc0dc87d1 at Xint0x80_syscall+0x21
panic: free: address 0xced3f080(0xced3f000) has not been allocated.
cpuid = 1
KDB: stack backtrace:
db_trace_self_wrapper(c0f99230,c09710c6,c0aba8d9,c0734d37,c1131d40,...) at 0xc051d25e = db_trace_self_wrapper+0x2e
kdb_backtrace(c0fd3355,1,c0f94756,f7231ae8,c0aa1cab,...) at 0xc0aa7eda = kdb_backtrace+0x2a
panic(c0f94756,ced3f080,ced3f000,cebe4400,ced40080,...) at 0xc0a73bd4 = panic+0x1a4
free(ced40080,c10c3660,f7231c0c,c0b1e30d,ce7ef000,...) at 0xc0a5d6f9 = free+0x119
devread(ce8c2d00,f7231c0c,0,c0b1e4f0,d279ca48,...) at 0xc0a9e956 = devread+0x1a6
giant_read(ce8c2d00,f7231c0c,0,400,0,...) at 0xc0a28807 = giant_read+0x87
devfs_read_f(d279ca48,f7231c0c,ce84b680,0,d2797000,...) at 0xc09710c6 = devfs_read_f+0xc6
dofileread(d279ca48,f7231c0c,ffffffff,ffffffff,0,...) at 0xc0aba8d9 = dofileread+0x99
sys_read(d2797000,f7231ccc,c0a7c784,d2797000,0,...) at 0xc0aba4f8 = sys_read+0x98
syscall(f7231d08) at 0xc0ddf977 = syscall+0x387
Xint0x80_syscall() at 0xc0dc87d1 = Xint0x80_syscall+0x21
--- syscall (3, FreeBSD ELF32, sys_read), eip = 0x808f14b, esp = 0xbfbfd92c, ebp = 0xbfbfde58 ---
KDB: enter: panic
...
(kgdb) #0 doadump (textdump=Variable "textdump" is not available.
) at pcpu.h:249
#1 0xc051b353 in db_dump (dummy=-148694992, dummy2=-148694992,
dummy3=-148694992, dummy4=0xf7231830 "")
at /usr/src/sys/ddb/db_command.c:538
#2 0xc051ae45 in db_command (cmd_table=Variable "cmd_table" is not available.
) at /usr/src/sys/ddb/db_command.c:449
#3 0xc051abd0 in db_command_loop () at /usr/src/sys/ddb/db_command.c:502
#4 0xc051d3be in db_trap (type=Unhandled dwarf expression opcode 0xc0
) at /usr/src/sys/ddb/db_main.c:231
#5 0xc0aa8464 in kdb_trap (tf=Unhandled dwarf expression opcode 0xc0
) at /usr/src/sys/kern/subr_kdb.c:649
#6 0xc0ddebde in trap (frame=Variable "frame" is not available.
) at /usr/src/sys/i386/i386/trap.c:715
#7 0xc0dc876c in calltrap () at /tmp/exception-ceSooo.s:94
#8 0xc0aa7cdd in kdb_enter (why=Variable "why" is not available.
) at cpufunc.h:71
#9 0xc0a73bf4 in panic (fmt=Unhandled dwarf expression opcode 0xc0
) at /usr/src/sys/kern/kern_shutdown.c:627
#10 0xc0a5d6f9 in free (addr=Unhandled dwarf expression opcode 0xc0
) at /usr/src/sys/kern/kern_malloc.c:545
#11 0xc0a9e956 in devread (dev=0xf7231b14, uio=Variable "uio" is not available.
)
at /usr/src/sys/kern/subr_bus.c:473
#12 0xc0a28807 in giant_read (dev=Variable "dev" is not available.
) at /usr/src/sys/kern/kern_conf.c:443
#13 0xc09710c6 in devfs_read_f (fp=Variable "fp" is not available.
)
at /usr/src/sys/fs/devfs/devfs_vnops.c:1177
#14 0xc0aba8d9 in dofileread (td=Variable "td" is not available.
) at file.h:286
#15 0xc0aba4f8 in sys_read (td=Variable "td" is not available.
) at /usr/src/sys/kern/sys_generic.c:250
#16 0xc0ddf977 in syscall (frame=Variable "frame" is not available.
) at subr_syscall.c:135
#17 0xc0dc87d1 in Xint0x80_syscall () at /tmp/exception-ceSooo.s:134
#18 0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language: auto; currently minimal
(kgdb)
Anyway: all that (and more!) is available from
<http://www.catwhisker.org/~david/FreeBSD/stable_9/>; I cite the
above mostly as evidence that I might not have been hallucinating.
:-}
Peace,
david
--
David H. Wolfskill david at catwhisker.org
Taliban: Evil men with guns afraid of truth from a 14-year old girl.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
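
Added example, not part of the original message: a short triage script for the quoted question about the "bytes allocated" figure. It parses the two REDZONE lines from the log above, reinterprets the size as a signed 32-bit value, and checks whether the overflow address equals the underflow address plus that size modulo 2^32. The 32-bit word size (i386) and all function names are assumptions of this example.

```python
import re

# The two REDZONE report lines, copied from the log quoted in the message.
LOG = """\
REDZONE: Buffer underflow detected. 1 byte corrupted before 0xced40080 (4294966796 bytes allocated).
REDZONE: Buffer overflow detected. 16 bytes corrupted after 0xced3fe8c (4294966796 bytes allocated).
"""

REPORT = re.compile(
    r"REDZONE: Buffer (?P<kind>underflow|overflow) detected\. "
    r"(?P<count>\d+) bytes? corrupted (?:before|after) "
    r"(?P<addr>0x[0-9a-f]+) \((?P<size>\d+) bytes allocated\)"
)

WORD_BITS = 32  # assumption: i386, so pointers and unsigned long are 32 bits


def as_signed(value, bits=WORD_BITS):
    """Reinterpret an unsigned machine word as two's-complement signed."""
    return value - (1 << bits) if value >> (bits - 1) else value


def parse_reports(text):
    """Return one dict per REDZONE report found in text."""
    out = []
    for m in REPORT.finditer(text):
        size = int(m["size"])
        out.append({
            "kind": m["kind"],
            "corrupted": int(m["count"]),
            "addr": int(m["addr"], 16),
            "size": size,
            "size_signed": as_signed(size),
        })
    return out


def wrapped_end(reports, bits=WORD_BITS):
    """True if overflow address == underflow address + size (mod 2**bits)."""
    under = next(r for r in reports if r["kind"] == "underflow")
    over = next(r for r in reports if r["kind"] == "overflow")
    return (under["addr"] + under["size"]) % (1 << bits) == over["addr"]


if __name__ == "__main__":
    reports = parse_reports(LOG)
    for r in reports:
        print(f'{r["kind"]:9} addr={r["addr"]:#x} size={r["size"]} '
              f'signed={r["size_signed"]}')
    print("end address wrapped below start:", wrapped_end(reports))
```

On these two lines the size decodes to -500 and the check is true: the address reported as the end of the buffer lies exactly 500 bytes below its start.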