kern/71431: [panic fix] [patch] geom_uzip.ko caused panic

Daichi GOTO daichi at FreeBSD.org
Mon Sep 6 06:30:13 PDT 2004


>Number:         71431
>Category:       kern
>Synopsis:       [panic fix] [patch] geom_uzip.ko caused panic
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 06 13:30:12 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Daichi GOTO
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
FreeBSD freebsd.ongs.co.jp 5.3-BETA3 FreeBSD 5.3-BETA3 #2: Sun Sep  5 01:45:47 JST 2004     root at freebsd.ongs.co.jp:/usr/obj/usr/src/sys/MITHOS  i386

>Description:
/boot/kernel/geom_uzip.ko causes panic.

panic message:
-----------------------------------
panic: malloc(9)/free(9) confusion.
Probably freeing with wrong type, but maybe not here.
cpuid = 0
KDB: enter: panic
[thread 100031]
Stopped at	kdb_enter+0x2b: nop
db>
-----------------------------------

>How-To-Repeat:
# kldload geom_uzip

or 

# geom uzip load

>Fix:

I think the following patch will fix this :)

--- sys/geom/uzip/g_uzip.c.orig	Mon Aug 30 16:08:17 2004
+++ sys/geom/uzip/g_uzip.c	Mon Aug 30 17:02:27 2004
@@ -91,10 +91,10 @@
 		    gp->name, sc->req_total, sc->req_cached);
 	}
 	if (sc->offsets != NULL)
-		free(sc->offsets, M_GEOM_UZIP);
+		g_free(sc->offsets);
 	mtx_destroy(&sc->last_mtx);
-	free(sc->last_buf, M_GEOM_UZIP);
-	free(sc, M_GEOM_UZIP);
+	g_free(sc->last_buf);
+	g_free(sc);
 }
 
 static void *
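Review bot: `mtx_destroy(&sc->last_mtx)` still runs unconditionally in this cleanup routine, yet the `err` hunk near line 470 calls `g_uzip_softc_free(gp->softc, NULL)` and the `goto err` near line 413 is taken before the `mtx_init()` near line 442. On that path the softc is now zeroed, so the routine destroys a mutex that was never initialised, which may trip an assertion on kernels built with INVARIANTS. Moving `mtx_init(&sc->last_mtx, "geom_uzip cache", NULL, MTX_DEF);` to directly after the softc allocation would give every path into this function an initialised mutex. The function begins above the hunk.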
@@ -102,14 +102,14 @@
 {
 	void *ptr;
 
-	ptr = malloc(type * size, M_GEOM_UZIP, M_NOWAIT);
+	ptr = g_malloc(type * size, M_NOWAIT | M_ZERO);
 	return ptr;
 }
 
 static void
 z_free(void *nil, void *ptr)
 {
-	free(ptr, M_GEOM_UZIP);
+	g_free(ptr);
 }
 
 static void
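Review bot: `type * size` in the allocator callback is multiplied without an overflow check before being handed to `g_malloc()`, so a wrapped product would yield a buffer smaller than the caller expects. The signature is outside the hunk; if these are the 32-bit unsigned item count and item size that zlib passes to its allocation hook, a guard such as `if (size != 0 && type > UINT_MAX / size) return (NULL);` before the call closes that. `M_ZERO` is also new on this path and zeroes every zlib working buffer; that is harmless, but it deserves a short comment saying whether it is intentional.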
@@ -207,7 +207,7 @@
 	 */
 	DPRINTF(("%s: done: (%d, %lld, %ld)\n",
 	    gp->name, bp2->bio_error, bp2->bio_completed, bp2->bio_resid));
-	free(bp->bio_data, M_GEOM_UZIP);
+	g_free(bp->bio_data);
 	g_destroy_bio(bp);
 	g_io_deliver(bp2, bp2->bio_error);
 }
@@ -285,7 +285,7 @@
 	    bp->bio_offset, bp->bio_length,
 	    sc->offsets[start_blk], sc->offsets[end_blk] - sc->offsets[start_blk],
 	    bp2->bio_offset, bp2->bio_length));
-	bp2->bio_data = malloc(bp2->bio_length, M_GEOM_UZIP, M_NOWAIT);
+	bp2->bio_data = g_malloc(bp2->bio_length, M_NOWAIT | M_ZERO);
 	if (bp2->bio_data == NULL) {
 		g_io_deliver(bp, ENOMEM);
 		return;
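Review bot: The allocation size `bp2->bio_length` appears, from the DPRINTF arguments just above, to be derived from `sc->offsets[end_blk] - sc->offsets[start_blk]`, and those offsets are read from the compressed image. Nothing visible in the hunk checks that the table is non-decreasing or that the span is bounded, so a malformed image could request a wrapped or very large length; validating the table once, when it is loaded, would be the natural place. Separately, the `ENOMEM` branch delivers `bp` and returns without `g_destroy_bio(bp2)`; if `bp2` was cloned above the hunk, that leaks it. The function starts and ends outside the hunk.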
@@ -393,7 +393,7 @@
 	/*
 	 * Initialize softc and read offsets.
 	 */
-	sc = malloc(sizeof(*sc), M_GEOM_UZIP, M_WAITOK);
+	sc = g_malloc(sizeof(*sc), M_WAITOK | M_ZERO);
 	gp->softc = sc;
 	sc->blksz = ntohl(header->blksz);
 	sc->nblocks = ntohl(header->nblocks);
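Review bot: `M_ZERO` on the softc allocation is the one flag in this patch that changes behaviour rather than just the allocator, and it carries no comment. The cleanup routine tests `sc->offsets != NULL` and frees `sc->last_buf`, so when the `err` path runs before those fields are assigned they must already be NULL. I would add `/* Zeroed so the err path can free offsets/last_buf before they are set. */` above the call. The enclosing function extends beyond the hunk on both sides.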
@@ -413,8 +413,8 @@
 		       gp->name, sc->nblocks);
 		goto err;
 	}
-	sc->offsets = malloc(
-	    total_offsets * sizeof(uint64_t), M_GEOM_UZIP, M_WAITOK);
+	sc->offsets = g_malloc(
+	    total_offsets * sizeof(uint64_t), M_WAITOK | M_ZERO);
 	offsets_read = MIN(total_offsets,
 	    (pp->sectorsize - sizeof(*header)) / sizeof(uint64_t));
 	for (i = 0; i < offsets_read; i++)
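Review bot: `total_offsets * sizeof(uint64_t)` is presumably derived from `sc->nblocks`, which the earlier hunk shows is taken from the image header with `ntohl()`. On i386 the product can wrap `size_t` unless the check ending in `goto err` just above bounds it, and that condition is outside the hunk. A wrapped size would leave the loop that follows, which presumably fills `sc->offsets`, writing past the allocation. A guard such as `if (total_offsets > SIZE_MAX / sizeof(uint64_t)) goto err;` before the call makes the bound explicit. The same concern applies to `g_malloc(sc->blksz, M_WAITOK | M_ZERO)` for `sc->last_buf` in the hunk near line 442: `blksz` also comes from the header and no range check is visible.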
@@ -424,7 +424,7 @@
 	for (blk = 1; offsets_read < total_offsets; blk++) {
 		uint32_t nread;
 
-		free(buf, M_GEOM_UZIP);
+		g_free(buf);
 		buf = g_read_data(
 		    cp, blk * pp->sectorsize, pp->sectorsize, &error);
 		if (buf == NULL || error != 0)
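Review bot: This `g_free(buf)` and the one in the `err` hunk are the only frees in the patch whose pointer visibly comes from `g_read_data()` rather than from this file's own `malloc(..., M_GEOM_UZIP, ...)` calls, so they look like the actual type mismatch behind the panic. Converting every other allocation to `g_malloc()`/`g_free()` as well presumably drops the module's own malloc type from accounting, which makes its memory use harder to attribute when diagnosing leaks. If the wider conversion is kept, the then-unused `M_GEOM_UZIP` definition should be removed too; otherwise limit the patch to the two `buf` frees. The loop body continues past the hunk.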
@@ -442,7 +442,7 @@
 	DPRINTF(("%s: done reading offsets\n", gp->name));
 	mtx_init(&sc->last_mtx, "geom_uzip cache", NULL, MTX_DEF);
 	sc->last_blk = -1;
-	sc->last_buf = malloc(sc->blksz, M_GEOM_UZIP, M_WAITOK);
+	sc->last_buf = g_malloc(sc->blksz, M_WAITOK | M_ZERO);
 	sc->req_total = 0;
 	sc->req_cached = 0;
 
@@ -470,7 +470,7 @@
 	g_topology_lock();
 	g_access(cp, -1, 0, 0);
 	if (buf != NULL)
-		free(buf, M_GEOM_UZIP);
+		g_free(buf);
 	if (gp->softc != NULL) {
 		g_uzip_softc_free(gp->softc, NULL);
 		gp->softc = NULL;



>Release-Note:
>Audit-Trail:
>Unformatted:

