panic after boot - memory used after free
Nate Lawson
nate at root.org
Sat May 1 13:27:57 PDT 2004
A recent kernel with INVARIANTS gets a panic right after boot saying
memory has been used after free. This happens when booting single user
and then immediately when the first command is run. I'm tracking down the
source with hardware watch points. This is 100% reproducible with the
same addresses. The panic message is:
... modified after free 0xc344b200(508) val=1000100 @ 0xc344b200
Watch points and a mod to malloc/free show the memory is modified:
1. Memory is first freed:
free
acpi_cmbat_get_bif
acpi_cmbat_init_battery
2. Memory malloced/freed 4 times in:
free
g_bsd_try
g_bsd_taste
g_new_provider_event
3. Memory is written to during the ata1-slave probe:
ata_pio_read(0xc34e6b40, 0x200) + 0x1b4
ata_generic_interrupt + 0x605
ata_timeout + 0x167
softclock(0)
4. Finally, the trace of what triggers the panic is:
mtrash_ctor+0x3a
uma_zalloc_arg+0x169
malloc+0xb7
elf32_load_file+0x51
exec_elf32_imgact+0x4c7
kern_execve+0x34e
execve+0x18
I think the ata_pio_read is suspicious because it accesses the memory even
though it did not appear to malloc it. Here is the dmesg from a
non-INVARIANTS boot:
atapci0: <Intel ICH3 UDMA100 controller> port
0x1860-0x186f,0x376,0x170-0x177,0x3f6,0x1f0-0x1f7 at device 31.1 on pci0
atapci0: Reserved 0x10 bytes for rid 0x20 type 4 at 0x1860
atapci0: Reserved 0x8 bytes for rid 0x10 type 4 at 0x1f0
atapci0: Reserved 0x1 bytes for rid 0x14 type 4 at 0x3f6
ata0: at 0x1f0 irq 14 on atapci0
atapci0: Reserved 0x8 bytes for rid 0x18 type 4 at 0x170
atapci0: Reserved 0x1 bytes for rid 0x1c type 4 at 0x376
ata1: at 0x170 irq 15 on atapci0
[...]
ad0: 19077MB <IC25N020ATCS04-0> [41344/15/63] at ata0-master UDMA100
ata1-slave: FAILURE - ATAPI_IDENTIFY no interrupt
ata1-slave: FAILURE - ATAPI_IDENTIFY no interrupt
acd0: CDRW <UJDA720 DVD/CDRW> at ata1-master PIO4
-Nate
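The "modified after free" panic above comes from the kernel's trash check: memory is filled with a known pattern when it is freed, and the pattern is verified when the block is handed out again, so a write through a stale pointer shows up as a mismatch at a given offset. The following userland model of that check is an added example, not code from this post or from FreeBSD; the pattern value, the block size, the helper names (trash_fill, trash_check, simulate_stale_write) and the scenario are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed fill pattern for this example; the kernel's trash code uses its own value. */
#define TRASH_WORD 0xdeadc0deU

struct trash_report {
    size_t offset;    /* byte offset of the first modified word */
    uint32_t value;   /* the value found in that word */
};

/* Called on free: overwrite the whole block with the pattern so that any
 * later write through a stale pointer is visible as a deviation from it. */
void trash_fill(void *mem, size_t size)
{
    uint32_t *p = mem;
    size_t n = size / sizeof(uint32_t);
    for (size_t i = 0; i < n; i++)
        p[i] = TRASH_WORD;
}

/* Called when the block is handed out again: verify the pattern survived.
 * Returns 1 and fills *r on the first mismatch, 0 if the block is clean. */
int trash_check(const void *mem, size_t size, struct trash_report *r)
{
    const uint32_t *p = mem;
    size_t n = size / sizeof(uint32_t);
    for (size_t i = 0; i < n; i++) {
        if (p[i] != TRASH_WORD) {
            r->offset = i * sizeof(uint32_t);
            r->value = p[i];
            return 1;
        }
    }
    return 0;
}

/* Simulate the sequence from the report: a block is freed (filled), a stale
 * pointer writes into it, and the next allocation catches the write.
 * Returns the byte offset of the detected modification, or -1 if none.
 * write_at must be a multiple of 4 and smaller than blocksize. */
long simulate_stale_write(size_t blocksize, size_t write_at, uint32_t stale_value)
{
    uint32_t *block = malloc(blocksize);
    if (block == NULL)
        return -1;
    trash_fill(block, blocksize);          /* the "free" */
    block[write_at / 4] = stale_value;     /* late write through a stale pointer */

    struct trash_report r;
    long result = -1;
    if (trash_check(block, blocksize, &r)) {   /* the next "malloc" */
        printf("modified after free %p(%zu) val=%x @ %p\n",
               (void *)block, blocksize, r.value,
               (void *)((char *)block + r.offset));
        result = (long)r.offset;
    }
    free(block);
    return result;
}

int main(void)
{
    /* constructed scenario: 512-byte block, stale write of 0x1000100 at offset 0 */
    long off = simulate_stale_write(512, 0, 0x1000100U);
    printf("detected at offset %ld\n", off);
    return off >= 0 ? 0 : 1;
}
```

The reported offset is what makes a hardware watchpoint practical: once the check names the address and offset, a watchpoint on that word catches the stale writer in the act, which is how the ata_pio_read frame above was found. One caveat the model makes visible: a stale write whose value happens to equal the fill pattern is invisible to this check, so a clean pass does not prove the block was untouched.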