GENERIC HEAD from Jun 11 06:49 UTC, vmcore.354
Missing parameter validation in freebsd4_getfsstat()
Fixed in kern/vfs_syscalls.c,v 1.390 2005/06/12 07:03:23 pjd.

GDB: no debug ports present
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD 6.0-CURRENT #0: Sat Jun 11 09:26:47 CEST 2005
    pho@current.osted.lan:/usr/src/sys/i386/compile/PHO
WARNING: WITNESS option enabled, expect reduced performance.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(R) CPU 1.80GHz (1799.15-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf13  Stepping = 3
  Features=0x3febfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM>
real memory  = 267583488 (255 MB)
avail memory = 252256256 (240 MB)
:
Trying to mount root from ufs:/dev/ad0s1a
rl0: link state changed to DOWN
panic: kmem_malloc(868405248): kmem_map too small: 33984512 total allocated
cpuid = 0
KDB: enter: panic
[thread pid 1893 tid 100119 ]
Stopped at      kdb_enter+0x2b: nop
db> where
Tracing pid 1893 tid 100119 td 0xc1ada300
kdb_enter(c0852fc9) at kdb_enter+0x2b
panic(c086e46b,33c2d000,2069000,c2b78640,33c2d000) at panic+0x14b
kmem_malloc(c10590c0,33c2d000,2,cf3cab98,c077e4e3) at kmem_malloc+0x89
page_alloc(0,33c2d000,cf3cab8b,2,2000003) at page_alloc+0x1a
uma_large_malloc(33c2d000,2,3a9,33c2cd00,c1ada300) at uma_large_malloc+0x3b
malloc(33c2cd00,c08b5ee0,2,d800,406aef) at malloc+0xf1
freebsd4_getfsstat(c1ada300,cf3cad04,3,3,293) at freebsd4_getfsstat+0x39
syscall(3b,3b,3b,28050308,bfbfeafc) at syscall+0x22f
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (18, FreeBSD ELF32, freebsd4_getfsstat), eip = 0x2809b395, esp = 0xbfbfe980, ebp = 0xbfbfe9c8 ---
db> show pcpu
cpuid        = 0
curthread    = 0xc1ada300: pid 1893 "syscall"
curpcb       = 0xcf3cad90
fpcurthread  = none
idlethread   = 0xc1539600: pid 11 "idle: cpu0"
APIC ID      = 0
currentldt   = 0x50
spin locks held:
db> ps
  pid   proc     uid  ppid  pgrp  flag   stat  wmesg    wchan  cmd
 1906 c292de00 1001  1896   578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp
 1905 c1ad9400 1001  1885   578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
 1904 c1af6c00 1001  1885   578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
 1903 c1813400 1001  1901   578 0000002 [SLPQ nanslp 0xc092990c][SLP] mkdir
 1902 c1b15e00 1001  1901   578 0000002 [RUNQ] mkdir
 1901 c1b16c00 1001  1878   578 0000002 [SLPQ wait 0xc1b16c00][SLP] mkdir
 1900 c1ad9800 1001  1896   578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp
 1899 c2747c00 1001  1896   578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp
 1898 c2748a00 1001  1896   578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp
 1897 c2747600 1001  1896   578 0000002 [RUNQ] udp
 1896 c1b15a00 1001  1884   578 0000002 [SLPQ wait 0xc1b15a00][SLP] udp
 1895 c2929c00 1001  1885   578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
 1894 c1af4a00 1001  1885   578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
 1893 c1ad9e00 1001  1885   578 0000002 [CPU 0] syscall
 1892 c186b200 1001  1885   578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
 1891 c2747200 1001  1887   578 0000002 [SLPQ nanslp 0xc092990c][SLP] rw
 1890 c2748000 1001  1885   578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
 1889 c1b16200 1001  1887   578 0000002 [SLPQ nanslp 0xc092990c][SLP] rw
 1888 c2929a00 1001  1886   578 0000002 [SLPQ nanslp 0xc092990c][SLP] tcp
 1887 c1b15000 1001  1880   578 0000002 [SLPQ wait 0xc1b15000][SLP] rw
 1886 c1ad9600 1001  1883   578 0000002 [SLPQ wait 0xc1ad9600][SLP] tcp
 1885 c2748800 1001  1881   578 0000002 [SLPQ wait 0xc2748800][SLP] syscall
 1884 c1b15800 1001   585   578 0004002 [SLPQ nanslp 0xc092990c][SLP] udp
 1883 c1af6e00 1001   585   578 0004002 [SLPQ nanslp 0xc092990c][SLP] tcp
 1881 c1af4000 1001   585   578 0004002 [SLPQ nanslp 0xc092990c][SLP] syscall
 1880 c1ad8c00 1001   585   578 0004002 [SLPQ nanslp 0xc092990c][SLP] rw
 1878 c1af4e00 1001   585   578 0004002 [SLPQ nanslp 0xc092990c][SLP] mkdir
  585 c1814400 1001   584   578 0000002 [SLPQ wait 0xc1814400][SLP] run
  584 c186b000 1001   583   578 0000002 [SLPQ wait 0xc186b000][SLP] run
  583 c1814000 1001   578   578 0004002 [SLPQ nanslp 0xc092990c][SLP] run
  578 c1813c00 1001   570   578 0004002 [SLPQ wait 0xc1813c00][SLP] sh
  570 c186aa00 1001   569   570 0004002 [SLPQ wait 0xc186aa00][SLP] bash
  569 c186a400 1001   567   567 0000100 [SLPQ select 0xc0976c04][SLP] sshd
  567 c186a000    0   431   567 0004100 [SLPQ sbwait 0xc182ac48][SLP] sshd
  566 c1764c00 1001   560   566 0004002 [SLPQ select 0xc0976c04][SLP] top
  560 c186b400 1001   559   560 0004002 [SLPQ wait 0xc186b400][SLP] bash
  559 c1814200 1001   557   557 0000100 [SLPQ select 0xc0976c04][SLP] sshd
  557 c186b600    0   431   557 0004100 [SLPQ sbwait 0xc182a480][SLP] sshd
  549 c186ac00    0     1   549 0004002 [SLPQ ttyin 0xc16cc810][SLP] getty
  548 c1813800    0     1   548 0004002 [SLPQ ttyin 0xc16ccc10][SLP] getty
  547 c186a800    0     1   547 0004002 [SLPQ ttyin 0xc16cd010][SLP] getty
  546 c186a200    0     1   546 0004002 [SLPQ ttyin 0xc16cd410][SLP] getty
  545 c1764000    0     1   545 0004002 [SLPQ ttyin 0xc16c1410][SLP] getty
  544 c1814800    0     1   544 0004002 [SLPQ ttyin 0xc16b9c10][SLP] getty
  543 c1814a00    0     1   543 0004002 [SLPQ ttyin 0xc16c0c10][SLP] getty
  542 c1814c00    0     1   542 0004002 [SLPQ ttyin 0xc16c1810][SLP] getty
  510 c186a600    0     1   510 0000000 [SLPQ select 0xc0976c04][SLP] moused
  453 c1814600    0     1   453 0000000 [SLPQ nanslp 0xc092990c][SLP] cron
  441 c1764600   25     1   441 0000100 [SLPQ pause 0xc1764634][SLP] sendmail
  437 c165ee00    0     1   437 0000100 [SLPQ select 0xc0976c04][SLP] sendmail
  431 c1767c00    0     1   431 0000100 [SLPQ select 0xc0976c04][SLP] sshd
  413 c1813600    0     1   413 0000000 [SLPQ select 0xc0976c04][SLP] ntpd
  382 c1813a00    0     1   382 0000000 [SLPQ select 0xc0976c04][SLP] usbd
  362 c1764200    0   357   357 0000000 [SLPQ - 0xc181f600][SLP] nfsd
  361 c1813000    0   357   357 0000000 [SLPQ - 0xc181f800][SLP] nfsd
  360 c1813e00    0   357   357 0000000 [SLPQ - 0xc181fa00][SLP] nfsd
  359 c1767a00    0   357   357 0000000 [SLPQ - 0xc181f400][SLP] nfsd
  357 c1767e00    0     1   357 0000000 [SLPQ select 0xc0976c04][SLP] nfsd
  355 c1813200    0     1   355 0000000 [SLPQ select 0xc0976c04][SLP] mountd
  282 c1764a00    0     1   282 0000000 [SLPQ select 0xc0976c04][SLP] rpcbind
  268 c1764800    0     1   268 0000000 [SLPQ select 0xc0976c04][SLP] syslogd
  239 c1764400    0     1   239 0000000 [SLPQ select 0xc0976c04][SLP] devd
   61 c1764e00    0     0     0 0000204 [SLPQ - 0xce9e7d04][SLP] schedcpu
   60 c1767000    0     0     0 0000204 [SLPQ - 0xc097f10c][SLP] nfsiod 3
   59 c1767200    0     0     0 0000204 [SLPQ - 0xc097f108][SLP] nfsiod 2
   58 c1767400    0     0     0 0000204 [SLPQ - 0xc097f104][SLP] nfsiod 1
   57 c1767600    0     0     0 0000204 [SLPQ - 0xc097f100][SLP] nfsiod 0
   56 c1767800    0     0     0 0000204 [SLPQ syncer 0xc0929680][SLP] syncer
   55 c158e400    0     0     0 0000204 [SLPQ vlruwt 0xc158e400][SLP] vnlru
   54 c158e600    0     0     0 0000204 [SLPQ psleep 0xc097714c][SLP] bufdaemon
   53 c158e800    0     0     0 000020c [SLPQ pgzero 0xc09856a4][SLP] pagezero
   52 c158ea00    0     0     0 0000204 [SLPQ psleep 0xc09851f4][SLP] vmdaemon
   51 c158ec00    0     0     0 0000204 [SLPQ psleep 0xc09851b0][SLP] pagedaemon
   50 c158ee00    0     0     0 0000204 [SLPQ - 0xc168383c][SLP] fdc0
   49 c165e000    0     0     0 0000204 [IWAIT] swi0: sio
   48 c165e200    0     0     0 0000204 [SLPQ usbevt 0xc162b210][SLP] usb4
   47 c165e400    0     0     0 0000204 [SLPQ usbevt 0xc1679210][SLP] usb3
   46 c165e600    0     0     0 0000204 [SLPQ usbevt 0xc1666210][SLP] usb2
   45 c165e800    0     0     0 0000204 [SLPQ usbevt 0xc1667210][SLP] usb1
   44 c165ea00    0     0     0 0000204 [SLPQ usbtsk 0xc09175f4][SLP] usbtask
   43 c165ec00    0     0     0 0000204 [SLPQ usbevt 0xc163a210][SLP] usb0
   42 c157ec00    0     0     0 0000204 [IWAIT] swi6: task queue
    9 c157ee00    0     0     0 0000204 [SLPQ - 0xc1634100][SLP] kqueue taskq
    8 c158c000    0     0     0 0000204 [SLPQ - 0xc1634180][SLP] acpi_task2
    7 c158c200    0     0     0 0000204 [SLPQ - 0xc1634180][SLP] acpi_task1
    6 c158c400    0     0     0 0000204 [SLPQ - 0xc1634180][SLP] acpi_task0
   41 c158c600    0     0     0 0000204 [IWAIT] swi2: cambio
   40 c158c800    0     0     0 0000204 [IWAIT] swi5:+
    5 c158ca00    0     0     0 0000204 [SLPQ - 0xc1634400][SLP] thread taskq
   39 c158cc00    0     0     0 0000204 [IWAIT] swi6:+
   38 c158ce00    0     0     0 0000204 [SLPQ - 0xc0915320][SLP] yarrow
    4 c158e000    0     0     0 0000204 [SLPQ - 0xc0919de8][SLP] g_down
    3 c158e200    0     0     0 0000204 [SLPQ - 0xc0919de4][SLP] g_up
    2 c156f600    0     0     0 0000204 [SLPQ - 0xc0919ddc][SLP] g_event
   37 c156f800    0     0     0 0000204 [IWAIT] swi1: net
   36 c156fa00    0     0     0 0000204 [IWAIT] swi3: vm
   35 c156fc00    0     0     0 000020c [RUNQ] swi4: clock sio
   34 c156fe00    0     0     0 0000204 [IWAIT] irq23: ehci0
   33 c157e000    0     0     0 0000204 [IWAIT] irq22: rl0
   32 c157e200    0     0     0 0000204 [IWAIT] irq21:
   31 c157e400    0     0     0 0000204 [IWAIT] irq20:
   30 c157e600    0     0     0 0000204 [IWAIT] irq19: uhci1
   29 c157e800    0     0     0 0000204 [IWAIT] irq18: uhci2
   28 c157ea00    0     0     0 0000204 [IWAIT] irq17: pcm0
   27 c153d200    0     0     0 0000204 [IWAIT] irq16: uhci0 uhci3
   26 c153d400    0     0     0 0000204 [IWAIT] irq15: ata1
   25 c153d600    0     0     0 0000204 [IWAIT] irq14: ata0
   24 c153d800    0     0     0 0000204 [IWAIT] irq13:
   23 c153da00    0     0     0 0000204 [IWAIT] irq12: psm0
   22 c153dc00    0     0     0 0000204 [IWAIT] irq11:
   21 c153de00    0     0     0 0000204 [IWAIT] irq10:
   20 c156f000    0     0     0 0000204 [IWAIT] irq9: acpi0
   19 c156f200    0     0     0 0000204 [IWAIT] irq8:
   18 c156f400    0     0     0 0000204 [IWAIT] irq7: ppc0
   17 c1538000    0     0     0 0000204 [IWAIT] irq6: fdc0
   16 c1538200    0     0     0 0000204 [IWAIT] irq5:
   15 c1538400    0     0     0 0000204 [IWAIT] irq4: sio0
   14 c1538600    0     0     0 0000204 [IWAIT] irq3:
   13 c1538800    0     0     0 0000204 [IWAIT] irq0:
   12 c1538a00    0     0     0 0000204 [IWAIT] irq1: atkbd0
   11 c1538c00    0     0     0 000020c [Can run] idle: cpu0
    1 c1538e00    0     0     1 0004200 [SLPQ wait 0xc1538e00][SLP] init
   10 c153d000    0     0     0 0000204 [SLPQ ktrace 0xc0927858][SLP] ktrace
    0 c0919ee0    0     0     0 0000200 [IWAIT] swapper
 1907 c1af6600 1001  1885   578 0002002 zomb[INACTIVE] syscall
 1882 c1b16000 1001   585   578 0006002 zomb[INACTIVE] sysctl
 1879 c1b16600 1001   585   578 0006002 zomb[INACTIVE] thr1
db> call doadump
Dumping 255 MB
 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
Dump complete
0xf
db> reset

#10 0xc062e9cf in panic (fmt=0xc086e46b "kmem_malloc(%ld): kmem_map too small: %ld total allocated") at ../../../kern/kern_shutdown.c:547
#11 0xc0782fe9 in kmem_malloc (map=0xc10590c0, size=0x33c2d000, flags=0x2) at ../../../vm/vm_kern.c:299
#12 0xc077c64a in page_alloc (zone=0x0, bytes=0x33c2d000, pflag=0x0, wait=0x2) at ../../../vm/uma_core.c:941
#13 0xc077e4e3 in uma_large_malloc (size=0x33c2d000, wait=0x2) at ../../../vm/uma_core.c:2670
#14 0xc0624da5 in malloc (size=0x33c2d000, mtp=0xc08b5ee0, flags=0x2) at ../../../kern/kern_malloc.c:322
#15 0xc0685a71 in freebsd4_getfsstat (td=0xc1ada300, uap=0xcf3cad04) at ../../../kern/vfs_syscalls.c:565
#16 0xc07eb19b in syscall (frame=
      {tf_fs = 0x3b, tf_es = 0x3b, tf_ds = 0x3b, tf_edi = 0x28050308, tf_esi = 0xbfbfeafc, tf_ebp = 0xbfbfe9c8, tf_isp = 0xcf3cad64, tf_ebx = 0x1, tf_edx = 0x0, tf_ecx = 0x8049080, tf_eax = 0x12, tf_trapno = 0x0, tf_err = 0x2, tf_eip = 0x2809b395, tf_cs = 0x33, tf_eflags = 0x293, tf_esp = 0xbfbfe980, tf_ss = 0x3b}) at ../../../i386/i386/trap.c:976
#17 0xc07d858f in Xint0x80_syscall () at ../../../i386/i386/exception.s:200
(kgdb) f 15
#15 0xc0685a71 in freebsd4_getfsstat (td=0xc1ada300, uap=0xcf3cad04) at ../../../kern/vfs_syscalls.c:565
565                     buf = malloc(size, M_TEMP, M_WAITOK);
(kgdb) l
560             int error;
561
562             count = uap->bufsize / sizeof(struct ostatfs);
563             size = count * sizeof(struct statfs);
564             if (size > 0)
565                     buf = malloc(size, M_TEMP, M_WAITOK);
566             else
567                     buf = NULL;
568             error = kern_getfsstat(td, buf, size, UIO_SYSSPACE, uap->flags);
569             if (buf != NULL) {
(kgdb) info loc
buf = (struct statfs *) 0xd800
sp = (struct statfs *) 0xc1ada300
osb = {f_spare2 = 0x406aef, f_bsize = 0xcf3cac7c, f_iosize = 0xc07f329c, f_blocks = 0xcf3cac56, f_bfree = 0x1, f_bavail = 0xa,
  f_files = 0xcf3cac60, f_ffree = 0x4, f_fsid = {val = {0xa, 0x0}}, f_owner = 0xda7a, f_type = 0x6400, f_flags = 0xda7a,
  f_syncwrites = 0xc1ada300, f_asyncwrites = 0x6af, f_fstypename = "\203j\205À,¬<Ï\000£­Á\003\000\000",
  f_mntonname = "\n\000\000\000\002\000\000\000\002\000\000\000à\217zÚD¬<ÏT¬<Ï`¬<Ïdµ\207îW\002\000\000\000\000\000\000W\002\207îdµ<ÏáhbÀXh\000\000\000\000zÚ\000d\000\000\220¬<Ï\000\000\000\000\000\000tG\000\234\205À", f_syncreads = 0x3, f_asyncreads = 0xffffffa3,
  f_spares1 = 0x92c0,
  f_mntfromname = "\213Àïj@\000\230¬<Ïê4\177Àëý8\224eüÿ\177\231\2366\000\000\000\000\000\000\000\000\000\000­<ÏålcÀëý8\224eüÿ\177\231\2366\000\000\000\000\000Ȩ\vqÏv@\000Èj\017ÝÍk\235\224ÿÿÿÿЬ", f_spares2 = 0xcf3c, f_spare = {0xc08b92d8, 0xc0929940}}
count = 0x33c2cd00
size = 0x33c2cd00
error = 0xc1ad9e00