GENERIC HEAD from Jun 11 06:49 UTC, vmcore.354 Missing parameter validation in freebsd4_getfsstat() Fixed in kern/vfs_syscalls.c,v 1.390 2005/06/12 07:03:23 pjd. Root cause, from the kgdb listing at the end of this report: freebsd4_getfsstat() derives its kernel allocation size directly from the caller-supplied uap->bufsize (count = bufsize / sizeof(struct ostatfs); size = count * sizeof(struct statfs)) with no upper bound, and the resulting M_WAITOK malloc() of size 0x33c2cd00 (rounded up to 868,405,248 bytes by the time it reaches kmem_malloc()) panics when kmem_map cannot satisfy it. The calling process (pid 1893, uid 1001 in the ps output below) is unprivileged, so this is a local denial of service reachable through the FreeBSD 4 compatibility syscall; the 1.390 commit adds the missing validation of bufsize before the allocation (the exact check is not reproduced in this report). When reading the `info loc` output at the end, note that buf, sp, osb and error are still unassigned at line 565 and show whatever was left on the stack; only the size argument to malloc() is meaningful there. GDB: no debug ports present KDB: debugger backends: ddb KDB: current backend: ddb Copyright (c) 1992-2005 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 6.0-CURRENT #0: Sat Jun 11 09:26:47 CEST 2005 pho@current.osted.lan:/usr/src/sys/i386/compile/PHO WARNING: WITNESS option enabled, expect reduced performance. Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: Intel(R) Celeron(R) CPU 1.80GHz (1799.15-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0xf13 Stepping = 3 Features=0x3febfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM> real memory = 267583488 (255 MB) avail memory = 252256256 (240 MB) : Trying to mount root from ufs:/dev/ad0s1a rl0: link state changed to DOWN panic: kmem_malloc(868405248): kmem_map too small: 33984512 total allocated cpuid = 0 KDB: enter: panic [thread pid 1893 tid 100119 ] Stopped at kdb_enter+0x2b: nop db> where Tracing pid 1893 tid 100119 td 0xc1ada300 kdb_enter(c0852fc9) at kdb_enter+0x2b panic(c086e46b,33c2d000,2069000,c2b78640,33c2d000) at panic+0x14b kmem_malloc(c10590c0,33c2d000,2,cf3cab98,c077e4e3) at kmem_malloc+0x89 page_alloc(0,33c2d000,cf3cab8b,2,2000003) at page_alloc+0x1a uma_large_malloc(33c2d000,2,3a9,33c2cd00,c1ada300) at uma_large_malloc+0x3b malloc(33c2cd00,c08b5ee0,2,d800,406aef) at malloc+0xf1 freebsd4_getfsstat(c1ada300,cf3cad04,3,3,293) at freebsd4_getfsstat+0x39 syscall(3b,3b,3b,28050308,bfbfeafc) at syscall+0x22f Xint0x80_syscall() at Xint0x80_syscall+0x1f --- syscall (18, FreeBSD ELF32, freebsd4_getfsstat), eip = 0x2809b395, esp = 0xbfbfe980, ebp = 0xbfbfe9c8 --- db> show pcpu cpuid = 0 curthread = 0xc1ada300: pid 1893 "syscall" curpcb = 0xcf3cad90 
fpcurthread = none idlethread = 0xc1539600: pid 11 "idle: cpu0" APIC ID = 0 currentldt = 0x50 spin locks held: db> ps pid proc uid ppid pgrp flag stat wmesg wchan cmd 1906 c292de00 1001 1896 578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp 1905 c1ad9400 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall 1904 c1af6c00 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall 1903 c1813400 1001 1901 578 0000002 [SLPQ nanslp 0xc092990c][SLP] mkdir 1902 c1b15e00 1001 1901 578 0000002 [RUNQ] mkdir 1901 c1b16c00 1001 1878 578 0000002 [SLPQ wait 0xc1b16c00][SLP] mkdir 1900 c1ad9800 1001 1896 578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp 1899 c2747c00 1001 1896 578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp 1898 c2748a00 1001 1896 578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp 1897 c2747600 1001 1896 578 0000002 [RUNQ] udp 1896 c1b15a00 1001 1884 578 0000002 [SLPQ wait 0xc1b15a00][SLP] udp 1895 c2929c00 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall 1894 c1af4a00 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall 1893 c1ad9e00 1001 1885 578 0000002 [CPU 0] syscall 1892 c186b200 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall 1891 c2747200 1001 1887 578 0000002 [SLPQ nanslp 0xc092990c][SLP] rw 1890 c2748000 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall 1889 c1b16200 1001 1887 578 0000002 [SLPQ nanslp 0xc092990c][SLP] rw 1888 c2929a00 1001 1886 578 0000002 [SLPQ nanslp 0xc092990c][SLP] tcp 1887 c1b15000 1001 1880 578 0000002 [SLPQ wait 0xc1b15000][SLP] rw 1886 c1ad9600 1001 1883 578 0000002 [SLPQ wait 0xc1ad9600][SLP] tcp 1885 c2748800 1001 1881 578 0000002 [SLPQ wait 0xc2748800][SLP] syscall 1884 c1b15800 1001 585 578 0004002 [SLPQ nanslp 0xc092990c][SLP] udp 1883 c1af6e00 1001 585 578 0004002 [SLPQ nanslp 0xc092990c][SLP] tcp 1881 c1af4000 1001 585 578 0004002 [SLPQ nanslp 0xc092990c][SLP] syscall 1880 c1ad8c00 1001 585 578 0004002 [SLPQ nanslp 0xc092990c][SLP] rw 1878 c1af4e00 1001 585 578 0004002 [SLPQ nanslp 
0xc092990c][SLP] mkdir 585 c1814400 1001 584 578 0000002 [SLPQ wait 0xc1814400][SLP] run 584 c186b000 1001 583 578 0000002 [SLPQ wait 0xc186b000][SLP] run 583 c1814000 1001 578 578 0004002 [SLPQ nanslp 0xc092990c][SLP] run 578 c1813c00 1001 570 578 0004002 [SLPQ wait 0xc1813c00][SLP] sh 570 c186aa00 1001 569 570 0004002 [SLPQ wait 0xc186aa00][SLP] bash 569 c186a400 1001 567 567 0000100 [SLPQ select 0xc0976c04][SLP] sshd 567 c186a000 0 431 567 0004100 [SLPQ sbwait 0xc182ac48][SLP] sshd 566 c1764c00 1001 560 566 0004002 [SLPQ select 0xc0976c04][SLP] top 560 c186b400 1001 559 560 0004002 [SLPQ wait 0xc186b400][SLP] bash 559 c1814200 1001 557 557 0000100 [SLPQ select 0xc0976c04][SLP] sshd 557 c186b600 0 431 557 0004100 [SLPQ sbwait 0xc182a480][SLP] sshd 549 c186ac00 0 1 549 0004002 [SLPQ ttyin 0xc16cc810][SLP] getty 548 c1813800 0 1 548 0004002 [SLPQ ttyin 0xc16ccc10][SLP] getty 547 c186a800 0 1 547 0004002 [SLPQ ttyin 0xc16cd010][SLP] getty 546 c186a200 0 1 546 0004002 [SLPQ ttyin 0xc16cd410][SLP] getty 545 c1764000 0 1 545 0004002 [SLPQ ttyin 0xc16c1410][SLP] getty 544 c1814800 0 1 544 0004002 [SLPQ ttyin 0xc16b9c10][SLP] getty 543 c1814a00 0 1 543 0004002 [SLPQ ttyin 0xc16c0c10][SLP] getty 542 c1814c00 0 1 542 0004002 [SLPQ ttyin 0xc16c1810][SLP] getty 510 c186a600 0 1 510 0000000 [SLPQ select 0xc0976c04][SLP] moused 453 c1814600 0 1 453 0000000 [SLPQ nanslp 0xc092990c][SLP] cron 441 c1764600 25 1 441 0000100 [SLPQ pause 0xc1764634][SLP] sendmail 437 c165ee00 0 1 437 0000100 [SLPQ select 0xc0976c04][SLP] sendmail 431 c1767c00 0 1 431 0000100 [SLPQ select 0xc0976c04][SLP] sshd 413 c1813600 0 1 413 0000000 [SLPQ select 0xc0976c04][SLP] ntpd 382 c1813a00 0 1 382 0000000 [SLPQ select 0xc0976c04][SLP] usbd 362 c1764200 0 357 357 0000000 [SLPQ - 0xc181f600][SLP] nfsd 361 c1813000 0 357 357 0000000 [SLPQ - 0xc181f800][SLP] nfsd 360 c1813e00 0 357 357 0000000 [SLPQ - 0xc181fa00][SLP] nfsd 359 c1767a00 0 357 357 0000000 [SLPQ - 0xc181f400][SLP] nfsd 357 c1767e00 0 1 357 
0000000 [SLPQ select 0xc0976c04][SLP] nfsd 355 c1813200 0 1 355 0000000 [SLPQ select 0xc0976c04][SLP] mountd 282 c1764a00 0 1 282 0000000 [SLPQ select 0xc0976c04][SLP] rpcbind 268 c1764800 0 1 268 0000000 [SLPQ select 0xc0976c04][SLP] syslogd 239 c1764400 0 1 239 0000000 [SLPQ select 0xc0976c04][SLP] devd 61 c1764e00 0 0 0 0000204 [SLPQ - 0xce9e7d04][SLP] schedcpu 60 c1767000 0 0 0 0000204 [SLPQ - 0xc097f10c][SLP] nfsiod 3 59 c1767200 0 0 0 0000204 [SLPQ - 0xc097f108][SLP] nfsiod 2 58 c1767400 0 0 0 0000204 [SLPQ - 0xc097f104][SLP] nfsiod 1 57 c1767600 0 0 0 0000204 [SLPQ - 0xc097f100][SLP] nfsiod 0 56 c1767800 0 0 0 0000204 [SLPQ syncer 0xc0929680][SLP] syncer 55 c158e400 0 0 0 0000204 [SLPQ vlruwt 0xc158e400][SLP] vnlru 54 c158e600 0 0 0 0000204 [SLPQ psleep 0xc097714c][SLP] bufdaemon 53 c158e800 0 0 0 000020c [SLPQ pgzero 0xc09856a4][SLP] pagezero 52 c158ea00 0 0 0 0000204 [SLPQ psleep 0xc09851f4][SLP] vmdaemon 51 c158ec00 0 0 0 0000204 [SLPQ psleep 0xc09851b0][SLP] pagedaemon 50 c158ee00 0 0 0 0000204 [SLPQ - 0xc168383c][SLP] fdc0 49 c165e000 0 0 0 0000204 [IWAIT] swi0: sio 48 c165e200 0 0 0 0000204 [SLPQ usbevt 0xc162b210][SLP] usb4 47 c165e400 0 0 0 0000204 [SLPQ usbevt 0xc1679210][SLP] usb3 46 c165e600 0 0 0 0000204 [SLPQ usbevt 0xc1666210][SLP] usb2 45 c165e800 0 0 0 0000204 [SLPQ usbevt 0xc1667210][SLP] usb1 44 c165ea00 0 0 0 0000204 [SLPQ usbtsk 0xc09175f4][SLP] usbtask 43 c165ec00 0 0 0 0000204 [SLPQ usbevt 0xc163a210][SLP] usb0 42 c157ec00 0 0 0 0000204 [IWAIT] swi6: task queue 9 c157ee00 0 0 0 0000204 [SLPQ - 0xc1634100][SLP] kqueue taskq 8 c158c000 0 0 0 0000204 [SLPQ - 0xc1634180][SLP] acpi_task2 7 c158c200 0 0 0 0000204 [SLPQ - 0xc1634180][SLP] acpi_task1 6 c158c400 0 0 0 0000204 [SLPQ - 0xc1634180][SLP] acpi_task0 41 c158c600 0 0 0 0000204 [IWAIT] swi2: cambio 40 c158c800 0 0 0 0000204 [IWAIT] swi5:+ 5 c158ca00 0 0 0 0000204 [SLPQ - 0xc1634400][SLP] thread taskq 39 c158cc00 0 0 0 0000204 [IWAIT] swi6:+ 38 c158ce00 0 0 0 0000204 [SLPQ - 
0xc0915320][SLP] yarrow 4 c158e000 0 0 0 0000204 [SLPQ - 0xc0919de8][SLP] g_down 3 c158e200 0 0 0 0000204 [SLPQ - 0xc0919de4][SLP] g_up 2 c156f600 0 0 0 0000204 [SLPQ - 0xc0919ddc][SLP] g_event 37 c156f800 0 0 0 0000204 [IWAIT] swi1: net 36 c156fa00 0 0 0 0000204 [IWAIT] swi3: vm 35 c156fc00 0 0 0 000020c [RUNQ] swi4: clock sio 34 c156fe00 0 0 0 0000204 [IWAIT] irq23: ehci0 33 c157e000 0 0 0 0000204 [IWAIT] irq22: rl0 32 c157e200 0 0 0 0000204 [IWAIT] irq21: 31 c157e400 0 0 0 0000204 [IWAIT] irq20: 30 c157e600 0 0 0 0000204 [IWAIT] irq19: uhci1 29 c157e800 0 0 0 0000204 [IWAIT] irq18: uhci2 28 c157ea00 0 0 0 0000204 [IWAIT] irq17: pcm0 27 c153d200 0 0 0 0000204 [IWAIT] irq16: uhci0 uhci3 26 c153d400 0 0 0 0000204 [IWAIT] irq15: ata1 25 c153d600 0 0 0 0000204 [IWAIT] irq14: ata0 24 c153d800 0 0 0 0000204 [IWAIT] irq13: 23 c153da00 0 0 0 0000204 [IWAIT] irq12: psm0 22 c153dc00 0 0 0 0000204 [IWAIT] irq11: 21 c153de00 0 0 0 0000204 [IWAIT] irq10: 20 c156f000 0 0 0 0000204 [IWAIT] irq9: acpi0 19 c156f200 0 0 0 0000204 [IWAIT] irq8: 18 c156f400 0 0 0 0000204 [IWAIT] irq7: ppc0 17 c1538000 0 0 0 0000204 [IWAIT] irq6: fdc0 16 c1538200 0 0 0 0000204 [IWAIT] irq5: 15 c1538400 0 0 0 0000204 [IWAIT] irq4: sio0 14 c1538600 0 0 0 0000204 [IWAIT] irq3: 13 c1538800 0 0 0 0000204 [IWAIT] irq0: 12 c1538a00 0 0 0 0000204 [IWAIT] irq1: atkbd0 11 c1538c00 0 0 0 000020c [Can run] idle: cpu0 1 c1538e00 0 0 1 0004200 [SLPQ wait 0xc1538e00][SLP] init 10 c153d000 0 0 0 0000204 [SLPQ ktrace 0xc0927858][SLP] ktrace 0 c0919ee0 0 0 0 0000200 [IWAIT] swapper 1907 c1af6600 1001 1885 578 0002002 zomb[INACTIVE] syscall 1882 c1b16000 1001 585 578 0006002 zomb[INACTIVE] sysctl 1879 c1b16600 1001 585 578 0006002 zomb[INACTIVE] thr1 db> call doadump Dumping 255 MB 16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 Dump complete 0xf db> reset #10 0xc062e9cf in panic (fmt=0xc086e46b "kmem_malloc(%ld): kmem_map too small: %ld total allocated") at ../../../kern/kern_shutdown.c:547 #11 0xc0782fe9 in 
kmem_malloc (map=0xc10590c0, size=0x33c2d000, flags=0x2) at ../../../vm/vm_kern.c:299 #12 0xc077c64a in page_alloc (zone=0x0, bytes=0x33c2d000, pflag=0x0, wait=0x2) at ../../../vm/uma_core.c:941 #13 0xc077e4e3 in uma_large_malloc (size=0x33c2d000, wait=0x2) at ../../../vm/uma_core.c:2670 #14 0xc0624da5 in malloc (size=0x33c2d000, mtp=0xc08b5ee0, flags=0x2) at ../../../kern/kern_malloc.c:322 #15 0xc0685a71 in freebsd4_getfsstat (td=0xc1ada300, uap=0xcf3cad04) at ../../../kern/vfs_syscalls.c:565 #16 0xc07eb19b in syscall (frame= {tf_fs = 0x3b, tf_es = 0x3b, tf_ds = 0x3b, tf_edi = 0x28050308, tf_esi = 0xbfbfeafc, tf_ebp = 0xbfbfe9c8, tf_isp = 0xcf3cad64, tf_ebx = 0x1, tf_edx = 0x0, tf_ecx = 0x8049080, tf_eax = 0x12, tf_trapno = 0x0, tf_err = 0x2, tf_eip = 0x2809b395, tf_cs = 0x33, tf_eflags = 0x293, tf_esp = 0xbfbfe980, tf_ss = 0x3b}) at ../../../i386/i386/trap.c:976 #17 0xc07d858f in Xint0x80_syscall () at ../../../i386/i386/exception.s:200 (kgdb) f 15 #15 0xc0685a71 in freebsd4_getfsstat (td=0xc1ada300, uap=0xcf3cad04) at ../../../kern/vfs_syscalls.c:565 565 buf = malloc(size, M_TEMP, M_WAITOK); (kgdb) l 560 int error; 561 562 count = uap->bufsize / sizeof(struct ostatfs); 563 size = count * sizeof(struct statfs); 564 if (size > 0) 565 buf = malloc(size, M_TEMP, M_WAITOK); 566 else 567 buf = NULL; 568 error = kern_getfsstat(td, buf, size, UIO_SYSSPACE, uap->flags); 569 if (buf != NULL) { (kgdb) info loc buf = (struct statfs *) 0xd800 sp = (struct statfs *) 0xc1ada300 osb = {f_spare2 = 0x406aef, f_bsize = 0xcf3cac7c, f_iosize = 0xc07f329c, f_blocks = 0xcf3cac56, f_bfree = 0x1, f_bavail = 0xa, f_files = 0xcf3cac60, f_ffree = 0x4, f_fsid = {val = {0xa, 0x0}}, f_owner = 0xda7a, f_type = 0x6400, f_flags = 0xda7a, f_syncwrites = 0xc1ada300, f_asyncwrites = 0x6af, f_fstypename = "\203j\205À,¬<Ï\000£Á\003\000\000", f_mntonname = 
"\n\000\000\000\002\000\000\000\002\000\000\000à\217zÚD¬<ÏT¬<Ï`¬<Ïdµ\207îW\002\000\000\000\000\000\000W\002\207îdµ<ÏáhbÀXh\000\000\000\000zÚ\000d\000\000\220¬<Ï\000\000\000\000\000\000tG\000\234\205À", f_syncreads = 0x3, f_asyncreads = 0xffffffa3, f_spares1 = 0x92c0, f_mntfromname = "\213Àïj@\000\230¬<Ïê4\177Àëý8\224eüÿ\177\231\2366\000\000\000\000\000\000\000\000\000\000<ÏålcÀëý8\224eüÿ\177\231\2366\000\000\000\000\000Ȩ\vqÏv@\000Èj\017ÝÍk\235\224ÿÿÿÿЬ", f_spares2 = 0xcf3c, f_spare = {0xc08b92d8, 0xc0929940}} count = 0x33c2cd00 size = 0x33c2cd00 error = 0xc1ad9e00