GENERIC HEAD from Jun 11 06:49 UTC, vmcore.354
Missing parameter validation in freebsd4_getfsstat(): the user-supplied uap->bufsize is turned into an allocation size with no upper bound (see the listing at vfs_syscalls.c:562-565, where count and size are derived directly from uap->bufsize), so a single syscall argument from an unprivileged process (pid 1893, uid 1001 in the ps output) reaches the kmem_malloc(868405248) call that panics the kernel below.
Fixed in kern/vfs_syscalls.c,v 1.390 2005/06/12 07:03:23 pjd.
GDB: no debug ports present
KDB: debugger backends: ddb
KDB: current backend: ddb
Copyright (c) 1992-2005 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 6.0-CURRENT #0: Sat Jun 11 09:26:47 CEST 2005
pho@current.osted.lan:/usr/src/sys/i386/compile/PHO
WARNING: WITNESS option enabled, expect reduced performance.
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(R) CPU 1.80GHz (1799.15-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0xf13 Stepping = 3
Features=0x3febfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM>
real memory = 267583488 (255 MB)
avail memory = 252256256 (240 MB)
:
Trying to mount root from ufs:/dev/ad0s1a
rl0: link state changed to DOWN
panic: kmem_malloc(868405248): kmem_map too small: 33984512 total allocated
cpuid = 0
KDB: enter: panic
[thread pid 1893 tid 100119 ]
Stopped at kdb_enter+0x2b: nop
db> where
Tracing pid 1893 tid 100119 td 0xc1ada300
kdb_enter(c0852fc9) at kdb_enter+0x2b
panic(c086e46b,33c2d000,2069000,c2b78640,33c2d000) at panic+0x14b
kmem_malloc(c10590c0,33c2d000,2,cf3cab98,c077e4e3) at kmem_malloc+0x89
page_alloc(0,33c2d000,cf3cab8b,2,2000003) at page_alloc+0x1a
uma_large_malloc(33c2d000,2,3a9,33c2cd00,c1ada300) at uma_large_malloc+0x3b
malloc(33c2cd00,c08b5ee0,2,d800,406aef) at malloc+0xf1
freebsd4_getfsstat(c1ada300,cf3cad04,3,3,293) at freebsd4_getfsstat+0x39
syscall(3b,3b,3b,28050308,bfbfeafc) at syscall+0x22f
Xint0x80_syscall() at Xint0x80_syscall+0x1f
--- syscall (18, FreeBSD ELF32, freebsd4_getfsstat), eip = 0x2809b395, esp = 0xbfbfe980, ebp = 0xbfbfe9c8 ---
db> show pcpu
cpuid = 0
curthread = 0xc1ada300: pid 1893 "syscall"
curpcb = 0xcf3cad90
fpcurthread = none
idlethread = 0xc1539600: pid 11 "idle: cpu0"
APIC ID = 0
currentldt = 0x50
spin locks held:
db> ps
pid proc uid ppid pgrp flag stat wmesg wchan cmd
1906 c292de00 1001 1896 578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp
1905 c1ad9400 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
1904 c1af6c00 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
1903 c1813400 1001 1901 578 0000002 [SLPQ nanslp 0xc092990c][SLP] mkdir
1902 c1b15e00 1001 1901 578 0000002 [RUNQ] mkdir
1901 c1b16c00 1001 1878 578 0000002 [SLPQ wait 0xc1b16c00][SLP] mkdir
1900 c1ad9800 1001 1896 578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp
1899 c2747c00 1001 1896 578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp
1898 c2748a00 1001 1896 578 0000002 [SLPQ nanslp 0xc092990c][SLP] udp
1897 c2747600 1001 1896 578 0000002 [RUNQ] udp
1896 c1b15a00 1001 1884 578 0000002 [SLPQ wait 0xc1b15a00][SLP] udp
1895 c2929c00 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
1894 c1af4a00 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
1893 c1ad9e00 1001 1885 578 0000002 [CPU 0] syscall
1892 c186b200 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
1891 c2747200 1001 1887 578 0000002 [SLPQ nanslp 0xc092990c][SLP] rw
1890 c2748000 1001 1885 578 0000002 [SLPQ nanslp 0xc092990c][SLP] syscall
1889 c1b16200 1001 1887 578 0000002 [SLPQ nanslp 0xc092990c][SLP] rw
1888 c2929a00 1001 1886 578 0000002 [SLPQ nanslp 0xc092990c][SLP] tcp
1887 c1b15000 1001 1880 578 0000002 [SLPQ wait 0xc1b15000][SLP] rw
1886 c1ad9600 1001 1883 578 0000002 [SLPQ wait 0xc1ad9600][SLP] tcp
1885 c2748800 1001 1881 578 0000002 [SLPQ wait 0xc2748800][SLP] syscall
1884 c1b15800 1001 585 578 0004002 [SLPQ nanslp 0xc092990c][SLP] udp
1883 c1af6e00 1001 585 578 0004002 [SLPQ nanslp 0xc092990c][SLP] tcp
1881 c1af4000 1001 585 578 0004002 [SLPQ nanslp 0xc092990c][SLP] syscall
1880 c1ad8c00 1001 585 578 0004002 [SLPQ nanslp 0xc092990c][SLP] rw
1878 c1af4e00 1001 585 578 0004002 [SLPQ nanslp 0xc092990c][SLP] mkdir
585 c1814400 1001 584 578 0000002 [SLPQ wait 0xc1814400][SLP] run
584 c186b000 1001 583 578 0000002 [SLPQ wait 0xc186b000][SLP] run
583 c1814000 1001 578 578 0004002 [SLPQ nanslp 0xc092990c][SLP] run
578 c1813c00 1001 570 578 0004002 [SLPQ wait 0xc1813c00][SLP] sh
570 c186aa00 1001 569 570 0004002 [SLPQ wait 0xc186aa00][SLP] bash
569 c186a400 1001 567 567 0000100 [SLPQ select 0xc0976c04][SLP] sshd
567 c186a000 0 431 567 0004100 [SLPQ sbwait 0xc182ac48][SLP] sshd
566 c1764c00 1001 560 566 0004002 [SLPQ select 0xc0976c04][SLP] top
560 c186b400 1001 559 560 0004002 [SLPQ wait 0xc186b400][SLP] bash
559 c1814200 1001 557 557 0000100 [SLPQ select 0xc0976c04][SLP] sshd
557 c186b600 0 431 557 0004100 [SLPQ sbwait 0xc182a480][SLP] sshd
549 c186ac00 0 1 549 0004002 [SLPQ ttyin 0xc16cc810][SLP] getty
548 c1813800 0 1 548 0004002 [SLPQ ttyin 0xc16ccc10][SLP] getty
547 c186a800 0 1 547 0004002 [SLPQ ttyin 0xc16cd010][SLP] getty
546 c186a200 0 1 546 0004002 [SLPQ ttyin 0xc16cd410][SLP] getty
545 c1764000 0 1 545 0004002 [SLPQ ttyin 0xc16c1410][SLP] getty
544 c1814800 0 1 544 0004002 [SLPQ ttyin 0xc16b9c10][SLP] getty
543 c1814a00 0 1 543 0004002 [SLPQ ttyin 0xc16c0c10][SLP] getty
542 c1814c00 0 1 542 0004002 [SLPQ ttyin 0xc16c1810][SLP] getty
510 c186a600 0 1 510 0000000 [SLPQ select 0xc0976c04][SLP] moused
453 c1814600 0 1 453 0000000 [SLPQ nanslp 0xc092990c][SLP] cron
441 c1764600 25 1 441 0000100 [SLPQ pause 0xc1764634][SLP] sendmail
437 c165ee00 0 1 437 0000100 [SLPQ select 0xc0976c04][SLP] sendmail
431 c1767c00 0 1 431 0000100 [SLPQ select 0xc0976c04][SLP] sshd
413 c1813600 0 1 413 0000000 [SLPQ select 0xc0976c04][SLP] ntpd
382 c1813a00 0 1 382 0000000 [SLPQ select 0xc0976c04][SLP] usbd
362 c1764200 0 357 357 0000000 [SLPQ - 0xc181f600][SLP] nfsd
361 c1813000 0 357 357 0000000 [SLPQ - 0xc181f800][SLP] nfsd
360 c1813e00 0 357 357 0000000 [SLPQ - 0xc181fa00][SLP] nfsd
359 c1767a00 0 357 357 0000000 [SLPQ - 0xc181f400][SLP] nfsd
357 c1767e00 0 1 357 0000000 [SLPQ select 0xc0976c04][SLP] nfsd
355 c1813200 0 1 355 0000000 [SLPQ select 0xc0976c04][SLP] mountd
282 c1764a00 0 1 282 0000000 [SLPQ select 0xc0976c04][SLP] rpcbind
268 c1764800 0 1 268 0000000 [SLPQ select 0xc0976c04][SLP] syslogd
239 c1764400 0 1 239 0000000 [SLPQ select 0xc0976c04][SLP] devd
61 c1764e00 0 0 0 0000204 [SLPQ - 0xce9e7d04][SLP] schedcpu
60 c1767000 0 0 0 0000204 [SLPQ - 0xc097f10c][SLP] nfsiod 3
59 c1767200 0 0 0 0000204 [SLPQ - 0xc097f108][SLP] nfsiod 2
58 c1767400 0 0 0 0000204 [SLPQ - 0xc097f104][SLP] nfsiod 1
57 c1767600 0 0 0 0000204 [SLPQ - 0xc097f100][SLP] nfsiod 0
56 c1767800 0 0 0 0000204 [SLPQ syncer 0xc0929680][SLP] syncer
55 c158e400 0 0 0 0000204 [SLPQ vlruwt 0xc158e400][SLP] vnlru
54 c158e600 0 0 0 0000204 [SLPQ psleep 0xc097714c][SLP] bufdaemon
53 c158e800 0 0 0 000020c [SLPQ pgzero 0xc09856a4][SLP] pagezero
52 c158ea00 0 0 0 0000204 [SLPQ psleep 0xc09851f4][SLP] vmdaemon
51 c158ec00 0 0 0 0000204 [SLPQ psleep 0xc09851b0][SLP] pagedaemon
50 c158ee00 0 0 0 0000204 [SLPQ - 0xc168383c][SLP] fdc0
49 c165e000 0 0 0 0000204 [IWAIT] swi0: sio
48 c165e200 0 0 0 0000204 [SLPQ usbevt 0xc162b210][SLP] usb4
47 c165e400 0 0 0 0000204 [SLPQ usbevt 0xc1679210][SLP] usb3
46 c165e600 0 0 0 0000204 [SLPQ usbevt 0xc1666210][SLP] usb2
45 c165e800 0 0 0 0000204 [SLPQ usbevt 0xc1667210][SLP] usb1
44 c165ea00 0 0 0 0000204 [SLPQ usbtsk 0xc09175f4][SLP] usbtask
43 c165ec00 0 0 0 0000204 [SLPQ usbevt 0xc163a210][SLP] usb0
42 c157ec00 0 0 0 0000204 [IWAIT] swi6: task queue
9 c157ee00 0 0 0 0000204 [SLPQ - 0xc1634100][SLP] kqueue taskq
8 c158c000 0 0 0 0000204 [SLPQ - 0xc1634180][SLP] acpi_task2
7 c158c200 0 0 0 0000204 [SLPQ - 0xc1634180][SLP] acpi_task1
6 c158c400 0 0 0 0000204 [SLPQ - 0xc1634180][SLP] acpi_task0
41 c158c600 0 0 0 0000204 [IWAIT] swi2: cambio
40 c158c800 0 0 0 0000204 [IWAIT] swi5:+
5 c158ca00 0 0 0 0000204 [SLPQ - 0xc1634400][SLP] thread taskq
39 c158cc00 0 0 0 0000204 [IWAIT] swi6:+
38 c158ce00 0 0 0 0000204 [SLPQ - 0xc0915320][SLP] yarrow
4 c158e000 0 0 0 0000204 [SLPQ - 0xc0919de8][SLP] g_down
3 c158e200 0 0 0 0000204 [SLPQ - 0xc0919de4][SLP] g_up
2 c156f600 0 0 0 0000204 [SLPQ - 0xc0919ddc][SLP] g_event
37 c156f800 0 0 0 0000204 [IWAIT] swi1: net
36 c156fa00 0 0 0 0000204 [IWAIT] swi3: vm
35 c156fc00 0 0 0 000020c [RUNQ] swi4: clock sio
34 c156fe00 0 0 0 0000204 [IWAIT] irq23: ehci0
33 c157e000 0 0 0 0000204 [IWAIT] irq22: rl0
32 c157e200 0 0 0 0000204 [IWAIT] irq21:
31 c157e400 0 0 0 0000204 [IWAIT] irq20:
30 c157e600 0 0 0 0000204 [IWAIT] irq19: uhci1
29 c157e800 0 0 0 0000204 [IWAIT] irq18: uhci2
28 c157ea00 0 0 0 0000204 [IWAIT] irq17: pcm0
27 c153d200 0 0 0 0000204 [IWAIT] irq16: uhci0 uhci3
26 c153d400 0 0 0 0000204 [IWAIT] irq15: ata1
25 c153d600 0 0 0 0000204 [IWAIT] irq14: ata0
24 c153d800 0 0 0 0000204 [IWAIT] irq13:
23 c153da00 0 0 0 0000204 [IWAIT] irq12: psm0
22 c153dc00 0 0 0 0000204 [IWAIT] irq11:
21 c153de00 0 0 0 0000204 [IWAIT] irq10:
20 c156f000 0 0 0 0000204 [IWAIT] irq9: acpi0
19 c156f200 0 0 0 0000204 [IWAIT] irq8:
18 c156f400 0 0 0 0000204 [IWAIT] irq7: ppc0
17 c1538000 0 0 0 0000204 [IWAIT] irq6: fdc0
16 c1538200 0 0 0 0000204 [IWAIT] irq5:
15 c1538400 0 0 0 0000204 [IWAIT] irq4: sio0
14 c1538600 0 0 0 0000204 [IWAIT] irq3:
13 c1538800 0 0 0 0000204 [IWAIT] irq0:
12 c1538a00 0 0 0 0000204 [IWAIT] irq1: atkbd0
11 c1538c00 0 0 0 000020c [Can run] idle: cpu0
1 c1538e00 0 0 1 0004200 [SLPQ wait 0xc1538e00][SLP] init
10 c153d000 0 0 0 0000204 [SLPQ ktrace 0xc0927858][SLP] ktrace
0 c0919ee0 0 0 0 0000200 [IWAIT] swapper
1907 c1af6600 1001 1885 578 0002002 zomb[INACTIVE] syscall
1882 c1b16000 1001 585 578 0006002 zomb[INACTIVE] sysctl
1879 c1b16600 1001 585 578 0006002 zomb[INACTIVE] thr1
db> call doadump
Dumping 255 MB
16 32 48 64 80 96 112 128 144 160 176 192 208 224 240
Dump complete
0xf
db> reset
#10 0xc062e9cf in panic (fmt=0xc086e46b "kmem_malloc(%ld): kmem_map too small: %ld total allocated") at ../../../kern/kern_shutdown.c:547
#11 0xc0782fe9 in kmem_malloc (map=0xc10590c0, size=0x33c2d000, flags=0x2) at ../../../vm/vm_kern.c:299
#12 0xc077c64a in page_alloc (zone=0x0, bytes=0x33c2d000, pflag=0x0, wait=0x2) at ../../../vm/uma_core.c:941
#13 0xc077e4e3 in uma_large_malloc (size=0x33c2d000, wait=0x2) at ../../../vm/uma_core.c:2670
#14 0xc0624da5 in malloc (size=0x33c2d000, mtp=0xc08b5ee0, flags=0x2) at ../../../kern/kern_malloc.c:322
#15 0xc0685a71 in freebsd4_getfsstat (td=0xc1ada300, uap=0xcf3cad04) at ../../../kern/vfs_syscalls.c:565
#16 0xc07eb19b in syscall (frame=
{tf_fs = 0x3b, tf_es = 0x3b, tf_ds = 0x3b, tf_edi = 0x28050308, tf_esi = 0xbfbfeafc, tf_ebp = 0xbfbfe9c8, tf_isp = 0xcf3cad64, tf_ebx = 0x1, tf_edx = 0x0, tf_ecx = 0x8049080, tf_eax = 0x12, tf_trapno = 0x0, tf_err = 0x2, tf_eip = 0x2809b395, tf_cs = 0x33, tf_eflags = 0x293, tf_esp = 0xbfbfe980, tf_ss = 0x3b}) at ../../../i386/i386/trap.c:976
#17 0xc07d858f in Xint0x80_syscall () at ../../../i386/i386/exception.s:200
(kgdb) f 15
#15 0xc0685a71 in freebsd4_getfsstat (td=0xc1ada300, uap=0xcf3cad04) at ../../../kern/vfs_syscalls.c:565
565 buf = malloc(size, M_TEMP, M_WAITOK);
(kgdb) l
560 int error;
561
562 count = uap->bufsize / sizeof(struct ostatfs);
563 size = count * sizeof(struct statfs);
564 if (size > 0)
565 buf = malloc(size, M_TEMP, M_WAITOK);
566 else
567 buf = NULL;
568 error = kern_getfsstat(td, buf, size, UIO_SYSSPACE, uap->flags);
569 if (buf != NULL) {
(kgdb) info loc
buf = (struct statfs *) 0xd800
sp = (struct statfs *) 0xc1ada300
osb = {f_spare2 = 0x406aef, f_bsize = 0xcf3cac7c, f_iosize = 0xc07f329c, f_blocks = 0xcf3cac56, f_bfree = 0x1, f_bavail = 0xa,
f_files = 0xcf3cac60, f_ffree = 0x4, f_fsid = {val = {0xa, 0x0}}, f_owner = 0xda7a, f_type = 0x6400, f_flags = 0xda7a,
f_syncwrites = 0xc1ada300, f_asyncwrites = 0x6af, f_fstypename = "\203j\205À,¬<Ï\000£Á\003\000\000",
f_mntonname = "\n\000\000\000\002\000\000\000\002\000\000\000à\217zÚD¬<ÏT¬<Ï`¬<Ïdµ\207îW\002\000\000\000\000\000\000W\002\207îdµ<ÏáhbÀXh\000\000\000\000zÚ\000d\000\000\220¬<Ï\000\000\000\000\000\000tG\000\234\205À", f_syncreads = 0x3, f_asyncreads = 0xffffffa3,
f_spares1 = 0x92c0,
f_mntfromname = "\213Àïj@\000\230¬<Ïê4\177Àëý8\224eüÿ\177\231\2366\000\000\000\000\000\000\000\000\000\000<ÏålcÀëý8\224eüÿ\177\231\2366\000\000\000\000\000Ȩ\vqÏv@\000Èj\017ÝÍk\235\224ÿÿÿÿЬ", f_spares2 = 0xcf3c, f_spare = {0xc08b92d8, 0xc0929940}}
count = 0x33c2cd00
size = 0x33c2cd00
error = 0xc1ad9e00