GENERIC HEAD from Oct 14 10:43 UTC, vmcore.98: missing parameter validation for syscall #54 (ioctl) GDB: no debug ports present KDB: debugger backends: ddb KDB: current backend: ddb Copyright (c) 1992-2006 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD is a registered trademark of The FreeBSD Foundation. FreeBSD 7.0-CURRENT #0: Sat Oct 14 14:41:05 CEST 2006 pho@crashbox.osted.lan:/usr/src/sys/i386/compile/PHO WARNING: WITNESS option enabled, expect reduced performance. Timecounter "i8254" frequency 1193182 Hz quality 0 CPU: Intel(R) XEON(TM) CPU 1.80GHz (1799.81-MHz 686-class CPU) Origin = "GenuineIntel" Id = 0xf24 Stepping = 4 Features=0x3febfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM> Logical CPUs per core: 2 real memory = 1073676288 (1023 MB) avail memory = 1032458240 (984 MB) : Trying to mount root from ufs:/dev/ad0s1a fxp0: link state changed to UP panic: free: address 0xe6745d0c(0xe6745000) has not been allocated. cpuid = 3 KDB: enter: panic [thread pid 1704 tid 100128 ] Stopped at kdb_enter+0x2b: nop db> where Tracing pid 1704 tid 100128 td 0xc4134d80 kdb_enter(c091de21) at kdb_enter+0x2b panic(c091bf4e,e6745d0c,e6745000,8000f7ef,0,...) at panic+0x14b free(e6745d0c,c09cbfa0,e6745d0c,c4134d80,0,...) at free+0x8e ioctl(c4134d80,e6745d04) at ioctl+0xbe syscall(2805003b,bfbf003b,bfbf003b,2805188c,bfbfec00,...) 
at syscall+0x256 Xint0x80_syscall() at Xint0x80_syscall+0x1f --- syscall (54, FreeBSD ELF32, ioctl), eip = 0x280b0571, esp = 0xbfbfea60, ebp = 0xbfbfeaa8 --- db> show alllocks Process 1706 (syscall) thread 0xc4069bd0 (100095) exclusive sleep mutex pmap r = 0 (0xc415b0a8) locked @ i386/i386/pmap.c:2326 exclusive sleep mutex vm page queue mutex r = 0 (0xc0a67adc) locked @ i386/i386/pmap.c:2325 exclusive sx user map r = 0 (0xc415b044) locked @ vm/vm_map.c:3073 db> show allpcpu Current CPU: 3 cpuid = 0 curthread = 0xc3c36a20: pid 13 "idle: cpu0" curpcb = 0xe26d3d90 fpcurthread = none idlethread = 0xc3c36a20: pid 13 "idle: cpu0" APIC ID = 0 currentldt = 0x50 spin locks held: cpuid = 1 curthread = 0xc4015360: pid 1705 "syscall" curpcb = 0xe6652d90 fpcurthread = none idlethread = 0xc3c36870: pid 12 "idle: cpu1" APIC ID = 1 currentldt = 0x50 spin locks held: cpuid = 2 curthread = 0xc4069bd0: pid 1706 "syscall" curpcb = 0xe66c1d90 fpcurthread = none idlethread = 0xc3c366c0: pid 11 "idle: cpu2" APIC ID = 6 currentldt = 0x50 spin locks held: cpuid = 3 curthread = 0xc4134d80: pid 1704 "syscall" curpcb = 0xe6745d90 fpcurthread = none idlethread = 0xc3c36510: pid 10 "idle: cpu3" APIC ID = 7 currentldt = 0x50 spin locks held: db> set $lines 0 db> ps pid ppid pgrp uid state wmesg wchan cmd 1706 1700 1699 1001 R+ CPU 2 syscall 1705 1700 1699 1001 RL+ CPU 1 syscall 1704 1700 1699 1001 R+ CPU 3 syscall 1703 1700 1699 1001 S+ nanslp 0xc0a0d8a4 syscall 1702 1700 1699 1001 S+ nanslp 0xc0a0d8a4 syscall 1701 1700 1699 1001 S+ nanslp 0xc0a0d8a4 syscall 1700 1699 1699 1001 S+ wait 0xc4132000 syscall 1699 936 1699 1001 S+ nanslp 0xc0a0d8a4 syscall 936 935 936 1001 Ss+ wait 0xc3f7f69c bash 935 933 933 1001 S select 0xc0a5a39c sshd 933 757 933 0 Ss sbwait 0xc41b1480 sshd 884 1 884 0 Ss+ ttyin 0xc3dfe810 getty 883 1 883 0 Ss+ ttyin 0xc3e02810 getty 882 1 882 0 Ss+ ttyin 0xc3e01810 getty 881 1 881 0 Ss+ ttyin 0xc3e01010 getty 880 1 880 0 Ss+ ttyin 0xc3e00c10 getty 879 1 879 0 Ss+ ttyin 
0xc3e02c10 getty 878 1 878 0 Ss+ ttyin 0xc3e03010 getty 877 1 877 0 Ss+ ttyin 0xc3e01c10 getty 863 1 863 0 Ss select 0xc0a5a39c inetd 836 1 836 0 Ss select 0xc0a5a39c moused 822 1 822 0 Ss nanslp 0xc0a0d8a4 watchdogd 773 1 773 0 Ss nanslp 0xc0a0d8a4 cron 767 1 767 25 Ss pause 0xc4066034 sendmail 763 1 763 0 Ss select 0xc0a5a39c sendmail 757 1 757 0 Ss select 0xc0a5a39c sshd 738 1 738 0 Ss select 0xc0a5a39c ntpd 684 680 680 0 S - 0xc4169000 nfsd 683 680 680 0 S - 0xc4149400 nfsd 682 680 680 0 S - 0xc3f72000 nfsd 681 680 680 0 S - 0xc3fb1800 nfsd 680 1 680 0 Ss select 0xc0a5a39c nfsd 678 1 678 0 Ss select 0xc0a5a39c mountd 628 1 628 0 Ss select 0xc0a5a39c rpcbind 609 1 609 0 Ss select 0xc0a5a39c syslogd 542 1 542 0 Ss select 0xc0a5a39c devd 42 0 0 0 SL - 0xe43f4cfc [schedcpu] 41 0 0 0 SL sdflush 0xc0a672e0 [softdepflush] 40 0 0 0 SL syncer 0xc0a0d670 [syncer] 39 0 0 0 SL vlruwt 0xc3f81000 [vnlru] 38 0 0 0 SL psleep 0xc0a5a814 [bufdaemon] 37 0 0 0 SL pgzero 0xc0a6fc10 [pagezero] 36 0 0 0 SL psleep 0xc0a67b40 [vmdaemon] 35 0 0 0 SL psleep 0xc0a67b00 [pagedaemon] 34 0 0 0 WL [irq7: ppc0] 33 0 0 0 SL - 0xc3d7e03c [fdc0] 32 0 0 0 WL [swi0: sio] 31 0 0 0 WL [irq12: psm0] 30 0 0 0 WL [irq1: atkbd0] 29 0 0 0 WL [irq15: ata1] 28 0 0 0 WL [irq14: ata0] 27 0 0 0 WL [irq17: fxp0] 26 0 0 0 SL usbtsk 0xc0a0ae24 [usbtask] 25 0 0 0 SL usbevt 0xc3d6d210 [usb0] 24 0 0 0 WL [irq16: uhci0] 23 0 0 0 SL - 0xc3d5a280 [em0 taskq] 22 0 0 0 WL [irq9: acpi0] 21 0 0 0 WL [swi5: +] 9 0 0 0 SL - 0xc3c85780 [thread taskq] 8 0 0 0 SL - 0xc3c85800 [acpi_task_2] 7 0 0 0 SL - 0xc3c85800 [acpi_task_1] 6 0 0 0 SL - 0xc3c85800 [acpi_task_0] 20 0 0 0 WL [swi6: Giant taskq] 19 0 0 0 WL [swi6: task queue] 5 0 0 0 SL - 0xc3c85a80 [kqueue taskq] 18 0 0 0 WL [swi2: cambio] 17 0 0 0 SL - 0xc0a08a60 [yarrow] 4 0 0 0 SL - 0xc0a0b5dc [g_down] 3 0 0 0 SL - 0xc0a0b5d8 [g_up] 2 0 0 0 SL - 0xc0a0b5d0 [g_event] 16 0 0 0 WL [swi1: net] 15 0 0 0 WL [swi3: vm] 14 0 0 0 WL [swi4: clock sio] 13 0 0 0 RL CPU 0 [idle: cpu0] 
12 0 0 0 RL [idle: cpu1] 11 0 0 0 RL [idle: cpu2] 10 0 0 0 RL [idle: cpu3] 1 0 1 0 SLs wait 0xc3c3a000 [init] 0 0 0 0 WLs [swapper] db> call doadump Physical memory: 1007 MB Dumping 64 MB: 49 33 17 1 Dump complete = 0xf db> reset cpu_reset: Restarting BSP cpu_reset_proxy: Stopped CPU 3 (kgdb) bt #0 doadump () at pcpu.h:166 #1 0xc04763db in db_fncall (dummy1=-428582284, dummy2=0, dummy3=-1062676320, dummy4=0xe6745a50 "@Y©À") at ../../../ddb/db_command.c:486 #2 0xc04761e7 in db_command (last_cmdp=0xc09f2c44, cmd_table=0x0) at ../../../ddb/db_command.c:401 #3 0xc04762a2 in db_command_loop () at ../../../ddb/db_command.c:453 #4 0xc0477ef9 in db_trap (type=3, code=0) at ../../../ddb/db_main.c:228 #5 0xc06b6288 in kdb_trap (type=3, code=0, tf=0xe6745be0) at ../../../kern/subr_kdb.c:502 #6 0xc0898d24 in trap (frame= {tf_fs = -428605432, tf_es = -1066729432, tf_ds = -1064173528, tf_edi = -1064190130, tf_esi = 1, tf_ebp = -428581856, tf_isp = -428581876, tf_ebx = -428581812, tf_edx = 0, tf_ecx = -1048367104, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1066704977, tf_cs = 32, tf_eflags = 658, tf_esp = -428581824, tf_ss = -1066828661}) at ../../../i386/i386/trap.c:620 #7 0xc0883aea in calltrap () at ../../../i386/i386/exception.s:138 #8 0xc06b5faf in kdb_enter (msg=0x12 <Address 0x12 out of bounds>) at cpufunc.h:60 #9 0xc0697c8b in panic (fmt=0xc091bf4e "free: address %p(%p) has not been allocated.\n") at ../../../kern/kern_shutdown.c:559 #10 0xc068d0ee in free (addr=0xe6745d0c, mtp=0xc09cbfa0) at ../../../kern/kern_malloc.c:417 #11 0xc06c378a in ioctl (td=0xc4134d80, uap=0xe6745d04) at ../../../kern/sys_generic.c:568 #12 0xc0899572 in syscall (frame= {tf_fs = 671416379, tf_es = -1078001605, tf_ds = -1078001605, tf_edi = 671422604, tf_esi = -1077941248, tf_ebp = -1077941592, tf_isp = -428581532, tf_ebx = 8, tf_edx = 0, tf_ecx = 134517072, tf_eax = 54, tf_trapno = 0, tf_err = 2, tf_eip = 671810929, tf_cs = 51, tf_eflags = 663, tf_esp = -1077941664, tf_ss = 59}) at 
../../../i386/i386/trap.c:1006 #13 0xc0883b3f in Xint0x80_syscall () at ../../../i386/i386/exception.s:191 #14 0x00000033 in ?? () (kgdb) f 11 #11 0xc06c378a in ioctl (td=0xc4134d80, uap=0xe6745d04) at ../../../kern/sys_generic.c:568 568 free(data, M_IOCTLOPS); (kgdb) l 563 } else 564 data = (void *)&uap->data; 565 if (com & IOC_IN) { 566 error = copyin(uap->data, data, (u_int)size); 567 if (error) { 568 free(data, M_IOCTLOPS); 569 return (error); 570 } 571 } else if (com & IOC_OUT) { 572 /* (kgdb) info loc com = 2147547119 arg = -1005367936 error = 14 size = 0 data = 0xe6745d0c "°íâú\220Ð| À\002" (kgdb) p *uap $1 = {fd_l_ = 0xe6745d04 "\005\001\f\026ï÷", fd = 369885445, fd_r_ = 0xe6745d08 "ï÷", com_l_ = 0xe6745d08 "ï÷", com = 2147547119, com_r_ = 0xe6745d0c "°íâú\220Ð| À\002", data_l_ = 0xe6745d0c "°íâú\220Ð| À\002", data = 0xfae2edb0 <Address 0xfae2edb0 out of bounds>, data_r_ = 0xe6745d10 "\220Ð| À\002"}