Current-Users archive
Re: 6.99.32: panic when starting X
On Sun, Feb 23, 2014 at 10:26:21PM +0000, David Laight wrote:
> On Sun, Feb 23, 2014 at 09:56:55PM +0100, Thomas Klausner wrote:
> > On Sun, Feb 23, 2014 at 10:34:32AM +0000, Nick Hudson wrote:
> > > On 02/23/14 09:41, Thomas Klausner wrote:
> >
> > > Also, x/i in ddb/crash that address and "show registers"
> >
> > (gdb) x/i usb_allocmem_flags+0x6c
> > 0xffffffff808dbe2c <usb_allocmem_flags+108>: cmp %rbx,(%rcx)
> >
> > > I assume usb_allocmem_flags+0x6c is 0xffffffff808dbe2c
> >
> > Correct!
> >
> > Does this help?
> >
> > I have the kernel (without symbols) and the crash dump if you want to
> > know more or look at it.
>
> The kernels I've built don't have a 'cmp' instruction anywhere near
> that offset in usb_allocmem_flags.
> The function isn't that big, so if you run 'objdump -d /netbsd >netbsd.dis'
> and search for the function body you'll only have about 120 lines.
> I can usually work out the source lines from that.
> (gdb's 'disas usb_allocmem_flags' probably gives the same lines.)
Thomas sent me the disassembly.
It 'blew up' dereferencing block->tag in the loop:
1.53 mrg      313:     mutex_enter(&usb_blk_lock);
1.1  augustss 314:     /* Check for free fragments. */
1.44 matt     315:     LIST_FOREACH(f, &usb_frag_freelist, next) {
1.48 matt     316:         KDASSERTMSG(usb_valid_block_p(f->block, &usb_blk_fraglist),
1.50 jym      317:             "%s: usb frag %p: unknown block pointer %p",
              318:             __func__, f, f->block);
1.1  augustss 319:         if (f->block->tag == tag)
              320:             break;
1.41 matt     321:     }
I'd guess a 'use after free' or 'allocate too short a buffer'.
David
--
David Laight: david%l8s.co.uk@localhost
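As an added illustration (not code from this thread or from the NetBSD tree), here is a constructed C model of the freelist walk quoted above. Plain next pointers and an int stand in for LIST_FOREACH and the bus_dma tag, usb_valid_block_p is re-implemented from its name, and the suspected use-after-free is simulated by releasing a block while its fragments stay on usb_frag_freelist; keeping the KDASSERTMSG check in the non-debug path turns the stale f->block into a reportable error rather than the dereference that panicked.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel structures (assumed, not the real layout). */
struct usb_dma_block {
	int tag;                       /* stands in for the bus_dma_tag_t */
	struct usb_dma_block *next;    /* membership on usb_blk_fraglist */
};
struct usb_frag_dma {
	struct usb_dma_block *block;   /* back pointer; goes stale if the block is freed first */
	struct usb_frag_dma *next;     /* membership on usb_frag_freelist */
};
static struct usb_dma_block *usb_blk_fraglist;
static struct usb_frag_dma *usb_frag_freelist;

/* What the KDASSERTMSG in the quoted loop checks: is f->block still a block we know about? */
static bool usb_valid_block_p(const struct usb_dma_block *b, const struct usb_dma_block *list)
{
	for (; list != NULL; list = list->next)
		if (list == b)
			return true;
	return false;
}

/* The freelist walk, with the validity check kept even when KDASSERT is compiled out.
 * Returns the free fragment for tag, or NULL; *stale is set to the first fragment whose
 * block pointer is no longer on usb_blk_fraglist, which is the case that panicked. */
static struct usb_frag_dma *find_free_frag(int tag, struct usb_frag_dma **stale)
{
	*stale = NULL;
	for (struct usb_frag_dma *f = usb_frag_freelist; f != NULL; f = f->next) {
		if (!usb_valid_block_p(f->block, usb_blk_fraglist)) {
			*stale = f;
			return NULL;           /* never touch f->block->tag through a stale pointer */
		}
		if (f->block->tag == tag)
			return f;
	}
	return NULL;
}

/* Constructed scenario: one block (tag 7) with two free fragments; optionally release the
 * block without pulling its fragments off the freelist, i.e. the suspected use-after-free.
 * Returns 1 if the lookup found a fragment, -1 if a stale fragment was caught, 0 if none matched. */
static int scenario(int tag, bool free_block_first)
{
	static struct usb_dma_block blk;
	static struct usb_frag_dma fa, fb;
	blk = (struct usb_dma_block){ .tag = 7, .next = NULL };
	fa = (struct usb_frag_dma){ .block = &blk, .next = NULL };
	fb = (struct usb_frag_dma){ .block = &blk, .next = &fa };
	usb_blk_fraglist = &blk;
	usb_frag_freelist = &fb;
	if (free_block_first)
		usb_blk_fraglist = NULL;   /* block released; its fragments stay on the freelist */
	struct usb_frag_dma *stale, *f = find_free_frag(tag, &stale);
	return f != NULL ? 1 : (stale != NULL ? -1 : 0);
}
```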