Current-Users archive


Re: 6.99.32: panic when starting X
On Sun, Feb 23, 2014 at 10:26:21PM +0000, David Laight wrote:
> On Sun, Feb 23, 2014 at 09:56:55PM +0100, Thomas Klausner wrote:
> > On Sun, Feb 23, 2014 at 10:34:32AM +0000, Nick Hudson wrote:
> > > On 02/23/14 09:41, Thomas Klausner wrote:
> > 
> > > Also, x/i in ddb/crash that address and "show registers"
> > 
> > (gdb) x/i  usb_allocmem_flags+0x6c
> >    0xffffffff808dbe2c <usb_allocmem_flags+108>: cmp    %rbx,(%rcx)
> > 
> > > I assume usb_allocmem_flags+0x6c is 0xffffffff808dbe2c
> > 
> > Correct!
> > 
> > Does this help?
> > 
> > I have the kernel (without symbols) and the crash dump if you want to
> > know more or look at it.
> 
> The kernels I've built don't have a 'cmp' instruction anywhere near
> that offset in usb_allocmem_flags.
> The function isn't that big, so if you run 'objdump -d /netbsd >netbsd.dis'
> and search for the function body you'll only have about 120 lines.
> I can usually work out the source lines from that.
> (gdb's 'disas usb_allocmem_flags' probably gives the same lines.)

Thomas sent me the disassembly.
It 'blew up' dereferencing block->tag in the loop:

1.53      mrg       313:        mutex_enter(&usb_blk_lock);
1.1       augustss  314:        /* Check for free fragments. */
1.44      matt      315:        LIST_FOREACH(f, &usb_frag_freelist, next) {
1.48      matt      316:                KDASSERTMSG(usb_valid_block_p(f->block, &usb_blk_fraglist),
1.50      jym       317:                    "%s: usb frag %p: unknown block pointer %p",
                    318:                     __func__, f, f->block);
1.1       augustss  319:                if (f->block->tag == tag)
                    320:                        break;
1.41      matt      321:        }

I'd guess a 'use after free' or 'allocate too short a buffer'.

        David

-- 
David Laight: david%l8s.co.uk@localhost
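The free-list walk quoted in the message, as an added example that is not NetBSD's code: a toy fragment free list where each fragment points at its owning block, with a usb_valid_block_p()-style membership check that reports a stale block pointer instead of performing the crashing read of f->block->tag. The struct names, the list layout and the find_frag/scenario helpers are assumptions, not the layout of sys/dev/usb/usb_mem.c.

```c
/* Added example, not NetBSD code: a toy model of the free-list walk above.
 * Each free fragment points at its owning block; a usb_valid_block_p()-style
 * membership check catches a stale f->block before f->block->tag is read. */
#include <stdlib.h>

struct usb_block { struct usb_block *next; int tag; };
struct usb_frag  { struct usb_frag *next; struct usb_block *block; };

static struct usb_block *blocklist;  /* live blocks, like usb_blk_fraglist */
static struct usb_frag  *freelist;   /* free fragments, like usb_frag_freelist */

/* Is 'b' still a live block? Same intent as usb_valid_block_p(). */
static int valid_block_p(const struct usb_block *b) {
    for (const struct usb_block *it = blocklist; it != NULL; it = it->next)
        if (it == b) return 1;
    return 0;
}

/* Find a free fragment whose block carries 'tag': 1 = hit, 0 = miss,
 * -1 = a fragment's block pointer is no longer valid (what KDASSERTMSG
 * reports; without the check this is the crashing dereference). */
int find_frag(int tag, struct usb_frag **out) {
    for (struct usb_frag *f = freelist; f != NULL; f = f->next) {
        if (!valid_block_p(f->block)) return -1;
        if (f->block->tag == tag) { *out = f; return 1; }
    }
    return 0;
}

static void unlink_block(struct usb_block *b) {
    for (struct usb_block **pp = &blocklist; *pp != NULL; pp = &(*pp)->next)
        if (*pp == b) { *pp = b->next; return; }
}

/* One block with one free fragment. With drop_block set, the block is retired
 * while its fragment still sits on the free list (the use-after-free shape). */
int scenario(int drop_block) {
    struct usb_block *b = calloc(1, sizeof *b);
    struct usb_frag  *f = calloc(1, sizeof *f);
    struct usb_frag  *hit = NULL;
    b->tag = 42; f->block = b;
    b->next = blocklist; blocklist = b;
    f->next = freelist;  freelist = f;
    if (drop_block) unlink_block(b);   /* the kernel would also free it */
    int r = find_frag(42, &hit);
    freelist = f->next; free(f);       /* tear the toy lists down */
    if (!drop_block) unlink_block(b);
    free(b);
    return r;
}
```

With the block still live the lookup hits; with the block retired first the check fires, which is the condition a DIAGNOSTIC kernel would report through KDASSERTMSG rather than faulting on the tag read.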

