subject:"stack trace \/ free\(0\) in isascan\(\)"

Re: stack trace / free(0) in isascan()

2019-05-09 Thread Ted Unangst

Sebastien Marie wrote:
> 
> So calling free() with cf->cf_attach->ca_devsize should be fine.
> Diff below.

ok. didn't get to this one yet.

Re: stack trace / free(0) in isascan()

2019-05-09 Thread Hrvoje Popovski

On 9.5.2019. 11:14, Sebastien Marie wrote:
> On Thu, May 09, 2019 at 10:55:44AM +0200, Hrvoje Popovski wrote:
>>
>> with this diff i'm getting new traces
> 
> it is (somehow) expected.
> 
> the commit that starts showing traces do the following:
> - when there is missing size on free() reports it (with a backtrace to know 
> the caller)
> - but report only a fixed number of calls (5), because else users will be mad
> 
> so by correcting some sizes it makes others calls to free() to be visible.
> 
>> free with zero size: (127)
>> Starting stack trace...
>> free(8013f800,7f,0,8013f800,cf43c4f465ef43f8,0) at free+0xd8
>> uhidev_attach(80071200,8014ed00,8000224a40a0,80071200,89eb6e07df884e85,80071200)
>>  at uhidev_attach+0x1b4
> 
>> free with zero size: (127)
>> Starting stack trace...
>> free(8013f800,7f,0,8013f800,cf43c4f465284bc3,0) at free+0xd8
>> hid_report_size(80070c00,41,0,0,764c887b264d079f,0) at 
>> hid_report_size+0x10f
> 
>> free with zero size: (127)
>> Starting stack trace...
>> free(8013f800,7f,0,8013f800,cf43c4f465284185,0) at free+0xd8
>> hid_is_collection(80070c00,41,ff,10006,a6cb281b8426ee7e,81cf60e0)
>>  at hid_is_collection+0xe9
> 
>> free with zero size: (127)
>> Starting stack trace...
>> free(8013f800,7f,0,8013f800,cf43c4f465284185,0) at free+0xd8
>> hid_is_collection(80070c00,41,ff,10001,a6cb281b844568dc,81cf6118)
>>  at hid_is_collection+0xe9
> 
>> free with zero size: (127)
>> Starting stack trace...
>> free(8013f800,7f,0,8013f800,cf43c4f465284185,0) at free+0xd8
>> hid_is_collection(80070c00,41,ff,10002,a6cb281b844568fc,3) at 
>> hid_is_collection+0xe9
> 
> I am leaving others free() calls to people that would like to play this game 
> too.
> 

traces from different pc

free with zero size: (2)
Starting stack trace...
free(800dc000,2,0,800dc000,bccbb3f663e5b90b,0) at free+0xd8
azalia_mixer_delete(800d9410,800d9410,12eae783e6f10d36,800d9410,815389e0,82004a20)
at azalia_mixer_delete+0x30
azalia_codec_delete(800d9410,800d9410,fb5581cc816e9ad6,800b6c00,814e84ed,82004a50)
at azalia_codec_delete+0x1d
azalia_init_codecs(800b6c00,800b6c00,d1d8bb30647efc90,82004b90,800b6c00,0)
at azalia_init_codecs+0x344
azalia_pci_attach(800c6800,800b6c00,82004b90,800c6800,6a09b45b25c7514b,800c6800)
at azalia_pci_attach+0x21f
config_attach(800c6800,81d2c1f8,82004b90,815ad6c0,fb1ef9caf20ebad0,8000d800)
at config_attach+0x1ee
pci_probe_device(800c6800,8000d800,0,0,271a74bc17e998d4,0) at
pci_probe_device+0x4c0
pci_enumerate_bus(800c6800,0,0,800c6800,7473f8bb614e5ef1,80026100)
at pci_enumerate_bus+0xb7
config_attach(80026100,81d2be08,82004db8,8143f230,fb1ef9caf2179750,82004db8)
at config_attach+0x1ee
mainbus_attach(0,80026100,0,0,7473f8bb614e5ef1,0) at
mainbus_attach+0x280
config_attach(0,81d2b938,0,0,fb1ef9caf259a843,2c5dc00) at
config_attach+0x1ee
cpu_configure(fb1ef9caf20e9d69,2c5dc00,0,80027000,810dce43,82004f00)
at cpu_configure+0x33
main(0,0,2c5dc00,0,10ff8c0,1) at main+0x4a9
end trace frame: 0x0, count: 244
End of stack trace.
free with zero size: (2)
Starting stack trace...
free(800b9e00,2,0,800b9e00,bccbb3f663f8b5ee,0) at free+0xd8
azalia_codec_delete(800d9410,800d9410,fb5581cc816e9ad6,800b6c00,814e8505,82004a50)
at azalia_codec_delete+0x35
azalia_init_codecs(800b6c00,800b6c00,d1d8bb30647efc90,82004b90,800b6c00,0)
at azalia_init_codecs+0x344
azalia_pci_attach(800c6800,800b6c00,82004b90,800c6800,6a09b45b25c7514b,800c6800)
at azalia_pci_attach+0x21f
config_attach(800c6800,81d2c1f8,82004b90,815ad6c0,fb1ef9caf20ebad0,8000d800)
at config_attach+0x1ee
pci_probe_device(800c6800,8000d800,0,0,271a74bc17e998d4,0) at
pci_probe_device+0x4c0
pci_enumerate_bus(800c6800,0,0,800c6800,7473f8bb614e5ef1,80026100)
at pci_enumerate_bus+0xb7
config_attach(80026100,81d2be08,82004db8,8143f230,fb1ef9caf2179750,82004db8)
at config_attach+0x1ee
mainbus_attach(0,80026100,0,0,7473f8bb614e5ef1,0) at
mainbus_attach+0x280
config_attach(0,81d2b938,0,0,fb1ef9caf259a843,2c5dc00) at
config_attach+0x1ee
cpu_configure(fb1ef9caf20e9d69,2c5dc00,0,80027000,810dce43,82004f00)
at cpu_configure+0x33
main(0,0,2c5dc00,0,10ff8c0,1) at main+0x4a9
end trace frame: 0x0, count: 245
End of stack trace.
free with zero size: (2)
Starting stack trace...
free(80028890,2,0,80028890,bccbb3f663f8b5d8,0) at fre

Re: stack trace / free(0) in isascan()

2019-05-09 Thread Sebastien Marie

On Thu, May 09, 2019 at 10:55:44AM +0200, Hrvoje Popovski wrote:
> 
> with this diff i'm getting new traces

it is (somehow) expected.

the commit that starts showing traces do the following:
- when there is missing size on free() reports it (with a backtrace to know the 
caller)
- but report only a fixed number of calls (5), because else users will be mad

so by correcting some sizes it makes others calls to free() to be visible.

> free with zero size: (127)
> Starting stack trace...
> free(8013f800,7f,0,8013f800,cf43c4f465ef43f8,0) at free+0xd8
> uhidev_attach(80071200,8014ed00,8000224a40a0,80071200,89eb6e07df884e85,80071200)
>  at uhidev_attach+0x1b4

> free with zero size: (127)
> Starting stack trace...
> free(8013f800,7f,0,8013f800,cf43c4f465284bc3,0) at free+0xd8
> hid_report_size(80070c00,41,0,0,764c887b264d079f,0) at 
> hid_report_size+0x10f

> free with zero size: (127)
> Starting stack trace...
> free(8013f800,7f,0,8013f800,cf43c4f465284185,0) at free+0xd8
> hid_is_collection(80070c00,41,ff,10006,a6cb281b8426ee7e,81cf60e0)
>  at hid_is_collection+0xe9

> free with zero size: (127)
> Starting stack trace...
> free(8013f800,7f,0,8013f800,cf43c4f465284185,0) at free+0xd8
> hid_is_collection(80070c00,41,ff,10001,a6cb281b844568dc,81cf6118)
>  at hid_is_collection+0xe9

> free with zero size: (127)
> Starting stack trace...
> free(8013f800,7f,0,8013f800,cf43c4f465284185,0) at free+0xd8
> hid_is_collection(80070c00,41,ff,10002,a6cb281b844568fc,3) at 
> hid_is_collection+0xe9

I am leaving others free() calls to people that would like to play this game 
too.
-- 
Sebastien Marie

Re: stack trace / free(0) in isascan()

2019-05-09 Thread Hrvoje Popovski

On 9.5.2019. 10:35, Sebastien Marie wrote:
> On Thu, May 09, 2019 at 10:12:49AM +0200, Hrvoje Popovski wrote:
>> Hi all,
>>
>> i update kernel from cvs few minutes ago and i'm seeing this stack trace
>> in dmesg. i'm just reporting it.
> 
> The principe of the game is to look at the free() call that still use 0
> as size, and found the right size to fill it.
> 
>> free with zero size: (2)
>> Starting stack trace...
>> free(80074100,2,0,80074100,1d5a05b47900fbf4,81d287e8)
>>  at free+0xd8
>> isascan(80101200,80074100,9563e4d9af15796a,81618690,80101200,81d16d01)
>>  at isascan+0x3f8
> 
> Here, isascan() calls free() on dev (a struct device).
> 
> the related malloc() call is done by config_make_softc() at line 248:
>247  config_attach(parent, dev, &ia2, isaprint);
>248  dev = config_make_softc(parent, cf);
> 
> The size used for malloc() is :
> 
> kern/subr_autoconf.c
>417  struct device *
>418  config_make_softc(struct device *parent, struct cfdata *cf)
>419  {
>420  struct device *dev;
>421  struct cfdriver *cd;
>422  struct cfattach *ca;
>423
>424  cd = cf->cf_driver;
>425  ca = cf->cf_attach;
>426  if (ca->ca_devsize < sizeof(struct device))
>427  panic("config_make_softc");
>428
>429  /* get memory for all device vars */
>430  dev = malloc(ca->ca_devsize, M_DEVBUF, M_NOWAIT|M_ZERO);
>431  if (dev == NULL)
>432  panic("config_make_softc: allocation for device softc 
> failed");
> 
> 
> So calling free() with cf->cf_attach->ca_devsize should be fine.
> Diff below.
> 
> OK ?
> 

with this diff i'm getting new traces

dmesg

OpenBSD 6.5-current (GENERIC.MP) #2: Thu May  9 10:48:28 CEST 2019
r...@r620-1.srce.hr:/sys/arch/amd64/compile/GENERIC.MP
real mem = 17115840512 (16322MB)
avail mem = 16587034624 (15818MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xcf42c000 (99 entries)
bios0: vendor Dell Inc. version "2.7.0" date 05/23/2018
bios0: Dell Inc. PowerEdge R620
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR HPET DMAR MCFG WDAT SLIC ERST HEST
BERT EINJ TCPA PC__ SRAT SSDT
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 4 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2643 v2 @ 3.50GHz, 3600.45 MHz, 06-3e-04
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 2, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 6 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2643 v2 @ 3.50GHz, 3600.00 MHz, 06-3e-04
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 3, package 0
cpu2 at mainbus0: apid 8 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5-2643 v2 @ 3.50GHz, 3600.00 MHz, 06-3e-04
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 4, package 0
cpu3 at mainbus0: apid 16 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5-2643 v2 @ 3.50GHz, 3600.00 MHz, 06-3e-04
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 8, package 0
cpu4 at mainbus0: apid 18 (application processor)
cpu4: Intel(R) Xeon(R)

Re: stack trace / free(0) in isascan()

2019-05-09 Thread Sebastien Marie

On Thu, May 09, 2019 at 10:12:49AM +0200, Hrvoje Popovski wrote:
> Hi all,
> 
> i update kernel from cvs few minutes ago and i'm seeing this stack trace
> in dmesg. i'm just reporting it.

The principe of the game is to look at the free() call that still use 0
as size, and found the right size to fill it.

> free with zero size: (2)
> Starting stack trace...
> free(80074100,2,0,80074100,1d5a05b47900fbf4,81d287e8) 
> at free+0xd8
> isascan(80101200,80074100,9563e4d9af15796a,81618690,80101200,81d16d01)
>  at isascan+0x3f8

Here, isascan() calls free() on dev (a struct device).

the related malloc() call is done by config_make_softc() at line 248:
   247  config_attach(parent, dev, &ia2, isaprint);
   248  dev = config_make_softc(parent, cf);

The size used for malloc() is :

kern/subr_autoconf.c
   417  struct device *
   418  config_make_softc(struct device *parent, struct cfdata *cf)
   419  {
   420  struct device *dev;
   421  struct cfdriver *cd;
   422  struct cfattach *ca;
   423
   424  cd = cf->cf_driver;
   425  ca = cf->cf_attach;
   426  if (ca->ca_devsize < sizeof(struct device))
   427  panic("config_make_softc");
   428
   429  /* get memory for all device vars */
   430  dev = malloc(ca->ca_devsize, M_DEVBUF, M_NOWAIT|M_ZERO);
   431  if (dev == NULL)
   432  panic("config_make_softc: allocation for device softc 
failed");


So calling free() with cf->cf_attach->ca_devsize should be fine.
Diff below.

OK ?
-- 
Sebastien Marie

Index: dev/isa/isa.c
===
RCS file: /cvs/src/sys/dev/isa/isa.c,v
retrieving revision 1.46
diff -u -p -r1.46 isa.c
--- dev/isa/isa.c   25 May 2015 15:19:22 -  1.46
+++ dev/isa/isa.c   9 May 2019 08:28:47 -
@@ -257,7 +257,7 @@ isascan(parent, match)
if (autoconf_verbose)
printf(">>> probing for %s* finished\n",
cf->cf_driver->cd_name);
-   free(dev, M_DEVBUF, 0);
+   free(dev, M_DEVBUF, cf->cf_attach->ca_devsize);
return;
}
 
@@ -270,7 +270,7 @@ isascan(parent, match)
!isa_intr_check(sc->sc_ic, ia.ia_irq, IST_EDGE)) {
printf("%s%d: irq %d already in use\n",
cf->cf_driver->cd_name, cf->cf_unit, ia.ia_irq);
-   free(dev, M_DEVBUF, 0);
+   free(dev, M_DEVBUF, cf->cf_attach->ca_devsize);
} else {
 #endif
if (autoconf_verbose)
@@ -291,7 +291,7 @@ isascan(parent, match)
if (autoconf_verbose)
printf(">>> probing for %s%d failed\n",
cf->cf_driver->cd_name, cf->cf_unit);
-   free(dev, M_DEVBUF, 0);
+   free(dev, M_DEVBUF, cf->cf_attach->ca_devsize);
}
 }

Re: stack trace / free(0) in isascan()

Re: stack trace / free(0) in isascan()

Re: stack trace / free(0) in isascan()

Re: stack trace / free(0) in isascan()

Re: stack trace / free(0) in isascan()

5 matches

Site Navigation

Mail list logo

Footer information