From daichi@FreeBSD.org  Mon Sep  6 13:22:51 2004
Return-Path: <daichi@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0EE2616A4CE; Mon,  6 Sep 2004 13:22:51 +0000 (GMT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 0034F43D3F; Mon,  6 Sep 2004 13:22:50 +0000 (GMT)
	(envelope-from daichi@FreeBSD.org)
Received: from freefall.freebsd.org (daichi@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id i86DMogU021597;
	Mon, 6 Sep 2004 13:22:50 GMT
	(envelope-from daichi@freefall.freebsd.org)
Received: (from daichi@localhost)
	by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i86DMoMV021596;
	Mon, 6 Sep 2004 13:22:50 GMT
	(envelope-from daichi)
Message-Id: <200409061322.i86DMoMV021596@freefall.freebsd.org>
Date: Mon, 6 Sep 2004 13:22:50 GMT
From: Daichi GOTO <daichi@FreeBSD.org>
Reply-To: Daichi GOTO <daichi@FreeBSD.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: fjoe@FreeBSD.org
Subject: [panic fix] [patch] geom_uzip.ko caused panic
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         71431
>Category:       kern
>Synopsis:       [panic fix] [patch] geom_uzip.ko caused panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    fjoe
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 06 13:30:12 GMT 2004
>Closed-Date:    Sun Sep 19 10:29:16 GMT 2004
>Last-Modified:  Sun Sep 19 10:29:16 GMT 2004
>Originator:     Daichi GOTO
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
FreeBSD freebsd.ongs.co.jp 5.3-BETA3 FreeBSD 5.3-BETA3 #2: Sun Sep  5 01:45:47 JST 2004     root@freebsd.ongs.co.jp:/usr/obj/usr/src/sys/MITHOS  i386

>Description:
/boot/kernel/geom_uzip.ko causes panic.

panic message:
-----------------------------------
panic: malloc(9)/free(9) confusion.
Probably freeing with wrong type, but maybe not here.
cpuid = 0
KDB: enter: panic
[thread 100031]
Stopped at	kdb_enter+0x2b: nop
db>
-----------------------------------

>How-To-Repeat:
# kldload geom_uzip

or 

# geom uzip load

>Fix:

I think that the following patch will fix it :)

--- sys/geom/uzip/g_uzip.c.orig	Mon Aug 30 16:08:17 2004
+++ sys/geom/uzip/g_uzip.c	Mon Aug 30 17:02:27 2004
@@ -91,10 +91,10 @@
 		    gp->name, sc->req_total, sc->req_cached);
 	}
 	if (sc->offsets != NULL)
-		free(sc->offsets, M_GEOM_UZIP);
+		g_free(sc->offsets);
 	mtx_destroy(&sc->last_mtx);
-	free(sc->last_buf, M_GEOM_UZIP);
-	free(sc, M_GEOM_UZIP);
+	g_free(sc->last_buf);
+	g_free(sc);
 }
 
 static void *
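Review bot: g_uzip_softc_free still calls `mtx_destroy(&sc->last_mtx)` unconditionally, but the taste routine's `goto err` in the nblocks check (and the err label, which calls g_uzip_softc_free) runs before `mtx_init(&sc->last_mtx, ...)` is reached, so a malformed image tears down a mutex that was never initialized; whether that merely trips a lock-debugging assertion or corrupts witness state depends on kernel options, but it is wrong either way. Now that the softc comes from `g_malloc(..., M_ZERO)`, `sc->last_buf` is reliably NULL until after the mutex exists, so it can gate both: `if (sc->last_buf != NULL) { mtx_destroy(&sc->last_mtx); g_free(sc->last_buf); }`. The function's signature lies above this hunk.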
@@ -102,14 +102,14 @@
 {
 	void *ptr;
 
-	ptr = malloc(type * size, M_GEOM_UZIP, M_NOWAIT);
+	ptr = g_malloc(type * size, M_NOWAIT | M_ZERO);
 	return ptr;
 }
 
 static void
 z_free(void *nil, void *ptr)
 {
-	free(ptr, M_GEOM_UZIP);
+	g_free(ptr);
 }
 
 static void
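Review bot: `type * size` in z_alloc is still an unchecked multiplication handed to g_malloc; as far as zlib's inflate path goes the allocator is called with small, fixed item counts, so this is not reachable from image contents, but a one-line comment stating that assumption would stop the next reader from treating it as an input-validation gap. The local `ptr` adds nothing: `return g_malloc(type * size, M_NOWAIT | M_ZERO);`. z_alloc's signature is above this hunk.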
@@ -207,7 +207,7 @@
 	 */
 	DPRINTF(("%s: done: (%d, %lld, %ld)\n",
 	    gp->name, bp2->bio_error, bp2->bio_completed, bp2->bio_resid));
-	free(bp->bio_data, M_GEOM_UZIP);
+	g_free(bp->bio_data);
 	g_destroy_bio(bp);
 	g_io_deliver(bp2, bp2->bio_error);
 }
@@ -285,7 +285,7 @@
 	    bp->bio_offset, bp->bio_length,
 	    sc->offsets[start_blk], sc->offsets[end_blk] - sc->offsets[start_blk],
 	    bp2->bio_offset, bp2->bio_length));
-	bp2->bio_data = malloc(bp2->bio_length, M_GEOM_UZIP, M_NOWAIT);
+	bp2->bio_data = g_malloc(bp2->bio_length, M_NOWAIT | M_ZERO);
 	if (bp2->bio_data == NULL) {
 		g_io_deliver(bp, ENOMEM);
 		return;
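Review bot: `bp2->bio_length` is derived from `sc->offsets[end_blk] - sc->offsets[start_blk]`, and the offsets table is read straight from the image at taste time, so a non-monotonic or oversized entry in a crafted image turns this `g_malloc(..., M_NOWAIT | M_ZERO)` into a huge request; M_NOWAIT makes it fail cleanly with ENOMEM rather than sleep, but the caller learns nothing about the corrupt image and every read of that block repeats the attempt. Unless the offsets are validated in a part of g_uzip_taste outside these hunks, the table should be checked once at taste (each `offsets[i] <= offsets[i+1]`, and the largest span bounded by the provider's size) so the I/O path can trust it. The enclosing function starts before and continues after this hunk.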
@@ -393,7 +393,7 @@
 	/*
 	 * Initialize softc and read offsets.
 	 */
-	sc = malloc(sizeof(*sc), M_GEOM_UZIP, M_WAITOK);
+	sc = g_malloc(sizeof(*sc), M_WAITOK | M_ZERO);
 	gp->softc = sc;
 	sc->blksz = ntohl(header->blksz);
 	sc->nblocks = ntohl(header->nblocks);
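Review bot: `sc->blksz` and `sc->nblocks` are taken verbatim from the on-disk header here, and a later hunk allocates `sc->last_buf` of `sc->blksz` bytes with M_WAITOK, yet no range check on `blksz` is visible in the patch (only `nblocks` is checked, in the next hunk). A crafted image can therefore request an arbitrarily large contiguous kernel allocation that is not allowed to fail, in a taste routine that runs automatically for every new provider, and a zero `blksz` would presumably break any block arithmetic done with it. If a bound is not enforced elsewhere in g_uzip_taste, reject bad values right after these assignments, e.g. `if (sc->blksz == 0 || sc->blksz > <fixed upper bound>) goto err;`. The M_ZERO on the softc allocation is a good change: it makes the fields g_uzip_softc_free inspects well-defined on the error path. g_uzip_taste begins before this hunk.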
@@ -413,8 +413,8 @@
 		       gp->name, sc->nblocks);
 		goto err;
 	}
-	sc->offsets = malloc(
-	    total_offsets * sizeof(uint64_t), M_GEOM_UZIP, M_WAITOK);
+	sc->offsets = g_malloc(
+	    total_offsets * sizeof(uint64_t), M_WAITOK | M_ZERO);
 	offsets_read = MIN(total_offsets,
 	    (pp->sectorsize - sizeof(*header)) / sizeof(uint64_t));
 	for (i = 0; i < offsets_read; i++)
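Review bot: `total_offsets * sizeof(uint64_t)` is computed before the allocation with no overflow check, so on the reporter's i386 a `total_offsets` above 2^29 wraps to a small request and the offset reads that follow overrun the buffer; the nblocks check just above this hunk may already rule that out, but its bound is not visible in the patch. Since this is an M_WAITOK allocation driven by an on-disk field in an auto-taste path, the cap on `sc->nblocks` should be explicit and small enough to also limit how much kernel memory a crafted image can pin, and a comment next to the multiplication should say which check guarantees it cannot wrap. The loop at the bottom of the hunk continues beyond it.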
@@ -424,7 +424,7 @@
 	for (blk = 1; offsets_read < total_offsets; blk++) {
 		uint32_t nread;
 
-		free(buf, M_GEOM_UZIP);
+		g_free(buf);
 		buf = g_read_data(
 		    cp, blk * pp->sectorsize, pp->sectorsize, &error);
 		if (buf == NULL || error != 0)
@@ -442,7 +442,7 @@
 	DPRINTF(("%s: done reading offsets\n", gp->name));
 	mtx_init(&sc->last_mtx, "geom_uzip cache", NULL, MTX_DEF);
 	sc->last_blk = -1;
-	sc->last_buf = malloc(sc->blksz, M_GEOM_UZIP, M_WAITOK);
+	sc->last_buf = g_malloc(sc->blksz, M_WAITOK | M_ZERO);
 	sc->req_total = 0;
 	sc->req_cached = 0;
 
@@ -470,7 +470,7 @@
 	g_topology_lock();
 	g_access(cp, -1, 0, 0);
 	if (buf != NULL)
-		free(buf, M_GEOM_UZIP);
+		g_free(buf);
 	if (gp->softc != NULL) {
 		g_uzip_softc_free(gp->softc, NULL);
 		gp->softc = NULL;



>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: daichi 
State-Changed-When: Mon Sep 6 13:47:37 GMT 2004 
State-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=71431 
State-Changed-From-To: closed->open 
State-Changed-By: daichi 
State-Changed-When: Mon Sep 6 13:48:37 GMT 2004 
State-Changed-Why:  
Sorry, I made a mistake. kern/71432 is a duplicate of this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71431 
Responsible-Changed-From-To: freebsd-bugs->freebsd-geom 
Responsible-Changed-By: nork 
Responsible-Changed-When: Mon Sep 6 14:03:36 GMT 2004 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71431 
State-Changed-From-To: open->feedback 
State-Changed-By: fjoe 
State-Changed-When: Thu Sep 9 06:04:33 GMT 2004 
State-Changed-Why:  
I can't reproduce this. 
geom uzip load does not work. 
kldload geom_uzip works perfectly. 

Can you provide stack trace? 
Can you reproduce the problem on recent -CURRENT? 
You can try this patch instead (but I doubt that it will change anything 
for you): 

Index: sys/geom/uzip/g_uzip.c 
=================================================================== 
RCS file: /home/ncvs/src/sys/geom/uzip/g_uzip.c,v 
retrieving revision 1.1 
diff -u -p -r1.1 g_uzip.c 
--- sys/geom/uzip/g_uzip.c	13 Aug 2004 09:40:57 -0000	1.1 
+++ sys/geom/uzip/g_uzip.c	8 Sep 2004 15:34:42 -0000 
@@ -518,4 +518,5 @@ static struct g_class g_uzip_class = { 
.spoiled = g_uzip_spoiled, 
}; 

-DECLARE_GEOM_CLASS(g_uzip_class, g_uzip); 
+DECLARE_GEOM_CLASS(g_uzip_class, geom_uzip); 
+MODULE_DEPEND(geom_uzip, zlib, 1, 1, 1); 
Index: sys/modules/geom/geom_uzip/Makefile 
=================================================================== 
RCS file: /home/ncvs/src/sys/modules/geom/geom_uzip/Makefile,v 
retrieving revision 1.1 
diff -u -p -r1.1 Makefile 
--- sys/modules/geom/geom_uzip/Makefile	13 Aug 2004 09:40:58 -0000	1.1 
+++ sys/modules/geom/geom_uzip/Makefile	8 Sep 2004 15:32:40 -0000 
@@ -3,7 +3,7 @@ 
.PATH: ${.CURDIR}/../../../geom/uzip ${.CURDIR}/../../../net 

KMOD=	geom_uzip 
-SRCS=	g_uzip.c zlib.c 
+SRCS=	g_uzip.c 
#CFLAGS=	-g 

.include <bsd.kmod.mk> 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71431 
Responsible-Changed-From-To: freebsd-geom->fjoe-geom 
Responsible-Changed-By: fjoe 
Responsible-Changed-When: Tue Sep 14 18:39:52 GMT 2004 
Responsible-Changed-Why:  


http://www.freebsd.org/cgi/query-pr.cgi?pr=71431 
Responsible-Changed-From-To: fjoe-geom->fjoe 
Responsible-Changed-By: fjoe 
Responsible-Changed-When: Tue Sep 14 18:40:12 GMT 2004 
Responsible-Changed-Why:  
Does this patch fix the problem for you? 

Index: g_uzip.c 
=================================================================== 
RCS file: /home/ncvs/src/sys/geom/uzip/g_uzip.c,v 
retrieving revision 1.1.2.1 
diff -u -p -r1.1.2.1 g_uzip.c 
--- g_uzip.c	10 Sep 2004 07:00:38 -0000	1.1.2.1 
+++ g_uzip.c	14 Sep 2004 18:19:36 -0000 
@@ -424,7 +424,7 @@ g_uzip_taste(struct g_class *mp, struct  
for (blk = 1; offsets_read < total_offsets; blk++) { 
uint32_t nread; 

-		free(buf, M_GEOM_UZIP); 
+		free(buf, M_GEOM); 
buf = g_read_data( 
cp, blk * pp->sectorsize, pp->sectorsize, &error); 
if (buf == NULL || error != 0) 
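Review bot: `free(buf, M_GEOM)` hard-codes the GEOM core's private malloc type for a buffer that `g_read_data()` returned, so the fix depends on an implementation detail of another subsystem rather than on its API; `g_free(buf)` is the matching release call, survives a change of the internal type, and is what the submitter's patch already uses at this site. The mismatch this corrects appears to be the real cause of the reported panic: the buffer is allocated by the GEOM core and was being released under M_GEOM_UZIP, which a kernel built with malloc debugging reports as the "malloc(9)/free(9) confusion" shown above. The surrounding loop in g_uzip_taste continues outside this hunk.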
@@ -470,7 +470,7 @@ err: 
g_topology_lock(); 
g_access(cp, -1, 0, 0); 
if (buf != NULL) 
-		free(buf, M_GEOM_UZIP); 
+		free(buf, M_GEOM); 
if (gp->softc != NULL) { 
g_uzip_softc_free(gp->softc, NULL); 
gp->softc = NULL; 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71431 
State-Changed-From-To: feedback->closed 
State-Changed-By: fjoe 
State-Changed-When: Sun Sep 19 10:28:22 GMT 2004 
State-Changed-Why:  
Fix committed to HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=71431 
>Unformatted:
