Page MenuHomeFreeBSD
Differential D1865

Fix memory modified after free with DEBUG_MEMGUARD
AbandonedPublic
Actions

Authored by ngie on Feb 17 2015, 9:50 AM.
Tags
None
Referenced Files
F150419460: D1865.id3807.diff
Wed, Apr 1, 2:04 AM
Unknown Object (File)
Sat, Mar 7, 12:26 AM
Unknown Object (File)
Wed, Mar 4, 5:57 AM
Unknown Object (File)
Jan 22 2026, 11:30 AM
Unknown Object (File)
Dec 25 2025, 1:55 AM
Unknown Object (File)
Dec 20 2025, 5:06 AM
Unknown Object (File)
Dec 9 2025, 1:22 PM
Unknown Object (File)
Nov 24 2025, 1:51 PM
View All 97 Files
Subscribers
benno
pho

Details

Reviewers
alc
glebius
Summary

Fix memory modified after free with DEBUG_MEMGUARD

Protect slabs properly [that are larger than PAGE_SIZE] with memguard
vm.memguard.options=2 or vm.memguard.options=3 set by not double-counting
slab vs non-slab allocations

PR: 191359
Reported by: pho
Submitted by: Luke Chang-Hsien Tsai <luke.tw@gmail.com>

Test Plan
  • Run the following commands for a few minutes:

% sysctl vm.memguard.options=3; sysctl vm.memguard.desc=allocdirect
% for i in seq 1 10; do

dd if=/dev/urandom of=/dev/stdout bs=20m | ssh -C 172.16.98.155 tar xf - &
done

%

  • memguard4 scenario from stress2 (still needs to be run)

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

ngie updated this revision to Diff 3807.Feb 17 2015, 9:50 AM
ngie retitled this revision from to Fix memory modified after free with DEBUG_MEMGUARD.
ngie updated this object.
ngie added reviewers: alc, kib.
ngie edited the test plan for this revision. (Show Details)
ngie added subscribers: benno, pho.
kib edited reviewers, added: glebius; removed: kib.Feb 17 2015, 11:42 AM
pho added a comment.Feb 17 2015, 1:41 PM

I'm unfortunately still able to get a panic using ssh:
http://people.freebsd.org/~pho/stress/log/memguard7.txt

glebius edited edge metadata.Feb 17 2015, 4:36 PM

The BUGS section of the manual page should be fixed, if the patch gets working.

glebius added a comment.Feb 17 2015, 4:36 PM

What actually is "allocdirect"? I can't find it in 'vmstat -m' neither in 'vmstat -z'.

pho added a comment.Feb 17 2015, 6:01 PM

The content of "desc" does not seem to have any impact on this panic:

FreeBSD 11.0-CURRENT (MEMGUARD) #3 r278882M: Tue Feb 17 12:42:28 CET 2015
You have new mail.
root@t1:~ # sysctl vm.memguard.desc=temp; sysctl vm.memguard.options=3
vm.memguard.desc: -> temp
vm.memguard.options: 1 -> 3
root@t1:~ # ssh pho@localhost
Memory modified after free 0xfffffe0000430000(4096) val=5a5a5a5a @ 0xfffffe0000430000

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x3000
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80bf0053
stack pointer = 0x28:0xfffffe1728bfd1b0
frame pointer = 0x28:0xfffffe1728bfd200
code segment = base 0x0, limit 0xfffff, type 0x1b
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 946 (sshd)
[ thread pid 946 tid 100429 ]
Stopped at uma_find_refcnt+0x33: movq (%rax),%rax
db>
$

ngie abandoned this revision.Feb 19 2015, 11:10 AM

Based on input from pho@, I'm more convinced that there's an issue elsewhere [in the network stack?] that needs to be addressed.

Closing this CR but will reopen if more information comes to light as to whether or not this is the issue that needs to be fixed.

Revision Contents
Changeset List

PathSize
share/
man/
man9/
2 lines
sys/
vm/
3 lines

Diff 3807

View Options

share/man/man9/memguard.9

Loading...
View Options

sys/vm/memguard.c

Loading...