
Fix memory modified after free with DEBUG_MEMGUARD
AbandonedPublic

Authored by ngie on Feb 17 2015, 9:50 AM.
Tags
None
Details

Reviewers
alc
glebius
Summary

Fix memory modified after free with DEBUG_MEMGUARD

Protect slabs properly [that are larger than PAGE_SIZE] with memguard
vm.memguard.options=2 or vm.memguard.options=3 set by not double-counting
slab vs non-slab allocations

PR: 191359
Reported by: pho
Submitted by: Luke Chang-Hsien Tsai <luke.tw@gmail.com>
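
The "Memory modified after free ... val=... @ ..." report that this review is chasing comes from the kernel's trash check: freed memory is filled with a junk word, and the next time the block is handed out every word is compared against that junk. The following is an added userland model of that check, written for this page; it is not FreeBSD's uma_dbg.c or any memguard code, and the junk value, block size, and the dangling write are constructed for the demo. It shows what the two fields in the message mean (val is the word found in place of the junk, @ is where it was found), and why a use-after-free write is reported at the next allocation rather than at the write itself.

```c
/*
 * Added illustration (not FreeBSD kernel code) of a trash-on-free check.
 * Free side: fill the block with TRASH_JUNK.  Alloc side: verify the fill
 * is intact; the first mismatching word is the evidence of a write to
 * freed memory.  Junk value and block size are assumptions for the demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRASH_JUNK  0xdeadc0deU  /* assumed junk word for this demo */
#define BLOCK_SIZE  4096         /* one page, like the 4096-byte block in the panic */

/* Outcome of checking a block that is being recycled. */
struct trash_report {
    int      modified;  /* 1 if any word no longer holds TRASH_JUNK */
    size_t   offset;    /* byte offset of the first modified word */
    uint32_t value;     /* the value found there (the "val=" in the message) */
};

/* Free side: overwrite the whole block with the junk word. */
static void trash_fill(void *mem, size_t size)
{
    uint32_t *p = mem;
    size_t n = size / sizeof(*p);

    while (n-- > 0)
        *p++ = TRASH_JUNK;
}

/* Alloc side: confirm the junk survived while the block sat on the free list. */
static struct trash_report trash_check(const void *mem, size_t size)
{
    struct trash_report r = { 0, 0, 0 };
    const uint32_t *p = mem;
    size_t n = size / sizeof(*p);

    for (size_t i = 0; i < n; i++) {
        if (p[i] != TRASH_JUNK) {
            r.modified = 1;
            r.offset = i * sizeof(*p);
            r.value = p[i];
            /* same shape as the kernel's report: base(size) val @ address */
            printf("Memory modified after free %p(%zu) val=%x @ %p\n",
                   mem, size, p[i], (const void *)&p[i]);
            break;
        }
    }
    return r;
}

/*
 * Free a block, keep a dangling pointer to it, optionally write through that
 * pointer (the constructed use-after-free), then "allocate" it again and run
 * the check.  Returns the report from the recycle-time check.
 */
struct trash_report demo_use_after_free(int do_dangling_write)
{
    uint32_t *block = malloc(BLOCK_SIZE);
    struct trash_report r;
    uint32_t *dangling;

    if (block == NULL)
        abort();
    memset(block, 0, BLOCK_SIZE);

    trash_fill(block, BLOCK_SIZE);   /* block goes back to the free list, trashed */
    dangling = block;                /* the stale pointer a buggy caller kept */

    if (do_dangling_write)
        dangling[16] = 0x5a5a5a5a;   /* constructed bug: write after free */

    r = trash_check(block, BLOCK_SIZE);  /* runs when the block is handed out again */
    free(block);
    return r;
}

int main(void)
{
    struct trash_report r = demo_use_after_free(1);

    printf("modified=%d offset=%zu value=%x\n", r.modified, r.offset, r.value);
    return r.modified ? 1 : 0;
}
```

The detection is necessarily late: nothing fires at the dangling write itself, only when the trashed block is next reused, so the faulting stack (here uma_find_refcnt under sshd) identifies the victim allocator path, not the code that wrote through the stale pointer. That gap is exactly why the memguard option bits are interesting here: a guarded allocation faults at the write.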

Test Plan
  • Run the following commands for a few minutes:

% sysctl vm.memguard.options=3; sysctl vm.memguard.desc=allocdirect
% for i in $(seq 1 10); do
    dd if=/dev/urandom of=/dev/stdout bs=20m | ssh -C 172.16.98.155 tar xf - &
  done
%

  • memguard4 scenario from stress2 (still needs to be run)

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

ngie retitled this revision from to Fix memory modified after free with DEBUG_MEMGUARD.
ngie updated this object.
ngie added reviewers: alc, kib.
ngie edited the test plan for this revision. (Show Details)
ngie added subscribers: benno, pho.

The BUGS section of the manual page should be fixed, if the patch gets working.

What actually is "allocdirect"? I can't find it in 'vmstat -m' nor in 'vmstat -z'.

The content of "desc" does not seem to have any impact on this panic:

FreeBSD 11.0-CURRENT (MEMGUARD) #3 r278882M: Tue Feb 17 12:42:28 CET 2015
You have new mail.
root@t1:~ # sysctl vm.memguard.desc=temp; sysctl vm.memguard.options=3
vm.memguard.desc: -> temp
vm.memguard.options: 1 -> 3
root@t1:~ # ssh pho@localhost
Memory modified after free 0xfffffe0000430000(4096) val=5a5a5a5a @ 0xfffffe0000430000

Fatal trap 12: page fault while in kernel mode
cpuid = 3; apic id = 03
fault virtual address = 0x3000
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80bf0053
stack pointer = 0x28:0xfffffe1728bfd1b0
frame pointer = 0x28:0xfffffe1728bfd200
code segment = base 0x0, limit 0xfffff, type 0x1b
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 946 (sshd)
[ thread pid 946 tid 100429 ]
Stopped at uma_find_refcnt+0x33: movq (%rax),%rax
db>
$

Based on input from pho@, I'm more convinced that there's an issue elsewhere [in the network stack?] that needs to be addressed.

Closing this CR but will reopen if more information comes to light as to whether or not this is the issue that needs to be fixed.