FreeBSD Mail Archives

Date:      Mon, 10 Dec 2012 15:18:45 -0800
From:      mdf@FreeBSD.org
To:        Adrian Chadd <adrian@freebsd.org>, Garrett Cooper <yanegomi@gmail.com>
Cc:        freebsd-net@freebsd.org, FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: "Memory modified after free" - by whom?
Message-ID:  <CAMBSHm96ZEiF4mOhUyk-aDS%2BGs%2BhDsh_dMsd-WFcmZ%2BSm6Zk%2BA@mail.gmail.com>
In-Reply-To: <CAJ-Vmo=MsSV3DhAVEP36d%2BFccHDdQz7%2By7v5xTjYKyBP0PfQoQ@mail.gmail.com>
References:  <CAGH67wQKUDLQmL8cnWwgzQpWAN2OhKLu0AemPNuy7EOC-i1p9g@mail.gmail.com> <CAJ-Vmo=MsSV3DhAVEP36d%2BFccHDdQz7%2By7v5xTjYKyBP0PfQoQ@mail.gmail.com>

On Mon, Dec 10, 2012 at 3:10 PM, Adrian Chadd <adrian@freebsd.org> wrote:
> 9216 sounds like a jumbo frame mbuf. So the NIC is writing to an mbuf
> after it's finalised/freed.
>
> I have a similar bug showing up on ath(4) RX. :(

Compile with DEBUG_MEMGUARD in the kernel configuration, and then set
vm.memguard.desc to the name of the UMA zone used for the 9216 byte
allocations, mbuf_jumbo_9k.  This should cause a panic when the memory
is touched after free.

Cheers,
matthew

> On 10 December 2012 14:22, Garrett Cooper <yanegomi@gmail.com> wrote:
>>     I noticed this while checking the logs on one of my test boxes
>> after restarting the network. Any idea where I should start looking
>> into this (has IPv6 enabled but wasn't using it, em/cxgbe/ixgbe
>> interfaces with the ixgbe interfaces lagged previously, but now not)?
>> It looks suspiciously like the same size as a jumbo frame, but I'm not
>> 100% sure if that's the real problem.
>> Thanks,
>> -Garrett
>>
>> Dec 10 14:03:12 wf158 kernel: em0: link state changed to DOWN
>> Dec 10 14:03:13 wf158 kernel: ix0: link state changed to DOWN
>> Dec 10 14:03:13 wf158 kernel: ix0: link state changed to UP
>> Dec 10 14:03:13 wf158 kernel: ix1: link state changed to DOWN
>> Dec 10 14:03:13 wf158 kernel: ix1: link state changed to UP
>> Dec 10 14:03:13 wf158 kernel: ix0: link state changed to DOWN
>> Dec 10 14:03:13 wf158 kernel: ix0: link state changed to UP
>> Dec 10 14:03:15 wf158 kernel: em0: link state changed to UP
>> Dec 10 14:03:15 wf158 dhclient: New IP Address (em0): 10.7.169.89
>> Dec 10 14:03:15 wf158 dhclient: New Subnet Mask (em0): 255.255.240.0
>> Dec 10 14:03:15 wf158 dhclient: New Broadcast Address (em0): 10.7.175.255
>> Dec 10 14:03:15 wf158 dhclient: New Routers (em0): 10.7.160.1
>> Dec 10 14:03:16 wf158 kernel: ix0: link state changed to DOWN
>> Dec 10 14:03:16 wf158 kernel: ix0: link state changed to UP
>> Dec 10 14:03:31 wf158 kernel: in6_purgeaddr: err=65, destination
>> address delete failed
>> Dec 10 14:03:31 wf158 dhclient[4539]: My address (10.7.169.89) was
>> deleted, dhclient exiting
>> Dec 10 14:03:32 wf158 dhclient[4521]: short write: wanted 20 got 0 bytes
>> Dec 10 14:03:32 wf158 dhclient[4521]: exiting.
>> Dec 10 14:03:33 wf158 kernel: em0: link state changed to DOWN
>> Dec 10 14:03:33 wf158 kernel: ix1: link state changed to DOWN
>> Dec 10 14:03:34 wf158 kernel: ix1: link state changed to UP
>> Dec 10 14:03:34 wf158 kernel: ix1: link state changed to DOWN
>> Dec 10 14:03:34 wf158 kernel: ix1: link state changed to UP
>> Dec 10 14:03:34 wf158 kernel: ix0: link state changed to DOWN
>> Dec 10 14:03:34 wf158 kernel: ix0: link state changed to UP
>> Dec 10 14:03:34 wf158 kernel: ix1: link state changed to DOWN
>> Dec 10 14:03:34 wf158 kernel: ix1: link state changed to UP
>> Dec 10 14:03:36 wf158 kernel: em0: link state changed to UP
>> Dec 10 14:03:36 wf158 dhclient: New IP Address (em0): 10.7.169.89
>> Dec 10 14:03:36 wf158 dhclient: New Subnet Mask (em0): 255.255.240.0
>> Dec 10 14:03:36 wf158 dhclient: New Broadcast Address (em0): 10.7.175.255
>> Dec 10 14:03:36 wf158 dhclient: New Routers (em0): 10.7.160.1
>> Dec 10 14:05:34 wf158 kernel: Memory modified after free
>> 0xffffff81c016d000(9216) val=ffffffff @ 0xffffff81c016d000
>> Dec 10 14:05:35 wf158 kernel: Memory modified after free
>> 0xffffff81b5cdc000(9216) val=ffffffff @ 0xffffff81b5cdc000
>>
>> # uname -a
>> FreeBSD wf158.west.isilon.com 10.0-CURRENT FreeBSD 10.0-CURRENT #1
>> r+2760369-dirty: Mon Dec 10 08:04:46 PST 2012
>> root@wf158.west.isilon.com:/usr/obj/usr/src/sys/ISI-GENERIC  amd64
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAMBSHm96ZEiF4mOhUyk-aDS%2BGs%2BhDsh_dMsd-WFcmZ%2BSm6Zk%2BA>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation