Date: Wed, 7 Nov 2018 23:28:11 +0000 (UTC) From: Mark Johnston <markj@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r340241 - head/sys/vm Message-ID: <201811072328.wA7NSBUr099222@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: markj Date: Wed Nov 7 23:28:11 2018 New Revision: 340241 URL: https://svnweb.freebsd.org/changeset/base/340241 Log: Fix a use-after-free in swp_pager_meta_free(). This was introduced in r326329 and explains the crashes mentioned in the commit log message for r339934. In particular, on INVARIANTS kernels, UMA trashing causes the loop to exit early, leaving swap blocks behind when they should have been freed. After r336984 this became more problematic since new anonymous mappings were more likely to reuse swapped-out subranges of existing VM objects, so faults would trigger pageins of freed memory rather than returning zeroed pages. Reviewed by: kib MFC after: 3 days Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D17897 Modified: head/sys/vm/swap_pager.c Modified: head/sys/vm/swap_pager.c ============================================================================== --- head/sys/vm/swap_pager.c Wed Nov 7 21:36:52 2018 (r340240) +++ head/sys/vm/swap_pager.c Wed Nov 7 23:28:11 2018 (r340241) @@ -1972,13 +1972,13 @@ swp_pager_meta_free(vm_object_t object, vm_pindex_t pi swp_pager_update_freerange(&s_free, &n_free, sb->d[i]); sb->d[i] = SWAPBLK_NONE; } + pindex = sb->p + SWAP_META_PAGES; if (swp_pager_swblk_empty(sb, 0, start) && swp_pager_swblk_empty(sb, limit, SWAP_META_PAGES)) { SWAP_PCTRIE_REMOVE(&object->un_pager.swp.swp_blks, sb->p); uma_zfree(swblk_zone, sb); } - pindex = sb->p + SWAP_META_PAGES; } swp_pager_freeswapspace(s_free, n_free); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201811072328.wA7NSBUr099222>