Date:      Thu, 8 Nov 2018 10:04:37 -0500
From:      "Jonathan T. Looney" <jtl@freebsd.org>
To:        Mark Johnston <markj@freebsd.org>
Cc:        src-committers <src-committers@freebsd.org>, svn-src-all@freebsd.org,  svn-src-head@freebsd.org
Subject:   Re: svn commit: r340241 - head/sys/vm
Message-ID:  <CADrOrmthwgNz_kz+fa-bTY6MpbNiR25uo66GXk2Q1cKWy04z3A@mail.gmail.com>
In-Reply-To: <201811072328.wA7NSBUr099222@repo.freebsd.org>
References:  <201811072328.wA7NSBUr099222@repo.freebsd.org>

Nice find!

Jonathan

On Wed, Nov 7, 2018 at 6:28 PM Mark Johnston <markj@freebsd.org> wrote:

> Author: markj
> Date: Wed Nov  7 23:28:11 2018
> New Revision: 340241
> URL: https://svnweb.freebsd.org/changeset/base/340241
>
> Log:
>   Fix a use-after-free in swp_pager_meta_free().
>
>   This was introduced in r326329 and explains the crashes mentioned in
>   the commit log message for r339934.  In particular, on INVARIANTS
>   kernels, UMA trashing causes the loop to exit early, leaving swap
>   blocks behind when they should have been freed.  After r336984 this
>   became more problematic since new anonymous mappings were more
>   likely to reuse swapped-out subranges of existing VM objects, so faults
>   would trigger pageins of freed memory rather than returning zeroed
>   pages.
>
>   Reviewed by:  kib
>   MFC after:    3 days
>   Sponsored by: The FreeBSD Foundation
>   Differential Revision:        https://reviews.freebsd.org/D17897
>
> Modified:
>   head/sys/vm/swap_pager.c
>
> Modified: head/sys/vm/swap_pager.c
>
> ==============================================================================
> --- head/sys/vm/swap_pager.c    Wed Nov  7 21:36:52 2018        (r340240)
> +++ head/sys/vm/swap_pager.c    Wed Nov  7 23:28:11 2018        (r340241)
> @@ -1972,13 +1972,13 @@ swp_pager_meta_free(vm_object_t object,
> vm_pindex_t pi
>                         swp_pager_update_freerange(&s_free, &n_free,
> sb->d[i]);
>                         sb->d[i] = SWAPBLK_NONE;
>                 }
> +               pindex = sb->p + SWAP_META_PAGES;
>                 if (swp_pager_swblk_empty(sb, 0, start) &&
>                     swp_pager_swblk_empty(sb, limit, SWAP_META_PAGES)) {
>                         SWAP_PCTRIE_REMOVE(&object->un_pager.swp.swp_blks,
>                             sb->p);
>                         uma_zfree(swblk_zone, sb);
>                 }
> -               pindex = sb->p + SWAP_META_PAGES;
>         }
>         swp_pager_freeswapspace(s_free, n_free);
>  }
>
>
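Review bot: moving `pindex = sb->p + SWAP_META_PAGES;` above the conditional is the right fix, because `uma_zfree(swblk_zone, sb)` inside that conditional releases `sb`, and the old placement read `sb->p` after the free; consider adding a one-line comment above the new assignment stating that `sb` may be freed in the block that follows and the next iteration's index therefore has to be computed first. Without such a comment a later refactor could move the assignment back below the free, which is exactly the defect the log attributes to r326329, and as the log notes the stale read is only reliably visible on INVARIANTS kernels where UMA trashing overwrites the freed block and makes the loop exit early.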
