From: "Jonathan T. Looney"
Date: Thu, 8 Nov 2018 10:04:37 -0500
Subject: Re: svn commit: r340241 - head/sys/vm
To: Mark Johnston
Cc: src-committers, svn-src-all@freebsd.org, svn-src-head@freebsd.org

Nice find!

Jonathan

On Wed, Nov 7, 2018 at 6:28 PM Mark Johnston wrote:
> Author: markj
> Date: Wed Nov 7 23:28:11 2018
> New Revision: 340241
> URL: https://svnweb.freebsd.org/changeset/base/340241
>
> Log:
>   Fix a use-after-free in swp_pager_meta_free().
>
>   This was introduced in r326329 and explains the crashes mentioned in
>   the commit log message for r339934.
>   In particular, on INVARIANTS
>   kernels, UMA trashing causes the loop to exit early, leaving swap
>   blocks behind when they should have been freed. After r336984 this
>   became more problematic since new anonymous mappings were more
>   likely to reuse swapped-out subranges of existing VM objects, so faults
>   would trigger pageins of freed memory rather than returning zeroed
>   pages.
>
>   Reviewed by: kib
>   MFC after: 3 days
>   Sponsored by: The FreeBSD Foundation
>   Differential Revision: https://reviews.freebsd.org/D17897
>
> Modified: > head/sys/vm/swap_pager.c > > Modified: head/sys/vm/swap_pager.c > > ============================================================================== > --- head/sys/vm/swap_pager.c Wed Nov 7 21:36:52 2018 (r340240) > +++ head/sys/vm/swap_pager.c Wed Nov 7 23:28:11 2018 (r340241) > @@ -1972,13 +1972,13 @@ swp_pager_meta_free(vm_object_t object, > vm_pindex_t pi > swp_pager_update_freerange(&s_free, &n_free, > sb->d[i]); > sb->d[i] = SWAPBLK_NONE; > } > + pindex = sb->p + SWAP_META_PAGES; > if (swp_pager_swblk_empty(sb, 0, start) && > swp_pager_swblk_empty(sb, limit, SWAP_META_PAGES)) { > SWAP_PCTRIE_REMOVE(&object->un_pager.swp.swp_blks, > sb->p); > uma_zfree(swblk_zone, sb); > } > - pindex = sb->p + SWAP_META_PAGES; > } > swp_pager_freeswapspace(s_free, n_free); > } > >
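Review bot: moving `pindex = sb->p + SWAP_META_PAGES;` above the `if (swp_pager_swblk_empty(...))` block is the right fix, since the old placement read `sb->p` after `uma_zfree(swblk_zone, sb)` could have released the node, but nothing in the hunk now records that hazard, and a later edit that touches `sb` after the `if` block would reintroduce the same use-after-free while only showing up as an early loop exit on INVARIANTS kernels (where UMA trashing overwrites the freed node), silently leaving swap blocks behind everywhere else. A one-line comment above the precomputed `pindex` stating that `sb` may be freed in the block below and must not be dereferenced afterwards would guard against that.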
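An added stand-alone model of the loop in the commit above, not code from r340241 or from FreeBSD: a freeing routine that poisons the node the way UMA trashing does on an INVARIANTS kernel, so the r326329 ordering (read `sb->p` after the free) stops after the first block while the r340241 ordering walks and frees them all. The names `pool`, `live`, `lookup_ge`, `pool_free`, `meta_free`, the block count and the 0xdb fill byte are constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the swp_pager_meta_free() loop: swblk nodes keyed by page
 * index p, each covering SWAP_META_PAGES pages; lookup_ge() plays the role of
 * SWAP_PCTRIE_LOOKUP_GE, pool_free() that of uma_zfree() with UMA trashing on. */
#define SWAP_META_PAGES 32
#define NBLKS 4
#define TRASH_BYTE 0xdb  /* stands in for the fill an INVARIANTS kernel writes on free */
struct swblk { uint64_t p; int empty; };
static struct swblk pool[NBLKS];  /* static storage, so reading a freed block is defined */
static int live[NBLKS];

static void reset_pool(void) {
    for (int i = 0; i < NBLKS; i++) {  /* every block is empty once its range is freed */
        pool[i] = (struct swblk){ .p = (uint64_t)i * SWAP_META_PAGES, .empty = 1 };
        live[i] = 1;
    }
}

static int count_live(void) {
    int n = 0;
    for (int i = 0; i < NBLKS; i++) n += live[i];
    return n;
}

static void pool_free(struct swblk *sb) {
    live[sb - pool] = 0;
    memset(sb, TRASH_BYTE, sizeof(*sb));  /* contents are garbage from here on */
}

static struct swblk *lookup_ge(uint64_t pindex) {
    struct swblk *best = NULL;
    for (int i = 0; i < NBLKS; i++)
        if (live[i] && pool[i].p >= pindex && (best == NULL || pool[i].p < best->p))
            best = &pool[i];
    return best;
}

/* Free swap metadata for pages [start, end); returns how many blocks were visited.
 * fixed == 0 reproduces r326329 (pindex computed after the free), fixed == 1 r340241. */
static int meta_free(uint64_t start, uint64_t end, int fixed) {
    int visited = 0;
    struct swblk *sb;
    for (uint64_t pindex = start; (sb = lookup_ge(pindex)) != NULL && sb->p < end;) {
        visited++;
        if (fixed)
            pindex = sb->p + SWAP_META_PAGES;  /* advance before sb can be freed */
        if (sb->empty)
            pool_free(sb);
        if (!fixed)
            pindex = sb->p + SWAP_META_PAGES;  /* use-after-free: sb->p is trash now */
    }
    return visited;
}
```

With the buggy ordering the trashed `sb->p` pushes `pindex` past every live block, so the loop exits after one iteration and three blocks leak; without trashing the stale value would usually still read correctly, which is why the bug stayed hidden on non-INVARIANTS kernels.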