From: Mark Johnston
Date: Wed, 1 Jun 2016 22:31:35 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r301176 - head/sys/vm

Author: markj
Date: Wed Jun 1 22:31:35 2016
New Revision: 301176

URL: https://svnweb.freebsd.org/changeset/base/301176

Log:
  Fix memguard(9) in kernels with INVARIANTS enabled.

  With r284861, UMA zones use the trash ctor and dtor by default. This is
  incompatible with memguard, which frees the backing page when the item
  is freed. Modify the UMA debug functions to be no-ops if the item was
  allocated from memguard.

  This also fixes constructors such as mb_ctor_pack(), which invokes the
  trash ctor in addition to performing some initialization.

  Reviewed by:	glebius
  MFC after:	3 weeks
  Differential Revision:	https://reviews.freebsd.org/D6562

Modified:
  head/sys/vm/uma_core.c
  head/sys/vm/uma_dbg.c

Modified: head/sys/vm/uma_core.c
==============================================================================
--- head/sys/vm/uma_core.c	Wed Jun 1 22:31:13 2016	(r301175)
+++ head/sys/vm/uma_core.c	Wed Jun 1 22:31:35 2016	(r301176)
@@ -2112,16 +2112,10 @@ uma_zalloc_arg(uma_zone_t zone, void *ud if (memguard_cmp_zone(zone)) { item = memguard_alloc(zone->uz_size, flags); if (item != NULL) { - /* - * Avoid conflict with the use-after-free - * protecting infrastructure from INVARIANTS. - */ if (zone->uz_init != NULL && - zone->uz_init != mtrash_init && zone->uz_init(item, zone->uz_size, flags) != 0) return (NULL); if (zone->uz_ctor != NULL && - zone->uz_ctor != mtrash_ctor && zone->uz_ctor(item, zone->uz_size, udata, flags) != 0) { zone->uz_fini(item, zone->uz_size); @@ -2655,9 +2649,9 @@ uma_zfree_arg(uma_zone_t zone, void *ite return; #ifdef DEBUG_MEMGUARD if (is_memguard_addr(item)) { - if (zone->uz_dtor != NULL && zone->uz_dtor != mtrash_dtor) + if (zone->uz_dtor != NULL) zone->uz_dtor(item, zone->uz_size, udata); - if (zone->uz_fini != NULL && zone->uz_fini != mtrash_fini) + if (zone->uz_fini != NULL) zone->uz_fini(item, zone->uz_size); memguard_free(item); return; Modified: head/sys/vm/uma_dbg.c ============================================================================== --- head/sys/vm/uma_dbg.c Wed Jun 1 22:31:13 2016 (r301175) +++ head/sys/vm/uma_dbg.c Wed Jun 1 22:31:35 2016 (r301176) @@ -33,6 +33,8 @@ #include __FBSDID("$FreeBSD$"); +#include "opt_vm.h" + #include #include #include @@ -49,6 +51,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include static const uint32_t uma_junk = 0xdeadc0de; @@ -57,7 +60,6 @@ static const uint32_t uma_junk = 0xdeadc * prior to subsequent reallocation. * * Complies with standard ctor arg/return - * */ int trash_ctor(void *mem, int size, void *arg, int flags) @@ -65,6 +67,11 @@ trash_ctor(void *mem, int size, void *ar int cnt; uint32_t *p; +#ifdef DEBUG_MEMGUARD + if (is_memguard_addr(mem)) + return (0); +#endif + cnt = size / sizeof(uma_junk); for (p = mem; cnt > 0; cnt--, p++) 
@@ -93,6 +100,11 @@ trash_dtor(void *mem, int size, void *ar int cnt; uint32_t *p; +#ifdef DEBUG_MEMGUARD + if (is_memguard_addr(mem)) + return; +#endif + cnt = size / sizeof(uma_junk); for (p = mem; cnt > 0; cnt--, p++) @@ -131,6 +143,11 @@ mtrash_ctor(void *mem, int size, void *a uint32_t *p = mem; int cnt; +#ifdef DEBUG_MEMGUARD + if (is_memguard_addr(mem)) + return (0); +#endif + size -= sizeof(struct malloc_type *); ksp = (struct malloc_type **)mem; ksp += size / sizeof(struct malloc_type *); @@ -158,6 +175,11 @@ mtrash_dtor(void *mem, int size, void *a int cnt; uint32_t *p; +#ifdef DEBUG_MEMGUARD + if (is_memguard_addr(mem)) + return; +#endif + size -= sizeof(struct malloc_type *); cnt = size / sizeof(uma_junk); @@ -176,6 +198,11 @@ mtrash_init(void *mem, int size, int fla { struct malloc_type **ksp; +#ifdef DEBUG_MEMGUARD + if (is_memguard_addr(mem)) + return (0); +#endif + mtrash_dtor(mem, size, NULL); ksp = (struct malloc_type **)mem;
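Review bot: in the uma_zalloc_arg() hunk the ctor-failure branch still calls `zone->uz_fini(item, zone->uz_size)` with no NULL check, while the uma_zfree_arg() hunk guards the same callback with `if (zone->uz_fini != NULL)`. With the `!= mtrash_ctor` exclusion gone, this branch is now reachable for every memguard-backed zone that has a ctor, so a zone with a ctor but no fini would dereference NULL on a ctor failure; suggest mirroring the free path with `if (zone->uz_fini != NULL) zone->uz_fini(item, zone->uz_size);`. The deleted comment about the INVARIANTS use-after-free infrastructure should also be replaced by a one-line note that the trash ctor/dtor now detect memguard addresses themselves, so the reason no special-casing remains here is recorded in the file.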
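Review bot: the uma_zfree_arg() hunk drops the `!= mtrash_dtor` and `!= mtrash_fini` tests without a comment, so a reader of uma_core.c alone cannot tell why running the trash dtor on an item whose backing page memguard_free() is about to release is safe; the guard that makes it safe lives in uma_dbg.c and is not visible from this call site. A short comment above `memguard_free(item)` saying the debug ctor/dtor/init/fini return early for memguard addresses would make the dependency between the two files explicit, and the two hunks must land together for this path to remain correct.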
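Review bot: the `+#include "opt_vm.h"` hunk in uma_dbg.c is load-bearing rather than cosmetic: DEBUG_MEMGUARD is a kernel config option delivered through that generated header, so without it every `#ifdef DEBUG_MEMGUARD` block added further down would silently compile out and the bug would persist in exactly the INVARIANTS+memguard kernels this commit targets. Placing it ahead of the system headers matches the usual kernel convention; the log message could mention that the option header was missing, since that is the kind of omission that recurs. The stray blank line removed from the trash_ctor() comment block in the `@@ -57,7 +60,6 @@` hunk is unrelated whitespace cleanup and would be cleaner as its own commit.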
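Review bot: the same four-line `#ifdef DEBUG_MEMGUARD` / `if (is_memguard_addr(mem))` / `return` / `#endif` block is pasted into trash_ctor(), trash_dtor(), mtrash_ctor(), mtrash_dtor() and mtrash_init(), differing only in whether it returns `0` or nothing; a small macro or static inline helper would keep the five sites from drifting if the condition ever changes. The guard in mtrash_init() sits before its call to mtrash_dtor(mem, size, NULL), which is itself guarded, so the early return also skips writing the trailing `struct malloc_type *` slot; that is consistent because the guarded mtrash_ctor() and mtrash_dtor() return before reading it. The log says the UMA debug functions become no-ops, but the diff only touches these five; any other init/fini entry points in uma_dbg.c that are not shown need the same guard unless they only call into these guarded functions, which cannot be confirmed from the hunks alone.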