From owner-freebsd-current@freebsd.org  Thu Aug  6 02:04:56 2015
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 38D269B272D
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Thu,  6 Aug 2015 02:04:56 +0000 (UTC)
 (envelope-from pawel@dawidek.net)
Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72])
 by mx1.freebsd.org (Postfix) with ESMTP id 05EA51B18;
 Thu,  6 Aug 2015 02:04:55 +0000 (UTC)
 (envelope-from pawel@dawidek.net)
Received: from localhost (unknown [91.206.210.19])
 by mail.dawidek.net (Postfix) with ESMTPSA id 1C282F99;
 Thu,  6 Aug 2015 04:04:48 +0200 (CEST)
Date: Thu, 6 Aug 2015 04:06:40 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Ed Maste <emaste@freebsd.org>
Cc: FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: Memory modified after free, seemingly geli related
Message-ID: <20150806020639.GA72832@garage.freebsd.pl>
References: <CAPyFy2B3hN3z+TonbCDiKPxL5v53ZTtms1BXZgdofWzDzZ4X0A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="qDbXVdCdHGoSgWSk"
Content-Disposition: inline
In-Reply-To: <CAPyFy2B3hN3z+TonbCDiKPxL5v53ZTtms1BXZgdofWzDzZ4X0A@mail.gmail.com>
X-OS: FreeBSD 11.0-CURRENT amd64
User-Agent: Mutt/1.5.23 (2014-03-12)
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2015 02:04:56 -0000


--qDbXVdCdHGoSgWSk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Aug 05, 2015 at 03:24:26AM +0000, Ed Maste wrote:
> I've encountered a few memory modified after free panics recently,
> which seem to be from geli. I don't yet have any debugging to
> completely confirm it's geli, but it has not happened on my other test
> laptop which configured similarly but without geli.
>=20
> This has a few local patches from my to-commit-to-HEAD queue.
> FreeBSD volta 11.0-CURRENT FreeBSD 11.0-CURRENT #10
> r284409+6a002d9(staging): Tue Jul  7 17:57:01 EDT 2015
>=20
> panic: Memory modified after free 0xfffff80009d504d8(248) val=3D0 @
> 0xfffff80009d50518

I'm seeing it too. I tracked it down to ZFS. The bio was last owned by
the ZFS::VDEV GEOM class, which is modyfing bio_error on freed bio. I'm
investigating further and will let you know here once I find the
cause.

> cpuid =3D 1
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe01141=
4a880
> vpanic() at vpanic+0x189/frame 0xfffffe011414a900
> panic() at panic+0x43/frame 0xfffffe011414a960
> trash_ctor() at trash_ctor+0x48/frame 0xfffffe011414a970
> uma_zalloc_arg() at uma_zalloc_arg+0x573/frame 0xfffffe011414a9e0
> g_clone_bio() at g_clone_bio+0x1d/frame 0xfffffe011414aa00
> g_eli_start() at g_eli_start+0xbd/frame 0xfffffe011414aa30
> g_io_schedule_down() at g_io_schedule_down+0xe6/frame 0xfffffe011414aa60
> g_down_procbody() at g_down_procbody+0x7d/frame 0xfffffe011414aa70
> fork_exit() at fork_exit+0x84/frame 0xfffffe011414aab0
> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe011414aab0
> --- trap 0, rip =3D 0, rsp =3D 0xfffffe011414ab70, rbp =3D 0 ---

--=20
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com

--qDbXVdCdHGoSgWSk
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJVwsEvAAoJEJVLhSuxKFt1tfcQANiY/At3ViEqnoPjOLfkojek
XXjrkt8VJZK1W5C6IsHMleVUPC/m0InzoC+y0VCzciAgodPw0QcqNFlAu2N1jCwo
rbXiw0qsz/+hTKKtW8HnysnX8arKLSLN3dtsyIHezfOgDaTcAWk+idJS3H1VGNSt
IpPcJuhZgOJ746YK+nIqPVWoxWcLTZXyvxqVhc5UaJUffTjZHGHxSfWUQ29QcGah
nYAzkm8RXAInxw4sOaoQDDY75kJvSAm3m0pHCUzOaypECeXxDNoi0/JFYF2VBYpB
OMapPe/LTx9nznnrpu8BgfmOqeIw99SvmxFYm/2FuQGkwTri4QHX/OCnSfGiuUya
XzWtT7Gje1UZ494TPzktm6uWZbGVWX/64ABP2473a8244Kh7WqHKV2hGh7+hV1Iu
bpRfjDcPr8lpOsuomir0CeVJfmbzBmjzp/bMqZezSEPFLH7X1RQlpXmVcAhxRMBa
aSbg5Rxe/L1o+eb2UpzpVm0TIa7gGL0KKwRnJDTtNVmHvE9BoHYznwrp1SDw7VQM
0Ejr4wSGZxTHyuDrKykOwAwMh8LDyCH88XqHL9/DqNT9RgY5R/yOGUGl6zwTFadL
EGIlvh/QqP46PbYce0yCAZoplaRZTSe1v4JwJUzhyOWQpQa1Bfh5rc6+lLDNWIzo
gEszTW1SwjW8c2m2eaSU
=RFAh
-----END PGP SIGNATURE-----

--qDbXVdCdHGoSgWSk--