Date:      Wed, 26 Sep 2018 03:55:56 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 231080] callout structure corruption and panic
Message-ID:  <bug-231080-227-nHf4xMV0S2@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-231080-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-231080-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231080

--- Comment #17 from Mark Johnston <markj@FreeBSD.org> ---
(In reply to Sean Bruno from comment #16)
The new kernel dump is more useful.  The callout looks like this:

$2 = {
  c_links = {
    le = {
      le_next = 0x11777be9162acbc1,
      le_prev = 0xffffffff80c9a01a
    },
    sle = {
      sle_next = 0x11777be9162acbc1
    },
    tqe = {
      tqe_next = 0x11777be9162acbc1,
      tqe_prev = 0xffffffff80c9a01a
    }
  },
  c_time = 577765376,
  c_precision = 0,
  c_arg = 0x6,
  c_func = 0x158,
  c_lock = 0x0,
  c_flags = 0,
  c_iflags = 0,
  c_cpu = 0
}
(kgdb) x/s 0xffffffff80c9a01a
0xffffffff80c9a01a:     "dr->dt.di.dr_mtx"

So the second long word is the beginning of the dr_mtx field of a
dbuf_dirty_record_t.  (The 0x6 indicates that the lock is already destroyed.)
It thus looks like the structure containing the callout was freed and
reused for a dbuf_dirty_record_t.  These records are allocated using malloc(9)
and would come from the 512-byte zone (the mutex is at byte offset 192), so
we're looking for a structure between 256 and 512 bytes in size containing
a struct callout at byte offset 184, assuming that nothing called uma_reclaim()
before the dbuf_dirty_record_t was allocated.  Since there's been very little
page daemon activity on this system, I think that's a safe assumption for now.

Using ctfdump -t on the kernel and modules, I find two structures with these
properties: struct ata_request and struct lle_entry.  The latter seems to be a
more likely candidate for use-after-free.

-- 
You are receiving this mail because:
You are the assignee for the bug.
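As an added illustration of the overlay reasoning in the comment above (this is not code from the bug report or from FreeBSD), the following C program reconstructs why a dbuf_dirty_record_t whose dr_mtx sits at byte offset 192 would show the mutex name in le_prev and MTX_DESTROYED (0x6) in c_arg of a stale callout at offset 184, and why the candidate container must be 257 to 512 bytes. The struct layouts, the little-endian amd64 field widths and the MTX_DESTROYED value are assumptions modeled on FreeBSD's headers, and the 512-byte chunk contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified amd64 layouts modeled on FreeBSD's sys/_lock.h, sys/_mutex.h and
 * sys/_callout.h (assumption: same field order and widths, not the real headers). */
struct lock_object { const char *lo_name; uint32_t lo_flags; uint32_t lo_data; void *lo_witness; };
struct mtx { struct lock_object lock_object; volatile uintptr_t mtx_lock; };
#define MTX_DESTROYED 0x6UL   /* MTX_CONTESTED | MTX_UNOWNED; assumed value from sys/mutex.h */

struct callout {
    union { struct { void *le_next, *le_prev; } le; } c_links;  /* bytes 0..15 */
    int64_t c_time;          /* offset 16 */
    int64_t c_precision;     /* offset 24 */
    void *c_arg;             /* offset 32 */
    void (*c_func)(void *);
    struct mtx *c_lock;
    int c_flags, c_iflags, c_cpu;
};

#define DR_MTX_OFFSET 192   /* dr_mtx offset inside dbuf_dirty_record_t, per the comment */

/* The dump decoded le_prev as the mutex name (lo_name is the first word of a mutex),
 * so the stale callout must start offsetof(le_prev) bytes before it: 192 - 8 = 184. */
size_t callout_offset_for_mtx(size_t mtx_offset)
{
    return mtx_offset - offsetof(struct callout, c_links.le.le_prev);
}

/* malloc(9) rounds to power-of-two buckets: 257..512 byte requests come from the 512 zone. */
int fits_512_zone(size_t sz) { return sz > 256 && sz <= 512; }

/* Simulate the reuse: a constructed 512-byte chunk is re-initialized as a dirty record whose
 * mutex was already mtx_destroy()ed, then read back through the stale callout view. */
struct callout read_stale_callout(const char **name_out)
{
    static unsigned char chunk[512];   /* the reused 512-byte malloc chunk (constructed) */
    /* lo_name -> le_prev, lo_flags (0x22700000 == 577765376) -> c_time,
     * lo_witness (WITNESS off) -> c_precision, mtx_lock -> c_arg */
    struct mtx m = { { "dr->dt.di.dr_mtx", 0x22700000, 0, NULL }, MTX_DESTROYED };
    memcpy(chunk + DR_MTX_OFFSET, &m, sizeof m);   /* dr_mtx placed at offset 192 */
    struct callout c;
    memcpy(&c, chunk + callout_offset_for_mtx(DR_MTX_OFFSET), sizeof c);
    *name_out = (const char *)c.c_links.le.le_prev;
    return c;
}
```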