Date: Wed, 26 Sep 2018 03:55:56 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 231080] callout struture corruption and panic Message-ID: <bug-231080-227-nHf4xMV0S2@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-231080-227@https.bugs.freebsd.org/bugzilla/> References: <bug-231080-227@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D231080 --- Comment #17 from Mark Johnston <markj@FreeBSD.org> --- (In reply to Sean Bruno from comment #16) The new kernel dump is more useful. The callout looks like this: $2 =3D { c_links =3D { le =3D { le_next =3D 0x11777be9162acbc1, le_prev =3D 0xffffffff80c9a01a }, sle =3D { sle_next =3D 0x11777be9162acbc1 }, tqe =3D { tqe_next =3D 0x11777be9162acbc1, tqe_prev =3D 0xffffffff80c9a01a } }, c_time =3D 577765376, c_precision =3D 0, c_arg =3D 0x6, c_func =3D 0x158, c_lock =3D 0x0, c_flags =3D 0, c_iflags =3D 0, c_cpu =3D 0 } (kgdb) x/s 0xffffffff80c9a01a 0xffffffff80c9a01a: "dr->dt.di.dr_mtx" So the second long word is the beginning of the dr_mtx field of a dbuf_dirty_record_t. (The 0x6 indicates that the lock is already destroyed= .) It thus looks like the structure containing the callout was freed and reused for a dbuf_dirty_record_t. These records are allocated using malloc= (9) and would come from the 512 byte zone (the mutex is at byte offset 192), so we're looking for a structure between 256 and 512 bytes in size containing a struct callout at byte offset 184, assuming that nothing called uma_recla= im() before the dbuf_dirty_record_t was allocated. Since there's been very litt= le page daemon activity on this system, I think that's a safe assumption for n= ow. Using ctfdump -t on the kernel and modules, I find two structures with these properties: struct ata_request and struct lle_entry. The latter seems to b= e a more likely candidate for use-after-free. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-231080-227-nHf4xMV0S2>