From owner-freebsd-current@freebsd.org Thu Aug 6 03:10:06 2015 Return-Path: Delivered-To: freebsd-current@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BD6D89B3A53 for ; Thu, 6 Aug 2015 03:10:06 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from mail.dawidek.net (garage.dawidek.net [91.121.88.72]) by mx1.freebsd.org (Postfix) with ESMTP id 89FD524B; Thu, 6 Aug 2015 03:10:06 +0000 (UTC) (envelope-from pawel@dawidek.net) Received: from localhost (unknown [91.206.210.19]) by mail.dawidek.net (Postfix) with ESMTPSA id B5FFCFAF; Thu, 6 Aug 2015 05:10:04 +0200 (CEST) Date: Thu, 6 Aug 2015 05:11:57 +0200 From: Pawel Jakub Dawidek To: Ed Maste Cc: FreeBSD Current Subject: Re: Memory modified after free, seemingly geli related Message-ID: <20150806031157.GA1116@garage.freebsd.pl> References: <20150806020639.GA72832@garage.freebsd.pl> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="cWoXeonUoKmBZSoM" Content-Disposition: inline In-Reply-To: <20150806020639.GA72832@garage.freebsd.pl> X-OS: FreeBSD 11.0-CURRENT amd64 User-Agent: Mutt/1.5.23 (2014-03-12) X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Aug 2015 03:10:06 -0000 --cWoXeonUoKmBZSoM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 06, 2015 at 04:06:40AM +0200, Pawel Jakub Dawidek wrote: > On Wed, Aug 05, 2015 at 03:24:26AM +0000, Ed Maste wrote: > > I've encountered a few memory modified after free panics recently, > > which seem to be from geli. I don't yet have any debugging to > > completely confirm it's geli, but it has not happened on my other test > > laptop which configured similarly but without geli. > >=20 > > This has a few local patches from my to-commit-to-HEAD queue. > > FreeBSD volta 11.0-CURRENT FreeBSD 11.0-CURRENT #10 > > r284409+6a002d9(staging): Tue Jul 7 17:57:01 EDT 2015 > >=20 > > panic: Memory modified after free 0xfffff80009d504d8(248) val=3D0 @ > > 0xfffff80009d50518 >=20 > I'm seeing it too. I tracked it down to ZFS. The bio was last owned by > the ZFS::VDEV GEOM class, which is modyfing bio_error on freed bio. I'm > investigating further and will let you know here once I find the > cause. Ok. It was bio from ZFS in my case, but it was GELI which modified bio_error after delivering bio. This patch fixes the race: http://people.freebsd.org/~pjd/patches/geom_eli.patch Using bio after calling crypto_dispatch() is a bug. 'done' callbacks might have already called g_io_deliver() and upper layer might have already freed the bio. I'm not fully convinced that panic is the right response to crypto_dispatch() failure. It means that the driver failed our request and didn't call our callback, which is bad as we never complete the I/O. The crypto drivers tend to return errors only if the request itself is bogus, but that is program's bug and not a runtime condition. In other words panic should be fine here. --=20 Pawel Jakub Dawidek http://www.wheelsystems.com FreeBSD committer http://www.FreeBSD.org Am I Evil? Yes, I Am! http://mobter.com --cWoXeonUoKmBZSoM Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJVwtB8AAoJEJVLhSuxKFt1hskQAM+kFb9+WyRSbbGuJFgtLoIz SbP8LDCo59z6Tj+U4CbB8LtIWn2iN2v5CXX59eZvWeU175mfcZN2H4z6nBdcFFB8 ZmYzR5ua8a1WGgjs3npxfZsZDrntteVA/j4Xf4SwW4pvtjwYGzyPDKTjjXcsXSQU UK8JV0yfn5M5yweDP17ghgFnk5z3lr1iFPvCjrg/VRjHds9LDT864gmpLYc+mTHU WLByFEA5rHO7+9ZKY0SqGxU9hLCQ1FpgicGnUK/tbNd6uTxR5fILrLZ40TPkkDXx HlQ8cCrj88PxQY/dkB52RxR3t/DM9IqswM8lsLz2iuzkYoBeAWQFyM9WilXNZfbS hitwze2uRGY5roZZRxfdykL9W5IEy0gAm3A8OeBod+VA0a6W4KMSuMC8osv9bHtR RBDSwqUlzKIHjU3sODl/GDDL130HRj4IinVjdh0pcCUaSbDf2HdNPHwEv7g5YMtH jJJOCqD9OI+bf8CkDaiUh3ahn2WA176R1QrDQVXYDEOZLiBrj8F89S95iT20SPD8 SFWfgTtfjW46m3dIItKJYu0QmdwRXl98gpNb2dQGRp22MBED8aNvDhkqshC2CZ0u gRuH+N1btFBXFaNgW0A05kCtJ+TX50Ydfedbd4CCCi33+EPV3CWKbbf925zoonaR tPrUnrlmVpoBhF7PmVoT =rfyX -----END PGP SIGNATURE----- --cWoXeonUoKmBZSoM--