Date: Sun, 28 Aug 2016 05:30:20 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-fs@FreeBSD.org
Subject: [Bug 212168] [panic] [UFS] use-after-free panic (0xdeadc0dedeadc0de)
Message-ID: <bug-212168-3630-WfJsy7Wp9n@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-212168-3630@https.bugs.freebsd.org/bugzilla/>
References: <bug-212168-3630@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=212168

--- Comment #6 from Peter Wemm <peter@FreeBSD.org> ---

It is very confusing as the compiler is doing extensive inlining. As near as I can tell, the area you asked about is like this:

softdep_freefile():
        handle_bufwait(inodedep, &freefile->fx_jwork);
7568    clear_unlinked_inodedep(inodedep);
  -> clear_unlinked_inodedep():
9685:   bwrite(bp);
        ACQUIRE_LOCK(ump);
  -> bwrite():
393:    return (BO_WRITE(bp->b_bufobj, bp));
  -> I'm confused after here.

The return address of the frame is softdep_freefile+0x66c, which is the inlined sys/buf.h BO_WRITE macro.

I *think* the chain continues from BO_WRITE() -> ffs_bufwrite() -> bufwrite() -> bstrategy() -> ffs_geom_strategy().

I am 100% confident that it is originating from clear_unlinked_inodedep(). 99% sure it is the first bwrite(), not the second one at line 9699.

Is this of any help?

-- 
You are receiving this mail because:
You are the assignee for the bug.
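The value in the bug title, 0xdeadc0dedeadc0de, is what a 64-bit read from freed kernel memory returns when the allocator has trashed the item: FreeBSD's UMA fills freed items with the 32-bit junk word 0xdeadc0de when the kernel is built with INVARIANTS, so a dangling pointer read shows two copies of that word. The following is an added user-space model of that behaviour, written for this page and not taken from the bug report or from the FreeBSD sources; the names trash_free, is_trashed_word and count_junk_words are assumptions of this example, and the allocator "free" is simulated by poisoning the memory in place rather than releasing it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Junk word UMA writes over freed items under INVARIANTS (uma_junk in
 * sys/vm/uma_dbg.c). Everything below is a simplified user-space model. */
#define UMA_JUNK 0xdeadc0deU

struct item {
    void *next;      /* a pointer field a use-after-free would read back */
    uint64_t data;
};

/* Simulated free with trashing: overwrite the item with the junk pattern
 * instead of handing it back to the system allocator. */
static void trash_free(void *p, size_t len)
{
    unsigned char *b = p;
    uint32_t junk = UMA_JUNK;
    for (size_t off = 0; off + sizeof junk <= len; off += sizeof junk)
        memcpy(b + off, &junk, sizeof junk);
}

/* Triage check: does a 64-bit value from a panic message or register dump
 * match two adjacent junk words, i.e. a read through a dangling pointer? */
static int is_trashed_word(uint64_t v)
{
    return v == (((uint64_t)UMA_JUNK << 32) | UMA_JUNK);
}

/* Count how many 32-bit words of a buffer still carry the junk pattern;
 * useful when inspecting a dumped object to see if it was freed. */
static size_t count_junk_words(const void *p, size_t len)
{
    const unsigned char *b = p;
    uint32_t w;
    size_t n = 0;
    for (size_t off = 0; off + sizeof w <= len; off += sizeof w) {
        memcpy(&w, b + off, sizeof w);
        if (w == UMA_JUNK)
            n++;
    }
    return n;
}

/* Reproduce the symptom: free (poison) an item, then read a field through the
 * stale pointer. Returns the raw 64-bit value the stale read produced. */
static uint64_t dangling_read_demo(void)
{
    struct item *it = malloc(sizeof *it);
    uint64_t seen = 0;
    if (it == NULL)
        return 0;
    it->next = NULL;
    it->data = 42;
    trash_free(it, sizeof *it);              /* item is now "freed" */
    memcpy(&seen, it, sizeof seen);          /* use after free: reads junk */
    free(it);                                /* real release for the demo */
    return seen;
}

/* Junk-word count over a constructed 64-byte object after it is freed. */
static size_t junk_count_after_free(void)
{
    unsigned char obj[64];
    memset(obj, 0, sizeof obj);
    trash_free(obj, sizeof obj);
    return count_junk_words(obj, sizeof obj);
}

int main(void)
{
    uint64_t v = dangling_read_demo();
    printf("stale read returned 0x%016llx (%s)\n", (unsigned long long)v,
           is_trashed_word(v) ? "looks like freed memory" : "not junk");
    printf("%zu junk words in the freed 64-byte object\n",
           junk_count_after_free());
    return 0;
}
```

The stale read returns 0xdeadc0dedeadc0de on both little- and big-endian hosts because the pattern is a repeated 32-bit word, which is why the same value appears in the panic regardless of which field of the freed structure was dereferenced.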