From: Mike Silbersack
To: freebsd-net@freebsd.org
Date: Wed, 30 Apr 2003 14:35:23 -0500 (CDT)
Subject: Review needed: Mbuf double-free detection patch
Message-ID: <20030430142532.F3741@odysseus.silby.com>

I'd be interested in comments on the attached patch from anyone who's been doing work with network drivers & such.

All it does is add a M_FREELIST flag which is set whenever a mbuf is freed. If m_free or m_freem find this flag to be set, they will panic, as this is a clear sign that the mbuf was freed twice. (All flags are cleared whenever a mbuf is taken off the freelist, so false M_FREELIST hits shouldn't occur.)

The system isn't perfect, as it won't catch mbufs which are reallocated before their second free occurs. However, it does seem to do a good job in catching simple double-free errors, which previously caused corruption that led to panics in codepaths totally unrelated to the original double-free. (One of my double-free tests without this code managed to cause a mutex-related panic, somehow!)

I could probably make this code test for use-after-free by checksumming the entire mbuf when M_FREELIST is set and verifying that the checksum has not changed when the mbuf is reallocated, but I think this code is useful enough as it is.

Comments?

Thanks,

Mike "Silby" Silbersack

[Attachment: mbuf_double_free_detection.patch]
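
The free-list flag check described in the message, together with the checksum extension it mentions, as an added user-space C example; this is not the attached patch and not FreeBSD code. `struct tbuf`, `TB_FREELIST`, `tb_free` and `tb_alloc` are hypothetical names, the flag value is constructed, and `tb_free` returns -1 at the point where the described patch would panic.

```c
#include <stddef.h>
#include <stdint.h>

#define TB_FREELIST 0x4000u  /* constructed value: buffer is on the free list */
#define TB_DATALEN  64

struct tbuf {                /* hypothetical stand-in for an mbuf */
    struct tbuf  *next;
    unsigned      flags;
    uint32_t      sum;       /* payload checksum recorded at free time */
    unsigned char data[TB_DATALEN];
};

static struct tbuf *freelist;

/* FNV-1a over the payload; next/flags change legitimately while free. */
static uint32_t tb_sum(const struct tbuf *b)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < TB_DATALEN; i++)
        h = (h ^ b->data[i]) * 16777619u;
    return h;
}

/* Returns 0, or -1 at the point where the described patch would panic. */
int tb_free(struct tbuf *b)
{
    if (b->flags & TB_FREELIST)
        return -1;           /* already on the free list: double free */
    b->flags |= TB_FREELIST;
    b->sum = tb_sum(b);
    b->next = freelist;
    freelist = b;
    return 0;
}

/* Pops a buffer; *tampered is set to 1 if its payload changed while free. */
struct tbuf *tb_alloc(int *tampered)
{
    struct tbuf *b = freelist;
    if (b == NULL)
        return NULL;
    freelist = b->next;
    *tampered = (tb_sum(b) != b->sum);
    b->flags = 0;            /* every flag is cleared on allocation */
    return b;
}
```

Because allocation clears the flag, a stale second free that arrives after the buffer has been reallocated returns 0 here, which is the limitation the message describes.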