From owner-freebsd-net@FreeBSD.ORG  Mon Dec 10 23:21:46 2012
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 145838EA;
 Mon, 10 Dec 2012 23:21:46 +0000 (UTC)
 (envelope-from adrian.chadd@gmail.com)
Received: from mail-vb0-f54.google.com (mail-vb0-f54.google.com
 [209.85.212.54])
 by mx1.freebsd.org (Postfix) with ESMTP id 9043D8FC13;
 Mon, 10 Dec 2012 23:21:45 +0000 (UTC)
Received: by mail-vb0-f54.google.com with SMTP id l1so4011130vba.13
 for <multiple recipients>; Mon, 10 Dec 2012 15:21:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:sender:in-reply-to:references:date
 :x-google-sender-auth:message-id:subject:from:to:cc:content-type;
 bh=KgcJGKZWpZSMhGc6NXwpKpFHRWM6NdN5JQUMoRt2H0M=;
 b=UDohXtR8AUHB4lMTLKFskKu2qk8TtmFEFQMJEfqDEBjyigysaNsekFVmtkgF7Q1vW/
 HzYveLYOVHhHM7DAQ+51SvRgPnqxAFjymYPfWhmrqRypacKguWU/lrlcnYbiRgX/5zwl
 auk+y6WeziFpRBNltiPKwe0xPIuznFuBDs9sasLYXRPYsaHnHSYGuIFQkKdsk3SeUX0l
 JF3hx89o/dCLlqS3rHTiFy9I4K2q6ZpgKoY0Tjcey+SAaCmqKkG7RANPBG2U8JtlOSTU
 WNQDQoMq1qQXRG8KDAsCeZ4vLsOCmNZ6LkB3M/CwEVA1ubjiTJtkZr5gBQnEseX7a30N
 sE9Q==
MIME-Version: 1.0
Received: by 10.58.239.162 with SMTP id vt2mr10326635vec.1.1355181704741; Mon,
 10 Dec 2012 15:21:44 -0800 (PST)
Sender: adrian.chadd@gmail.com
Received: by 10.58.201.202 with HTTP; Mon, 10 Dec 2012 15:21:44 -0800 (PST)
In-Reply-To: <CAMBSHm96ZEiF4mOhUyk-aDS+Gs+hDsh_dMsd-WFcmZ+Sm6Zk+A@mail.gmail.com>
References: <CAGH67wQKUDLQmL8cnWwgzQpWAN2OhKLu0AemPNuy7EOC-i1p9g@mail.gmail.com>
 <CAJ-Vmo=MsSV3DhAVEP36d+FccHDdQz7+y7v5xTjYKyBP0PfQoQ@mail.gmail.com>
 <CAMBSHm96ZEiF4mOhUyk-aDS+Gs+hDsh_dMsd-WFcmZ+Sm6Zk+A@mail.gmail.com>
Date: Mon, 10 Dec 2012 15:21:44 -0800
X-Google-Sender-Auth: 9lN_vMmu972aJdTl6GNcFAu1w6c
Message-ID: <CAJ-Vmok2C_hWd4sDzoVLNWuAzgeP9Cmv6VNfcikDogG_rw8JYg@mail.gmail.com>
Subject: Re: "Memory modified after free" - by whom?
From: Adrian Chadd <adrian@freebsd.org>
To: mdf@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
Cc: Garrett Cooper <yanegomi@gmail.com>, freebsd-net@freebsd.org,
 FreeBSD Current <freebsd-current@freebsd.org>
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Dec 2012 23:21:46 -0000

On 10 December 2012 15:18,  <mdf@freebsd.org> wrote:
> On Mon, Dec 10, 2012 at 3:10 PM, Adrian Chadd <adrian@freebsd.org> wrote:
>> 9216 sounds like a jumbo frame mbuf. So the NIC is writing to an mbuf
>> after it's finalised/freed.
>>
>> I have a similar bug showing up on ath(4) RX. :(
>
> Compile with DEBUG_MEMGUARD in the kernel configuration, and then set
> vm.memguard.desc to the name of the UMA zone used for the 9216 byte
> allocations, mbuf_jumbo_9k.  This should cause a panic when the memory
> is touched after free.

Right, but I think its a _hardware_ access after the buffer has been freed..


Adrian