From owner-freebsd-net@FreeBSD.ORG  Tue Dec 11 01:37:18 2012
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id B8F8C9F3;
 Tue, 11 Dec 2012 01:37:18 +0000 (UTC)
 (envelope-from yanegomi@gmail.com)
Received: from mail-oa0-f54.google.com (mail-oa0-f54.google.com
 [209.85.219.54])
 by mx1.freebsd.org (Postfix) with ESMTP id 44F1A8FC0C;
 Tue, 11 Dec 2012 01:37:17 +0000 (UTC)
Received: by mail-oa0-f54.google.com with SMTP id n9so4142047oag.13
 for <multiple recipients>; Mon, 10 Dec 2012 17:37:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=cWNkoDULkc/Uje2L8kLnPciq24V/jCjHh6F67TwbbCs=;
 b=DPStZoY6aAiAnOFNpGRbfmDnp1AuCtrxcqNbjv6toRWtg1uAPOh3g9UQ4dW8gwFb/t
 OemnD4Q2Qjro67dhRGhO0AoEOv/qfqq/R6akZ0q9OEHSWyzJIFjYO2aeMv7eX54T9eaS
 yRilSvZ7P9gaozFo9V7ECEfItIpd/BOHxTNohmeDkZ4gqKkk8hLK2iv/5J+3TcKJZutM
 aIhNo6A/dAUXuz/sinSA09F2iosXcBLULpOYytRdAF7hsiNWUh9mqXhEttEzLiU3PlAp
 N9moztY8vzT7Bziw0blXS6dbj3fATei0yGXMGJ25ggEbBCuwegt8F59xUZ3gyXsFcdd0
 IzoA==
MIME-Version: 1.0
Received: by 10.182.131.100 with SMTP id ol4mr8421128obb.38.1355189837412;
 Mon, 10 Dec 2012 17:37:17 -0800 (PST)
Received: by 10.76.143.33 with HTTP; Mon, 10 Dec 2012 17:37:17 -0800 (PST)
In-Reply-To: <CAJ-Vmok2C_hWd4sDzoVLNWuAzgeP9Cmv6VNfcikDogG_rw8JYg@mail.gmail.com>
References: <CAGH67wQKUDLQmL8cnWwgzQpWAN2OhKLu0AemPNuy7EOC-i1p9g@mail.gmail.com>
 <CAJ-Vmo=MsSV3DhAVEP36d+FccHDdQz7+y7v5xTjYKyBP0PfQoQ@mail.gmail.com>
 <CAMBSHm96ZEiF4mOhUyk-aDS+Gs+hDsh_dMsd-WFcmZ+Sm6Zk+A@mail.gmail.com>
 <CAJ-Vmok2C_hWd4sDzoVLNWuAzgeP9Cmv6VNfcikDogG_rw8JYg@mail.gmail.com>
Date: Mon, 10 Dec 2012 17:37:17 -0800
Message-ID: <CAGH67wSQMwUHWRkTde7xkeTx2AR5Q=1dV-6amKgDE_HbOA-U7g@mail.gmail.com>
Subject: Re: "Memory modified after free" - by whom?
From: Garrett Cooper <yanegomi@gmail.com>
To: Adrian Chadd <adrian@freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1
Cc: mdf@freebsd.org, FreeBSD Current <freebsd-current@freebsd.org>,
 freebsd-net@freebsd.org
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Dec 2012 01:37:18 -0000

On Mon, Dec 10, 2012 at 3:21 PM, Adrian Chadd <adrian@freebsd.org> wrote:
> On 10 December 2012 15:18,  <mdf@freebsd.org> wrote:
>> On Mon, Dec 10, 2012 at 3:10 PM, Adrian Chadd <adrian@freebsd.org> wrote:
>>> 9216 sounds like a jumbo frame mbuf. So the NIC is writing to an mbuf
>>> after it's finalised/freed.
>>>
>>> I have a similar bug showing up on ath(4) RX. :(
>>
>> Compile with DEBUG_MEMGUARD in the kernel configuration, and then set
>> vm.memguard.desc to the name of the UMA zone used for the 9216 byte
>> allocations, mbuf_jumbo_9k.  This should cause a panic when the memory
>> is touched after free.
>
> Right, but I think its a _hardware_ access after the buffer has been freed..

    At least that will give me an idea of who to punt the bug over to
next (assuming it lists the driver) -- one of the network folks, jfv,
or np :). It seems to be a recent change that's causing this (it's
spewing out these warnings every couple seconds), but that might also
be related to me getting lagg working on CURRENT as my last known base
was 9-STABLE and a lot of networking changes haven't been MFCed :).
    I could probably look through the code too after compiling it, but
it would take too long.
Thanks!
-Garrett