Date:      Thu, 6 Aug 2015 04:06:40 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Ed Maste <emaste@freebsd.org>
Cc:        FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: Memory modified after free, seemingly geli related
Message-ID:  <20150806020639.GA72832@garage.freebsd.pl>
In-Reply-To: <CAPyFy2B3hN3z%2BTonbCDiKPxL5v53ZTtms1BXZgdofWzDzZ4X0A@mail.gmail.com>
References:  <CAPyFy2B3hN3z%2BTonbCDiKPxL5v53ZTtms1BXZgdofWzDzZ4X0A@mail.gmail.com>

On Wed, Aug 05, 2015 at 03:24:26AM +0000, Ed Maste wrote:
> I've encountered a few memory modified after free panics recently,
> which seem to be from geli. I don't yet have any debugging to
> completely confirm it's geli, but it has not happened on my other test
> laptop which is configured similarly but without geli.
>
> This has a few local patches from my to-commit-to-HEAD queue.
> FreeBSD volta 11.0-CURRENT FreeBSD 11.0-CURRENT #10
> r284409+6a002d9(staging): Tue Jul  7 17:57:01 EDT 2015
>
> panic: Memory modified after free 0xfffff80009d504d8(248) val=0 @
> 0xfffff80009d50518

I'm seeing it too. I tracked it down to ZFS. The bio was last owned by
the ZFS::VDEV GEOM class, which is modifying bio_error on freed bio. I'm
investigating further and will let you know here once I find the
cause.

> cpuid = 1
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe011414a880
> vpanic() at vpanic+0x189/frame 0xfffffe011414a900
> panic() at panic+0x43/frame 0xfffffe011414a960
> trash_ctor() at trash_ctor+0x48/frame 0xfffffe011414a970
> uma_zalloc_arg() at uma_zalloc_arg+0x573/frame 0xfffffe011414a9e0
> g_clone_bio() at g_clone_bio+0x1d/frame 0xfffffe011414aa00
> g_eli_start() at g_eli_start+0xbd/frame 0xfffffe011414aa30
> g_io_schedule_down() at g_io_schedule_down+0xe6/frame 0xfffffe011414aa60
> g_down_procbody() at g_down_procbody+0x7d/frame 0xfffffe011414aa70
> fork_exit() at fork_exit+0x84/frame 0xfffffe011414aab0
> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe011414aab0
> --- trap 0, rip = 0, rsp = 0xfffffe011414ab70, rbp = 0 ---

-- 
Pawel Jakub Dawidek                       http://www.wheelsystems.com
FreeBSD committer                         http://www.FreeBSD.org
Am I Evil? Yes, I Am!                     http://mobter.com
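
The backtrace above shows the panic being raised at allocation time (trash_ctor() under uma_zalloc_arg()), not at the moment of the stray write. The following userland sketch of that poison-on-free, check-on-reuse pattern is an added example, not part of the original message and not FreeBSD's code. The poison word, the function names and the one-item "cache" are assumptions; the 248-byte size and the 0x40 offset (0xfffff80009d50518 - 0xfffff80009d504d8) come from the panic line.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITEM_SIZE 248       /* item size reported in the panic line */
#define JUNK 0xdeadc0deU    /* poison word: an assumption of this sketch */
#define NWORDS (ITEM_SIZE / sizeof(uint32_t))

static uint32_t slot[NWORDS];   /* one-item stand-in for the allocator cache */

/* Debug destructor: poison the item as it goes back to the cache. */
static void poison_on_free(void *item)
{
    uint32_t *p = item;
    for (size_t i = 0; i < NWORDS; i++)
        p[i] = JUNK;
}

/* Debug constructor: return the byte offset of the first word that no longer
 * holds the poison (its value goes to *val), or -1 if the item is intact. */
static long check_on_alloc(const void *item, uint32_t *val)
{
    const uint32_t *p = item;
    for (size_t i = 0; i < NWORDS; i++) {
        if (p[i] != JUNK) {
            *val = p[i];
            return (long)(i * sizeof(*p));
        }
    }
    return -1;
}

/* Replay the sequence: release, late write by the old owner, reuse. */
static long simulate_stale_write(size_t off, uint32_t *val)
{
    unsigned char *stale = (unsigned char *)slot; /* old owner keeps its pointer */
    poison_on_free(slot);                         /* item returns to the cache */
    if (off + sizeof(uint32_t) <= ITEM_SIZE)
        memset(stale + off, 0, sizeof(uint32_t)); /* late write of 0 via old pointer */
    return check_on_alloc(slot, val);             /* next allocation notices it */
}

int main(void)
{
    uint32_t val = 0xffffffffU;
    long off = simulate_stale_write(0x40, &val);
    printf("modified after free: val=%x @ +0x%lx\n", (unsigned)val, (unsigned long)off);
    return 0;
}
```

Because the check only runs on the next allocation, the thread that trips it (g_eli_start() here) is the victim of the reuse, not necessarily the code that performed the write.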
