From owner-freebsd-bugs@FreeBSD.ORG Thu Jul 24 18:04:19 2014
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 192098] New: DEBUG_MEMGUARD and INVARIANTS duplicate "double-free" detection logic
Date: Thu, 24 Jul 2014 18:04:19 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: yaneurabeya@gmail.com
X-Bugzilla-Status: Needs Triage
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192098

            Bug ID: 192098
           Summary: DEBUG_MEMGUARD and INVARIANTS duplicate "double-free" detection logic
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: yaneurabeya@gmail.com

The code in sys/vm/memguard.c and sys/vm/uma_dbg.c both attempt to detect
double-frees, but when I have both DEBUG_MEMGUARD and INVARIANTS compiled in
and try to run my "bad_memory" kld, a double-free trips the panic in
uma_dbg.c, not memguard.c:

memguard.c:

    static u_long *
    v2sizep(vm_offset_t va)
    {
            vm_paddr_t pa;
            struct vm_page *p;

            pa = pmap_kextract(va);
            if (pa == 0)
                    panic("MemGuard detected double-free of %p", (void *)va);
            p = PHYS_TO_VM_PAGE(pa);
            KASSERT(p->wire_count != 0 && p->queue == PQ_NONE,
                ("MEMGUARD: Expected wired page %p in vtomgfifo!", p));
            return (&p->plinks.memguard.p);
    }

    static u_long *
    v2sizev(vm_offset_t va)
    {
            vm_paddr_t pa;
            struct vm_page *p;

            pa = pmap_kextract(va);
            if (pa == 0)
                    panic("MemGuard detected double-free of %p", (void *)va);
            p = PHYS_TO_VM_PAGE(pa);
            KASSERT(p->wire_count != 0 && p->queue == PQ_NONE,
                ("MEMGUARD: Expected wired page %p in vtomgfifo!", p));
            return (&p->plinks.memguard.v);
    }

uma_dbg.c:

            if (!BIT_ISSET(SLAB_SETSIZE, freei, &slab->us_debugfree))
                    panic("Duplicate free of %p from zone %p(%s) slab %p(%d)\n",
                        item, zone, zone->uz_name, slab, freei);

Unread portion of the kernel message buffer:

Running callback for double_free
panic: Duplicate free of 0xfffff80003d1cf40 from zone 0xfffff800bfee4000(16) slab 0xfffff80003d1cf90(244)
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe030c759530
kdb_backtrace() at kdb_backtrace+0x39/frame 0xfffffe030c7595e0
vpanic() at vpanic+0x126/frame 0xfffffe030c759620
panic() at panic+0x43/frame 0xfffffe030c759680
uma_dbg_free() at uma_dbg_free+0x101/frame 0xfffffe030c7596b0
uma_zfree_arg() at uma_zfree_arg+0xf6/frame 0xfffffe030c759730
free() at free+0xad/frame 0xfffffe030c759760
sysctl_test_bad_memory_operation() at sysctl_test_bad_memory_operation+0x88/frame 0xfffffe030c7597a0
sysctl_root_handler_locked() at sysctl_root_handler_locked+0x68/frame 0xfffffe030c7597e0
sysctl_root() at sysctl_root+0x18e/frame 0xfffffe030c759830
userland_sysctl() at userland_sysctl+0x192/frame 0xfffffe030c7598d0
sys___sysctl() at sys___sysctl+0x74/frame 0xfffffe030c759980
amd64_syscall() at amd64_syscall+0x2b3/frame 0xfffffe030c759ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe030c759ab0
--- syscall (202, FreeBSD ELF64, sys___sysctl), rip = 0x80094491a, rsp = 0x7fffffffda18, rbp = 0x7fffffffda50 ---
KDB: enter: panic

Reading symbols from /boot/kernel/aio.ko.symbols...done.
Loaded symbols for /boot/kernel/aio.ko.symbols
Reading symbols from /boot/kernel/bad_memory.ko...done.
Loaded symbols for /boot/kernel/bad_memory.ko
#0  doadump (textdump=60780544) at pcpu.h:219
219     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) #0  doadump (textdump=60780544) at pcpu.h:219
#1  0xffffffff80348655 in db_fncall (dummy1=, dummy2=, dummy3=, dummy4=) at /usr/src/sys/ddb/db_command.c:578
#2  0xffffffff8034833d in db_command (cmd_table=0x0) at /usr/src/sys/ddb/db_command.c:449
#3  0xffffffff803480b4 in db_command_loop () at /usr/src/sys/ddb/db_command.c:502
#4  0xffffffff8034ab30 in db_trap (type=, code=0) at /usr/src/sys/ddb/db_main.c:231
#5  0xffffffff8094cae9 in kdb_trap (type=3, code=0, tf=) at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80d34b42 in trap (frame=0xfffffe030c759510) at /usr/src/sys/amd64/amd64/trap.c:541
#7  0xffffffff80d16c89 in skiphook () at /usr/src/sys/amd64/amd64/exception.S:245
#8  0xffffffff815c5e20 in cnputs_mtx ()
#9  0x0000000000000080 in ?? ()
#10 0xfffffe030c7594c0 in ?? ()
#11 0x0000000000000080 in ?? ()
#12 0x0000000000000000 in ?? ()
Current language:  auto; currently minimal

The checks in memguard.c should be guarded by `#if !defined(INVARIANTS) ...
#endif' to eliminate unnecessary overhead double-checking this condition.

Reproduction steps:

Run the following commands as root:

- git clone https://github.com/yaneurabeya/scratch
- cd scratch/testing/tools/bad_memory
- for s in obj depend all install; do make $s || break; done
- kldload bad_memory
- sysctl test.bad_memory_operation=double_free

-- 
You are receiving this mail because:
You are the assignee for the bug.
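The duplicate-free check quoted above from uma_dbg.c, modeled in user-space C as an added example (not FreeBSD's code): a per-slab free bitmap stands in for us_debugfree, and the item size, slab size and return codes are assumptions. It covers only the UMA side; the memguard.c check depends on pmap_kextract() finding the freed page unmapped, which this model does not reproduce.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed user-space model (not FreeBSD code) of the per-slab
 * us_debugfree bitmap that uma_dbg_free() consults: bit i set means
 * item i is currently free, so freeing it again is a duplicate free. */
#define SLAB_SETSIZE 64   /* assumed: items per slab (fits one uint64_t) */
#define ITEM_SIZE    16   /* assumed: matches the "(16)" zone in the panic */

struct slab {
    uint8_t  data[SLAB_SETSIZE * ITEM_SIZE]; /* the slab's items */
    uint64_t debugfree;                      /* stands in for us_debugfree */
};

enum { FREE_OK = 0, FREE_DUPLICATE = -1, FREE_NOT_IN_SLAB = -2 };

/* A fresh slab has every item free. */
static void slab_init(struct slab *s) {
    memset(s->data, 0, sizeof(s->data));
    s->debugfree = ~UINT64_C(0);
}

/* Hand out the lowest free item and clear its free bit; NULL when exhausted. */
static void *slab_alloc(struct slab *s) {
    for (int i = 0; i < SLAB_SETSIZE; i++) {
        if (s->debugfree & (UINT64_C(1) << i)) {
            s->debugfree &= ~(UINT64_C(1) << i);
            return s->data + (size_t)i * ITEM_SIZE;
        }
    }
    return NULL;
}

/* The check the report quotes from uma_dbg.c: derive the item index from
 * the pointer and reject it if its free bit is already set. */
static int slab_dbg_free(struct slab *s, const void *item) {
    const uint8_t *p = item;
    if (p < s->data || p >= s->data + sizeof(s->data))
        return FREE_NOT_IN_SLAB;
    int freei = (int)((p - s->data) / ITEM_SIZE);
    if (s->debugfree & (UINT64_C(1) << freei))
        return FREE_DUPLICATE;   /* the kernel panics "Duplicate free of %p" here */
    s->debugfree |= (UINT64_C(1) << freei);
    return FREE_OK;
}
```

Freeing the same item twice returns FREE_DUPLICATE on the second call, which is the path the backtrace shows uma_dbg_free() taking under INVARIANTS before memguard's pmap_kextract() check is ever reached.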