Date: Wed, 07 Jan 2015 13:44:34 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 191359] [memguard] [panic] Memory modified after free w/MEMGUARD build
Message-ID: <bug-191359-8-x4uwKr40jZ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-191359-8@https.bugs.freebsd.org/bugzilla/>
References: <bug-191359-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=191359

luke.tw@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |luke.tw@gmail.com

--- Comment #1 from luke.tw@gmail.com ---
Dear Peter,

I managed to find the root cause. The bug can be reproduced by setting "sysctl vm.memguard.options=2" and generating ssh activity:

1. memguard.options = 2 enables memguard to protect all allocations that are bigger than PAGE_SIZE.
2. ssh activity allocates mbufs that use a zone with the UMA_ZONE_REFCNT flag. The zone is protected by memguard.

However, these two features save values in the same union, plinks, in vm_page:

1. memguard saves the allocation size in vm_page->plinks.memguard.v
2. UMA_ZONE_REFCNT saves the refcount in vm_page->plinks.s.pv

The following patch can work around this bug.

Index: sys/vm/memguard.c
===================================================================
--- sys/vm/memguard.c	(revision 276729)
+++ sys/vm/memguard.c	(working copy)
@@ -506,6 +506,9 @@
 zone->uz_flags & UMA_ZONE_NOFREE)
 return (0);

+ if (zone->uz_flags & UMA_ZONE_REFCNT)
+ return (0);
+
 if (memguard_cmp(zone->uz_size))
 return (1);

--
You are receiving this mail because:
You are the assignee for the bug.
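Review bot: the new UMA_ZONE_REFCNT check in this hunk sidesteps the plinks union conflict by removing memguard coverage from every refcount zone, so a zone that would otherwise qualify under vm.memguard.options=2 (the mbuf zone named in the comment) is now silently unguarded rather than the conflict being resolved. The `if` should carry a comment naming the reason, for example `/* UMA_ZONE_REFCNT zones keep the refcount in vm_page plinks, which memguard also uses. */`, so the next reader does not mistake it for a performance exclusion like the UMA_ZONE_NOFREE case just above it, and the sysctl description for vm.memguard.options should state the exclusion so users do not assume those allocations are protected.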
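As an added illustration (not FreeBSD code), the following models the aliasing the comment describes: a vm_page-like struct whose plinks union holds either memguard's recorded size or the refcount pointer, so attaching the refcount overwrites the size, plus a zone-acceptance function mirroring the patched decision. The flag values, struct names and the size comparison standing in for memguard_cmp() are constructed simplifications.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins; real FreeBSD flag values and layouts differ. */
#define PAGE_SIZE       4096u
#define UMA_ZONE_NOFREE 0x0020u
#define UMA_ZONE_REFCNT 0x0400u

/* Simplified vm_page: only one member of the plinks union can be live at a time. */
struct fake_page {
    union {
        struct { uint32_t *pv; } s;      /* UMA_ZONE_REFCNT: refcount pointer */
        struct { size_t v; } memguard;   /* memguard: recorded allocation size */
    } plinks;
};

struct fake_zone { unsigned uz_flags; size_t uz_size; };

/* memguard records the size it protected in the page's plinks. */
static void memguard_record_size(struct fake_page *p, size_t sz) { p->plinks.memguard.v = sz; }

/* The refcount path stores its pointer in the overlapping member. */
static void refcnt_attach(struct fake_page *p, uint32_t *slot) { p->plinks.s.pv = slot; }

/* Returns 1 if the recorded size survives a refcount attach, 0 if it was clobbered. */
int memguard_size_survives(void)
{
    struct fake_page p;
    uint32_t rc = 1;

    memguard_record_size(&p, 2 * PAGE_SIZE);
    refcnt_attach(&p, &rc);               /* overwrites plinks.memguard.v with &rc */
    return p.plinks.memguard.v == 2 * PAGE_SIZE;
}

/* Mirrors the patched decision: skip NOFREE and REFCNT zones, otherwise guard
 * zones whose items exceed PAGE_SIZE (the options=2 policy, simplified). */
int memguard_zone_ok(const struct fake_zone *z)
{
    if (z->uz_flags & UMA_ZONE_NOFREE)
        return 0;
    if (z->uz_flags & UMA_ZONE_REFCNT)    /* would alias plinks.s.pv, see above */
        return 0;
    return z->uz_size > PAGE_SIZE;
}
```

memguard_size_survives() returns 0 on any platform where the two union members overlap, which is the whole point of the report; memguard_zone_ok() returns 0 for a refcount zone even when its item size would otherwise qualify.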