Subject: Re: Instant panic while trying run ports-mgmt/poudriere
From: Andriy Gapon <avg@FreeBSD.org>
To: John-Mark Gurney
Cc: FreeBSD Current, Lawrence Stewart, Pawel Pekala, "K. Macy"
Date: Thu, 27 Aug 2015 10:21:47 +0300
Message-ID: <55DEBA8B.5060009@FreeBSD.org>
In-Reply-To: <20150826233616.GU33167@funkthat.com>

On 27/08/2015 02:36, John-Mark Gurney wrote:
> We should/cannot get here w/ an empty list. If we do, then there is
> something seriously wrong... The current kn (which we must have as we
> are here) MUST be on the list, but as you just showed, there are no
> knotes on the list.
>
> Can you get me a print of the knote? That way I can see what flags
> are on it?

Apologies if the following might sound a little bit patronizing, but it seems that you have got all the facts correctly, but somehow the connection between them did not become clear. So:

1. The list originally is NOT empty. I guess that it has one entry, but that's an unimportant detail.

2. This is why the loop is entered. It's a fact that it is entered.

3. The list becomes empty precisely because the entry is removed during the iteration in the loop (as kib has explained). It's a fact that the list became empty at least in the panic that I reported.

4. The element is not only unlinked from the list, but its memory is also freed.

5. That's why we have the use after free: SLIST_FOREACH is trying to get a pointer to a next element from the freed memory.

6. This is why the commit for trashing the freed memory made all the difference: previously the freed memory was unlikely to be re-used / modified, so the use-after-free had a high chance of succeeding. It's a fact that in my panic there was an attempt to dereference a trashed pointer.

7. Finally, this is why SLIST_FOREACH_SAFE helps here: we stash the pointer to the next element beforehand and, thus, we do not access the freed memory.

Please let me know if you see any fault in the above reasoning or if something is still not clear.

-- 
Andriy Gapon
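A reduced reproduction of the seven-step sequence above, added here as an example and not code from the thread or from the kernel: the SLIST macros are spelled as <sys/queue.h> defines them, `knote_sim`/`knlist_sim` are stand-ins for the kernel's knote list, and the trashing allocator is simulated on static storage so the stale read can be inspected instead of crashing on it.

```c
#include <string.h>
/* The SLIST macros the demo needs, spelled as <sys/queue.h> defines them. */
#define SLIST_HEAD(name, type)  struct name { struct type *slh_first; }
#define SLIST_ENTRY(type)       struct { struct type *sle_next; }
#define SLIST_FIRST(head)       ((head)->slh_first)
#define SLIST_NEXT(elm, field)  ((elm)->field.sle_next)
#define SLIST_INSERT_HEAD(head, elm, field) do { \
	SLIST_NEXT((elm), field) = SLIST_FIRST((head)); SLIST_FIRST((head)) = (elm); } while (0)
#define SLIST_REMOVE_HEAD(head, field) \
	SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field)
#define SLIST_FOREACH_SAFE(var, head, field, tvar) \
	for ((var) = SLIST_FIRST((head)); (var) && ((tvar) = SLIST_NEXT((var), field), 1); (var) = (tvar))

struct knote_sim { SLIST_ENTRY(knote_sim) kn_link; };   /* hypothetical stand-in for a knote */
SLIST_HEAD(knlist_sim, knote_sim);
#define TRASH_BYTE 0xde   /* models the allocator's trash-on-free fill */
/* "Free" a node. With trash set it is overwritten as a trashing allocator would;
 * without it the stale contents survive (the pre-commit situation). Nodes live in
 * static storage, so the stale read in walk_unsafe is a simulation, not real UB. */
static void knote_release(struct knote_sim *kn, int trash) { if (trash) memset(kn, TRASH_BYTE, sizeof(*kn)); }

/* Buggy pattern: SLIST_FOREACH written out as the loop it expands to. The body
 * unlinks and releases kn (point 4), then the loop fetches kn's successor from
 * released memory (5). Returns 1 if that fetch yielded the trash pattern (6; the
 * real loop would dereference it on the next pass), 0 if the walk quietly completed. */
static int walk_unsafe(struct knlist_sim *list, int trash) {
	unsigned char pat[sizeof(void *)]; memset(pat, TRASH_BYTE, sizeof(pat));
	for (struct knote_sim *kn = SLIST_FIRST(list), *next; kn != NULL; kn = next) {
		SLIST_REMOVE_HEAD(list, kn_link);       /* kn is always the head here */
		knote_release(kn, trash);
		next = SLIST_NEXT(kn, kn_link);         /* use after free */
		if (memcmp(&next, pat, sizeof(pat)) == 0) return 1;
	}
	return 0;
}

/* Fixed pattern: SLIST_FOREACH_SAFE stashes the successor before the body runs,
 * so releasing kn never feeds the loop (7). Returns nodes detached, -1 if any remain. */
static int walk_safe(struct knlist_sim *list, int trash) {
	struct knote_sim *kn, *tmp; int n = 0;
	SLIST_FOREACH_SAFE(kn, list, kn_link, tmp) { SLIST_REMOVE_HEAD(list, kn_link); knote_release(kn, trash); n++; }
	return SLIST_FIRST(list) == NULL ? n : -1;
}

/* Constructed input: a fresh list of `count` (<= 4) nodes in static storage. */
static struct knlist_sim *fresh_list(int count) {
	static struct knote_sim pool[4]; static struct knlist_sim list; SLIST_FIRST(&list) = NULL;
	for (int i = 0; i < count; i++) SLIST_INSERT_HEAD(&list, &pool[i], kn_link);
	return &list;
}
```

With trashing off, `walk_unsafe` walks a three-node list to completion and reports nothing, which is exactly why the bug stayed hidden before the trash-on-free commit.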