From: "Gumpula, Suresh"
To: "freebsd-hackers@freebsd.org"
Subject: Use after free check for all private zones too
Date: Mon, 4 May 2015 16:49:46 +0000

Hi,

Currently the use-after-free check is available for power-of-2 malloc zones (mtrash_ctor/mtrash_dtor), which writes uma_junk (0xdeadc0de) on freed memory and validates it on reusing the object for others.

Similarly, we (NETAPP) have added a check for all other private zones too, with trash_ctor/trash_dtor. We pass the trash_ctor/trash_dtor to uma_zcreate(9) if it is called with NULL for constructor/destructor.

This change uncovered a couple of bugs internally. One of these is the tcp timer bug:
https://svnweb.freebsd.org/base?view=revision&revision=281599

It's a useful check and uncovers use-after-free bugs. Would like to push this change. Any comments/suggestions please?

Thanks
Suresh
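
The check described in the message above, as an added example that is not part of the original post and is not FreeBSD's UMA code: a user-space model in which a zone created with NULL constructor/destructor gets a junk-filling destructor and a junk-verifying constructor. All `demo_*` names, the one-slot cache and the 64-byte item size are assumptions made for illustration.

```c
/* User-space model of junk-on-free / verify-on-reuse; not FreeBSD's UMA code; demo_* names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define DEMO_JUNK 0xdeadc0deU  /* pattern the message gives for uma_junk */
typedef int  (*demo_ctor_t)(void *item, size_t size);
typedef void (*demo_dtor_t)(void *item, size_t size);
struct demo_zone { size_t size; demo_ctor_t ctor; demo_dtor_t dtor; void *cached; };

/* dtor: poison every 32-bit word of the item when it is freed. */
static void demo_trash_dtor(void *item, size_t size) {
    uint32_t *p = item;
    for (size_t i = 0; i < size / sizeof(*p); i++) p[i] = DEMO_JUNK;
}
/* ctor: on reuse, a word that is no longer junk was written after free. */
static int demo_trash_ctor(void *item, size_t size) {
    const uint32_t *p = item;
    for (size_t i = 0; i < size / sizeof(*p); i++) if (p[i] != DEMO_JUNK) return -1;
    return 0;
}
/* As the message describes: a NULL ctor/dtor is replaced by the trash pair. */
static void demo_zone_init(struct demo_zone *z, size_t size, demo_ctor_t c, demo_dtor_t d) {
    z->size = size; z->cached = NULL;
    z->ctor = c ? c : demo_trash_ctor; z->dtor = d ? d : demo_trash_dtor;
}
static void *demo_zone_alloc(struct demo_zone *z, int *uaf) {
    void *item = z->cached;
    if (item == NULL) {                    /* fresh memory is poisoned first */
        if ((item = malloc(z->size)) == NULL) return NULL;
        demo_trash_dtor(item, z->size);
    }
    z->cached = NULL;
    *uaf = (z->ctor(item, z->size) != 0);  /* a kernel would panic here instead */
    return item;
}
static void demo_zone_free(struct demo_zone *z, void *item) {
    z->dtor(item, z->size);
    free(z->cached); z->cached = item;     /* one-slot cache keeps the demo short */
}
/* Constructed scenario: returns 1 when the reuse check catches a stale write. */
static int demo_scenario(int stale_write) {
    struct demo_zone z; int uaf = 0;
    demo_zone_init(&z, 64, NULL, NULL);
    uint32_t *a = demo_zone_alloc(&z, &uaf);
    if (a == NULL) return -1;
    demo_zone_free(&z, a);
    if (stale_write) a[3] = 42;            /* the bug: write through a freed pointer */
    free(demo_zone_alloc(&z, &uaf));
    return uaf;
}
int main(void) { return (demo_scenario(1) == 1 && demo_scenario(0) == 0) ? 0 : 1; }
```

A check of this kind sees only writes made after free, and only when the item is next handed out; a stale read simply returns the junk pattern.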