FreeBSD Bugzilla – Attachment 182123 Details for
Bug 218911
[uma] Memory corruption with certain item sizes
[patch]
graid modification to reproduce the issue more conveniently
graid-modification-to-trigger-uma-corruption.diff (text/plain), 14.27 KB, created by
Fabian Keil
on 2017-04-27 11:20:23 UTC
>From b542966614f2e8afae3ac101e17dd847302c0b66 Mon Sep 17 00:00:00 2001 
>From: Fabian Keil <fk@fabiankeil.de> >Date: Tue, 25 Apr 2017 19:07:11 +0200 >Subject: [PATCH 1/3] graid: Add unrelated test code for UMA debugging purposes > >Currently certain UMA zone item sizes result in memory corruption. > >Abuse g_raid_init() to create a zone with item size >kern.geom.raid.uma_test_zone_item_size and do a couple >of allocations and frees to trigger the problem. > >With the defaults (and INVARIANTS enabled) loading the module will end with: > > GEOM_RAID[1]: Freeing item after filling 65420 bytes. > GEOM_RAID[1]: Freeing item after filling 65421 bytes. > GEOM_RAID[1]: Freeing item after filling 65422 bytes. > GEOM_RAID[1]: Freeing item after filling 65423 bytes. > GEOM_RAID[1]: Freeing item after filling 65424 bytes. > GEOM_RAID[1]: Freeing item after filling 65425 bytes. > > Fatal trap 18: integer divide fault while in kernel mode > cpuid = 0; apic id = 00 > instruction pointer = 0x20:0xffffffff80b5c46d > stack pointer = 0x28:0xfffffe00c3c42aa0 > frame pointer = 0x28:0xfffffe00c3c42ac0 > code segment = base 0x0, limit 0xfffff, type 0x1b > = DPL 0, pres 1, long 1, def32 0, gran 1 > processor eflags = interrupt enabled, resume, IOPL = 0 > current process = 13 (g_event) > [ thread pid 13 tid 100013 ] > Stopped at uma_dbg_free+0x11d: divq %rsi,%eax > db> where > Tracing pid 13 tid 100013 td 0xfffff80002a1da40 > uma_dbg_free() at uma_dbg_free+0x11d/frame 0xfffffe00c3c42ac0 > uma_zfree_arg() at uma_zfree_arg+0xbc/frame 0xfffffe00c3c42b10 > g_raid_init() at g_raid_init+0xf7/frame 0xfffffe00c3c42b40 > g_load_class() at g_load_class+0x155/frame 0xfffffe00c3c42b70 > g_run_events() at g_run_events+0x317/frame 0xfffffe00c3c42bb0 > fork_exit() at fork_exit+0x84/frame 0xfffffe00c3c42bf0 > fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00c3c42bf0 > --- trap 0, rip = 0, rsp = 0, rbp = 0 --- > > Reading symbols from /boot/kernel/geom_raid.ko...Reading symbols from /usr/lib/debug//boot/kernel/geom_raid.ko.debug...done. > done.
> Loaded symbols for /boot/kernel/geom_raid.ko > #0 doadump (textdump=0) at pcpu.h:222 > 222 pcpu.h: No such file or directory. > in pcpu.h > (kgdb) where > #0 doadump (textdump=0) at pcpu.h:222 > #1 0xffffffff80373dbb in db_dump (dummy=<value optimized out>, > dummy2=<value optimized out>, dummy3=<value optimized out>, > dummy4=<value optimized out>) at /usr/src/sys/ddb/db_command.c:533 > #2 0xffffffff80373baf in db_command (cmd_table=<value optimized out>) > at /usr/src/sys/ddb/db_command.c:440 > #3 0xffffffff803738e4 in db_command_loop () > at /usr/src/sys/ddb/db_command.c:493 > #4 0xffffffff8037693f in db_trap (type=<value optimized out>, > code=<value optimized out>) at /usr/src/sys/ddb/db_main.c:248 > #5 0xffffffff80917443 in kdb_trap (type=18, code=0, tf=<value optimized out>) > at /usr/src/sys/kern/subr_kdb.c:654 > #6 0xffffffff80baf5c2 in trap_fatal (frame=0xfffffe00c3c429e0, eva=0) > at /usr/src/sys/amd64/amd64/trap.c:796 > #7 0xffffffff80baebce in trap (frame=0xfffffe00c3c429e0) at pcpu.h:222 > #8 0xffffffff80b910f1 in calltrap () > at /usr/src/sys/amd64/amd64/exception.S:236 > #9 0xffffffff80b5c46d in uma_dbg_free (zone=0xfffff80002decc00, > slab=0xfffffe0078366f90, item=0xfffffe0078357000) > at /usr/src/sys/vm/uma_core.c:3601 > #10 0xffffffff80b5bf6c in uma_zfree_arg (zone=0xfffff80002decc00, > item=0xfffffe0078357000, udata=0x0) at pcpu.h:222 > #11 0xffffffff81a19327 in g_raid_init (mp=0xffffffff81a4cbb8) at uma.h:364 > ---Type <return> to continue, or q <return> to quit--- > #12 0xffffffff80851b25 in g_load_class (arg=<value optimized out>, > flag=<value optimized out>) at /usr/src/sys/geom/geom_subr.c:124 > #13 0xffffffff8084e1c7 in g_run_events () at /usr/src/sys/geom/geom_event.c:264 > #14 0xffffffff80898864 in fork_exit ( > callout=0xffffffff80850460 <g_event_procbody>, arg=0x0, > frame=0xfffffe00c3c42c00) at /usr/src/sys/kern/kern_fork.c:1040 > #15 0xffffffff80b9162e in fork_trampoline () > at /usr/src/sys/amd64/amd64/exception.S:611 > #16 
0x0000000000000000 in ?? () > Current language: auto; currently minimal > (kgdb) f 9 > #9 0xffffffff80b5c46d in uma_dbg_free (zone=0xfffff80002decc00, > slab=0xfffffe0078366f90, item=0xfffffe0078357000) > at /usr/src/sys/vm/uma_core.c:3601 > 3601 freei = ((uintptr_t)item - (uintptr_t)slab->us_data) / keg->uk_rsize; > (kgdb) p *slab > $1 = {us_keg = 0xfffff80002def410, us_type = {_us_link = {le_next = 0x0, > le_prev = 0xfffff80002def528}, _us_size = 0}, us_hlink = { > sle_next = 0x0}, > us_data = 0xfffffe0078357000 '\020' <repeats 200 times>..., us_free = { > __bits = 0xfffffe0078366fb8}, us_debugfree = { > __bits = 0xfffffe0078366fd8}, us_freecount = 0, us_flags = 2 '\002', > us_pad = 0 '\0'} > (kgdb) p keg > $2 = 0xfffff80002def410 > (kgdb) p *keg > $3 = {uk_lock = {lock_object = {lo_name = 0x0, lo_flags = 2162372662, > lo_data = 4294967295, lo_witness = 0xfffff80002def180}, > mtx_lock = 18446735277664695712}, uk_hash = { > uh_slab_hash = 0xfffffe0077a23f80, uh_hashsize = 4, uh_hashmask = 0}, > uk_zones = {lh_first = 0x0}, uk_part_slab = {lh_first = 0x0}, > uk_free_slab = {lh_first = 0x0}, uk_full_slab = {lh_first = 0x0}, > uk_align = 0, uk_pages = 0, uk_free = 0, uk_reserve = 0, uk_size = 0, > uk_rsize = 0, uk_maxpages = 0, uk_init = 0, uk_fini = 0, uk_allocf = 0, > uk_freef = 0, uk_offset = 0, uk_kva = 0, uk_slabzone = 0xfffff80002decc00, > uk_pgoff = 0, uk_ppera = 0, uk_ipers = 0, uk_flags = 0, > uk_name = 0xfffffe0078366f90 "\020\002", uk_link = { > le_next = 0x2000000000, le_prev = 0x0}} > >Obtained from: ElectroBSD >--- > sys/geom/raid/g_raid.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > >diff --git a/sys/geom/raid/g_raid.c b/sys/geom/raid/g_raid.c >index e590e356c53a..36e5036104c0 100644 >--- a/sys/geom/raid/g_raid.c >+++ b/sys/geom/raid/g_raid.c 
>@@ -2478,10 +2478,26 @@ g_raid_shutdown_post_sync(void *arg, int howto)
> g_topology_unlock();
> }
>
>+static int uma_test_zone_item_size = 129024;
>+SYSCTL_UINT(_kern_geom_raid, OID_AUTO, uma_test_zone_item_size, CTLFLAG_RWTUN,
>+ &uma_test_zone_item_size, 0, "Item size for uma test zone");
>+
> static void
> g_raid_init(struct g_class *mp)
> {
>+ uma_zone_t uma_test_zone;
>+ void *p;
>+ static int i;
>+
>+ uma_test_zone = uma_zcreate("uma_test", uma_test_zone_item_size, NULL, NULL,
>+ NULL, NULL, 0, UMA_ZONE_NOFREE);
>
>+ for (i = 0; i <= uma_test_zone_item_size; i++) {
>+ p = uma_zalloc(uma_test_zone, M_WAITOK);
>+ memset(p, 0x10, i);
>+ G_RAID_DEBUG(1, "Freeing item after filling %d bytes.", i);
>+ uma_zfree(uma_test_zone, p);
>+ }
> g_raid_post_sync = EVENTHANDLER_REGISTER(shutdown_post_sync,
> g_raid_shutdown_post_sync, mp, SHUTDOWN_PRI_FIRST);
> if (g_raid_post_sync == NULL)
>--
>2.12.1
>
>
>From 3c2e2c07a397ac49c1349fb0151ce21896932a2f Mon Sep 17 00:00:00 2001
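Review bot: `uma_test_zone_item_size` is declared `static int` but exported with `SYSCTL_UINT`, which takes an `unsigned int *`, and because the node is `CTLFLAG_RWTUN` an operator can store a value of 2^31 or larger that the C side reads back as a negative `int`: `uma_zcreate()` then receives it widened to a huge `size_t` while `i <= uma_test_zone_item_size` is false at once, so the reproducer would create a bogus zone and run zero iterations. Keeping the two declarations consistent, `static unsigned int uma_test_zone_item_size = 129024;` with a matching `unsigned int i`, and rejecting a zero size before the `uma_zcreate()` call avoids that. The result of `uma_zalloc(..., M_WAITOK)` goes straight into `memset()`; for a zone without a limit that is presumably safe, but a `KASSERT(p != NULL, ("uma_test: allocation failed"))` would record the assumption. `g_raid_init()` continues past the last context line of this hunk.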
>From: Fabian Keil <fk@fabiankeil.de> >Date: Wed, 26 Apr 2017 10:27:09 +0200 >Subject: [PATCH 2/3] sys/geom/raid: Remove UMA_ZONE_NOFREE to trigger the > panic without touching the item first > >This results in: > > (kgdb) where > #0 __curthread () at ./machine/pcpu.h:222 > #1 doadump (textdump=1) at /usr/src/sys/kern/kern_shutdown.c:298 > #2 0xffffffff80555465 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:366 > #3 0xffffffff80555a40 in vpanic (fmt=<optimized out>, ap=0xfffffe0113d69980) at /usr/src/sys/kern/kern_shutdown.c:759 > #4 0xffffffff80555876 in kassert_panic (fmt=0xffffffff808c521f "Assertion %s failed at %s:%d") at /usr/src/sys/kern/kern_shutdown.c:649 > #5 0xffffffff807dd333 in keg_fetch_slab (keg=0xfffff80005b52480, zone=0xfffff80005b53700, flags=2) at /usr/src/sys/vm/uma_core.c:2343 > #6 0xffffffff807dc9ae in zone_fetch_slab (zone=0xfffff80005b53700, keg=0xfffff80005b52480, flags=2) at /usr/src/sys/vm/uma_core.c:2368 > #7 0xffffffff807dca40 in zone_import (zone=0xfffff80005b53700, bucket=0xfffff800d7eae9f8, max=1, flags=2) at /usr/src/sys/vm/uma_core.c:2494 > #8 0xffffffff807d9341 in zone_alloc_bucket (zone=0xfffff80005b53700, udata=0x0, flags=2) at /usr/src/sys/vm/uma_core.c:2524 > #9 uma_zalloc_arg (zone=0xfffff80005b53700, udata=0x0, flags=<optimized out>) at /usr/src/sys/vm/uma_core.c:2250 > #10 0xffffffff8182329f in uma_zalloc (flags=2, zone=<optimized out>) at /usr/src/sys/vm/uma.h:336 > #11 g_raid_init (mp=0xffffffff81856838 <g_raid_class>) at /usr/src/sys/modules/geom/geom_raid/../../../geom/raid/g_raid.c:2496 > #12 0xffffffff804d1125 in g_load_class (arg=<optimized out>, flag=<optimized out>) at /usr/src/sys/geom/geom_subr.c:124 > #13 0xffffffff804cd7c7 in one_event () at /usr/src/sys/geom/geom_event.c:264 > #14 g_run_events () at /usr/src/sys/geom/geom_event.c:286 > #15 0xffffffff80517e64 in fork_exit (callout=0xffffffff804cfa60 <g_event_procbody>, arg=0x0, frame=0xfffffe0113d69c00) at /usr/src/sys/kern/kern_fork.c:1040 > 
#16 <signal handler called> > (kgdb) f 12 > #12 0xffffffff804d1125 in g_load_class (arg=<optimized out>, flag=<optimized out>) at /usr/src/sys/geom/geom_subr.c:124 > warning: Source file is more recent than executable. > 124 mp->init(mp); > (kgdb) f 5 > #5 0xffffffff807dd333 in keg_fetch_slab (keg=0xfffff80005b52480, zone=0xfffff80005b53700, flags=2) at /usr/src/sys/vm/uma_core.c:2343 > warning: Source file is more recent than executable. > 2343 MPASS(slab->us_keg == keg); > (kgdb) p slab->us_keg > $1 = (uma_keg_t) 0xdeadc0dedeadc0de > (kgdb) f 9 > #9 uma_zalloc_arg (zone=0xfffff80005b53700, udata=0x0, flags=<optimized out>) at /usr/src/sys/vm/uma_core.c:2250 > 2250 bucket = zone_alloc_bucket(zone, udata, flags); > (kgdb) p zone > $2 = (uma_zone_t) 0xfffff80005b53700 > (kgdb) p *zone > $3 = {uz_lock = {lock_object = {lo_name = 0xffffffff8184f85a "uma_test", lo_flags = 21168128, lo_data = 0, lo_witness = 0xfffffe0000a0cf80}, mtx_lock = 4}, uz_lockptr = 0xfffff80005b52480, > uz_name = 0xffffffff8184f85a "uma_test", uz_link = {le_next = 0x0, le_prev = 0xfffff80005b52510}, uz_buckets = {lh_first = 0x0}, uz_kegs = {lh_first = 0xfffff80005b537b0}, uz_klink = {kl_link = {le_next = 0x0, > le_prev = 0xfffff80005b537a8}, kl_keg = 0xfffff80005b52480}, uz_slab = 0xffffffff807dc940 <zone_fetch_slab>, uz_ctor = 0xffffffff807dd730 <trash_ctor>, uz_dtor = 0xffffffff807dd780 <trash_dtor>, uz_init = 0x0, > uz_fini = 0x0, uz_import = 0xffffffff807dc9f0 <zone_import>, uz_release = 0xffffffff807dcc90 <zone_release>, uz_arg = 0xfffff80005b53700, uz_flags = 0, uz_size = 129024, uz_allocs = 0, uz_fails = 0, uz_frees = 0, > uz_sleeps = 0, uz_count = 1, uz_count_min = 1, uz_warning = 0x0, uz_ratecheck = {tv_sec = 0, tv_usec = 0}, uz_maxaction = {ta_link = {stqe_next = 0x0}, ta_pending = 0, ta_priority = 0, ta_func = 0x0, ta_context = 0x0}, > uz_cpu = {{uc_freebucket = 0x0, uc_allocbucket = 0x0, uc_allocs = 0, uc_frees = 0}}} > (kgdb) f 11 > #11 g_raid_init (mp=0xffffffff81856838 
<g_raid_class>) at /usr/src/sys/modules/geom/geom_raid/../../../geom/raid/g_raid.c:2496
> 2496 p = uma_zalloc(uma_test_zone, M_WAITOK);
> (kgdb) p i
> $4 = 0
> (kgdb) l -
> 2491
> 2492 uma_test_zone = uma_zcreate("uma_test", uma_test_zone_item_size, NULL, NULL,
> 2493 NULL, NULL, 0, 0);
> 2494
> 2495 for (i = 0; i <= uma_test_zone_item_size; i++) {
> 2496 p = uma_zalloc(uma_test_zone, M_WAITOK);
> 2497 memset(p, 0x10, i);
> 2498 G_RAID_DEBUG(1, "Freeing item after filling %d bytes.", i);
> 2499 uma_zfree(uma_test_zone, p);
> 2500 }
>
>NB: Setting UMA_ZONE_OFFPAGE|UMA_ZONE_HASH works around the problem.
>
>Obtained from: ElectroBSD
>---
> sys/geom/raid/g_raid.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/sys/geom/raid/g_raid.c b/sys/geom/raid/g_raid.c
>index 36e5036104c0..11f1fc106f0c 100644
>--- a/sys/geom/raid/g_raid.c
>+++ b/sys/geom/raid/g_raid.c
>@@ -2490,7 +2490,7 @@ g_raid_init(struct g_class *mp)
> static int i;
>
> uma_test_zone = uma_zcreate("uma_test", uma_test_zone_item_size, NULL, NULL,
>- NULL, NULL, 0, UMA_ZONE_NOFREE);
>+ NULL, NULL, 0, 0);
>
> for (i = 0; i <= uma_test_zone_item_size; i++) {
> p = uma_zalloc(uma_test_zone, M_WAITOK);
>--
>2.12.1
>
>
>From 37635941f923458dd775f2da5d671134e5d01241 Mon Sep 17 00:00:00 2001
>From: Fabian Keil <fk@fabiankeil.de>
>Date: Wed, 26 Apr 2017 13:29:43 +0200
>Subject: [PATCH 3/3] sys/geom/raid: Factor out uma_test() and improve debug
> messages
>
>Obtained from: ElectroBSD
>---
> sys/geom/raid/g_raid.c | 24 +++++++++++++++++++-----
> 1 file changed, 19 insertions(+), 5 deletions(-)
>
>diff --git a/sys/geom/raid/g_raid.c b/sys/geom/raid/g_raid.c
>index 11f1fc106f0c..45c4392e8fed 100644
>--- a/sys/geom/raid/g_raid.c
>+++ b/sys/geom/raid/g_raid.c
>@@ -2481,23 +2481,37 @@ g_raid_shutdown_post_sync(void *arg, int howto)
> static int uma_test_zone_item_size = 129024;
> SYSCTL_UINT(_kern_geom_raid, OID_AUTO, uma_test_zone_item_size, CTLFLAG_RWTUN,
> &uma_test_zone_item_size, 0, "Item size for uma test zone");
>-
>-static void
>-g_raid_init(struct g_class *mp)
>+static void uma_test(void)
> {
> uma_zone_t uma_test_zone;
> void *p;
> static int i;
>+ static int zone_item_size;
>
>- uma_test_zone = uma_zcreate("uma_test", uma_test_zone_item_size, NULL, NULL,
>+ zone_item_size = uma_test_zone_item_size;
>+
>+ G_RAID_DEBUG(1, "Creating uma zone with item size: %d",
>+ zone_item_size);
>+ uma_test_zone = uma_zcreate("uma_test", zone_item_size, NULL, NULL,
> NULL, NULL, 0, 0);
>
>- for (i = 0; i <= uma_test_zone_item_size; i++) {
>+ for (i = 0; i <= zone_item_size; i++) {
> p = uma_zalloc(uma_test_zone, M_WAITOK);
> memset(p, 0x10, i);
> G_RAID_DEBUG(1, "Freeing item after filling %d bytes.", i);
> uma_zfree(uma_test_zone, p);
> }
>+
>+ G_RAID_DEBUG(1, "Destroying uma zone with item size: %d",
>+ zone_item_size);
>+ uma_zdestroy(uma_test_zone);
>+}
>+
>+static void
>+g_raid_init(struct g_class *mp)
>+{
>+
>+ uma_test();
> g_raid_post_sync = EVENTHANDLER_REGISTER(shutdown_post_sync,
> g_raid_shutdown_post_sync, mp, SHUTDOWN_PRI_FIRST);
> if (g_raid_post_sync == NULL)
>--
>2.12.1
>
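Review bot: `uma_test()` carries no comment saying it is a throwaway reproducer for the UMA corruption rather than graid functionality, and `zone_item_size = uma_test_zone_item_size;` is the one line whose purpose is not obvious: the sysctl is `CTLFLAG_RWTUN`, so reading it once keeps the `uma_zcreate()` size and the `memset()` bound consistent even if the tunable is written while the loop runs. I would add a short header comment above `static void uma_test(void)` (creates a zone with the tunable's item size, fills and frees one item for every length up to that size, then destroys the zone) and annotate the snapshot with `/* Read the RWTUN tunable once so the loop bound matches the zone's item size. */`. The mismatch between `static int uma_test_zone_item_size` and `SYSCTL_UINT` survives the refactor, so `zone_item_size` (also `int`) goes negative for tunable values of 2^31 and up; declaring both `unsigned int` and printing them with `%u` would close that. As a point of style, `static void uma_test(void)` puts storage class, return type and name on one line while `g_raid_init()` in the same hunk splits them over two lines per style(9).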