Bug 258152 - Memory modified after free
Summary: Memory modified after free
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
Reported: 2021-08-29 20:50 UTC by tschweikle
Modified: 2021-09-05 16:32 UTC (History)
CC List: 2 users

See Also:
Attachments:
backtrace (182.91 KB, text/plain), 2021-08-31 04:34 UTC, tschweikle
System info (568 bytes, text/plain), 2021-08-31 04:35 UTC, tschweikle

Description tschweikle 2021-08-29 20:50:31 UTC
panic: Memory modified after free 0xfffff801e293000(4096) val=dcadc0de @ 0xfffff801e29639c4
cpuid = 0
time = 1630263690
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe0075f3c9c0
vpanic() at vpanic+0x187/frame 0xfffffe0075f3ca80
trash_fini() at trash_fini+0x47/frame 0xfffffe0075f3ca90
keg_free_slab() at keg_free_slab+0x74/frame 0xfffffe0075f3cad0
keg_drain_domain() at keg_drain_domain+0x200/frame 0xfffffe0075f3cb10
zone_reclaim() at zone_reclaim+0x19a/frame 0xfffffe0075f3cb50
arc_reap_cb() at arc_reap_cb+0x9/frame 0xfffffe0075f3cb60
zthr_procedure() at zthr_procedure+0x9f/frame 0xfffffe0075f3cbb0
fork_exit() at fork_exit+0x80/frame 0xfffffe0075f3cbf0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0075f3cbf0
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
[ thread pid 6 tid 100070 ]
Stopped at kdb_enter+0x37: movq $0,0x127bcf3(%rip)
db > cont
Dumping 1700 out of 6122MB ...

At this time uptime was 6h+

# uname -a:
FreeBSD fbsd14.bfs.de 14.0-CURRENT FreeBSD 14.0-CURRENT #0 main-n248543-04389c855e56: Mon Aug  9 07:35:33 CEST 2021     root@fbsd14.bfs.de:/usr/obj/usr/src/amd64.amd64/sys/FBSD14  amd64

# freebsd-version -rku
14.0-CURRENT
14.0-CURRENT
14.0-CURRENT

# clang --version
FreeBSD clang version 12.0.1 (git@github.com:llvm/llvm-project.git llvmorg-12.0.1-0-gfed41342a82f)
Target: x86_64-unknown-freebsd14.0
Thread model: posix
InstalledDir: /usr/bin

# update us
Sun Aug 29 22:43:58 CEST 2021 -- "Updating source tree for fbsd14"
>>> git reset --hard origin/main
Reset to HEAD ...
HEAD is now at d98954e22981 routing: Bring back the ability to specify transmit interface via its name.
>>> git clean -ff -d -x -e /distfiles -e /packages
Cleanup ...
>>> git pull --quiet --progress
Pull ...
>>> git branch
* main
Comment 1 tschweikle 2021-08-31 04:34:11 UTC
Created attachment 227562
backtrace
Comment 2 tschweikle 2021-08-31 04:35:35 UTC
Created attachment 227563
System info
Comment 3 tschweikle 2021-08-31 04:37:09 UTC
vmcore.last is available too.
Comment 4 tschweikle 2021-08-31 04:41:02 UTC
Since this "Use after free" is not permanently generated, I was able to compile userland and kernel, then install the latest CURRENT kernel. The crash took place while installing world the first time. Second try again. Hopefully the third try will come to an end without crashing!
Comment 5 tschweikle 2021-08-31 04:43:48 UTC
I could observe these crashes with FreeBSD-13-STABLE and FreeBSD-12-STABLE too. Less often, but the same cause: "Memory use after free".