Nice find!
Jonathan
On Wed, Nov 7, 2018 at 6:28 PM Mark Johnston wrote:
> Author: markj
> Date: Wed Nov 7 23:28:11 2018
> New Revision: 340241
> URL: https://svnweb.freebsd.org/changeset/base/340241
>
> Log:
> Fix a use-after-free in swp_pager_meta_free().
>
> This was introduced in r326329 and explains the crashes mentioned in
> the commit log message for r339934. In particular, on INVARIANTS
> kernels, UMA trashing causes the loop to exit early, leaving swap
> blocks behind when they should have been freed. After r336984 this
> became more problematic since new anonymous mappings were more
> likely to reuse swapped-out subranges of existing VM objects, so faults
> would trigger pageins of freed memory rather than returning zeroed
> pages.
>
> Reviewed by: kib
> MFC after: 3 days
> Sponsored by: The FreeBSD Foundation
> Differential Revision: https://reviews.freebsd.org/D17897
>
> Modified:
> head/sys/vm/swap_pager.c
>
> Modified: head/sys/vm/swap_pager.c
>
> ==
> --- head/sys/vm/swap_pager.cWed Nov 7 21:36:52 2018(r340240)
> +++ head/sys/vm/swap_pager.cWed Nov 7 23:28:11 2018(r340241)
> @@ -1972,13 +1972,13 @@ swp_pager_meta_free(vm_object_t object,
> vm_pindex_t pi
> swp_pager_update_freerange(_free, _free,
> sb->d[i]);
> sb->d[i] = SWAPBLK_NONE;
> }
> + pindex = sb->p + SWAP_META_PAGES;
> if (swp_pager_swblk_empty(sb, 0, start) &&
> swp_pager_swblk_empty(sb, limit, SWAP_META_PAGES)) {
> SWAP_PCTRIE_REMOVE(>un_pager.swp.swp_blks,
> sb->p);
> uma_zfree(swblk_zone, sb);
> }
> - pindex = sb->p + SWAP_META_PAGES;
> }
> swp_pager_freeswapspace(s_free, n_free);
> }
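Review bot: the ordering change is the whole fix and is correct as placed: `pindex = sb->p + SWAP_META_PAGES;` now executes before the `uma_zfree(swblk_zone, sb);` that may release `sb`, so the next iteration's lookup no longer depends on a freed (and, on INVARIANTS kernels, UMA-trashed) `sb->p`. Suggest a one-line comment above the moved assignment stating that `sb` may be freed by the empty-block check below, so a later cleanup does not drift the read back past the free. Separately, the context lines as rendered here read `swp_pager_update_freerange(_free, _free,` and `SWAP_PCTRIE_REMOVE(>un_pager.swp.swp_blks,`, which look like `&`-prefixed arguments lost in the mail rendering; compare against the linked svnweb revision rather than reading those lines literally.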
>
>
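The mechanism the log describes (a loop that derives its next lookup key from a block it has just freed, so that UMA trashing of the freed memory makes the loop stop early and leave swap blocks behind) can be shown without touching kernel code. The following is an added example, not part of r340241 or the FreeBSD sources: a toy object holding eight swap-block descriptors, a lookup that mimics "smallest block with p >= pindex", and a "free" that only marks the block unused and overwrites its fields with a constructed trash pattern, standing in for what UMA does on INVARIANTS kernels. All names (`swblk_t`, `vmobj_t`, `lookup_ge`, `zfree_trash`, `meta_free_count`) and constants are assumptions of this example; the pre-fix and post-fix orderings correspond to the two positions of the `pindex` assignment in the hunk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define META_PAGES 32u          /* pages covered by one block (stand-in for SWAP_META_PAGES) */
#define NBLKS 8                 /* blocks in the toy object */
#define TRASH 0xdeadc0deu       /* constructed trash pattern, like UMA trashing on free */

typedef struct swblk {
    uint32_t p;                 /* first page index covered by this block */
    bool in_use;                /* false once "freed"; memory stays mapped in this toy */
} swblk_t;

typedef struct vmobj {
    swblk_t blks[NBLKS];
} vmobj_t;

/* Smallest in-use block with p >= pindex (mimics the radix-trie LOOKUP_GE). */
static swblk_t *lookup_ge(vmobj_t *o, uint32_t pindex) {
    swblk_t *best = NULL;
    for (int i = 0; i < NBLKS; i++) {
        swblk_t *sb = &o->blks[i];
        if (sb->in_use && sb->p >= pindex && (best == NULL || sb->p < best->p))
            best = sb;
    }
    return best;
}

/* "Free" a block: mark it unused and trash its contents, as an INVARIANTS UMA would. */
static void zfree_trash(swblk_t *sb) {
    sb->in_use = false;
    sb->p = TRASH;
}

static void init_obj(vmobj_t *o) {
    for (int i = 0; i < NBLKS; i++) {
        o->blks[i].p = (uint32_t)i * META_PAGES;
        o->blks[i].in_use = true;
    }
}

/*
 * Free every block covering [start, end) and return how many were freed.
 * read_after_free == true reproduces the pre-r340241 ordering (pindex is
 * derived from sb->p after sb has been freed); false is the fixed ordering.
 */
int meta_free_count(uint32_t start, uint32_t end, bool read_after_free) {
    vmobj_t obj;
    init_obj(&obj);

    int freed = 0;
    uint32_t pindex = start;
    swblk_t *sb;
    while ((sb = lookup_ge(&obj, pindex)) != NULL && sb->p < end) {
        if (!read_after_free)
            pindex = sb->p + META_PAGES;    /* fixed: read p while sb is live */
        zfree_trash(sb);
        freed++;
        if (read_after_free)
            pindex = sb->p + META_PAGES;    /* bug: p is now trash, key jumps past every block */
    }
    return freed;
}

/* Blocks still marked in use after a meta_free_count() over the whole range. */
int blocks_left_behind(bool read_after_free) {
    return NBLKS - meta_free_count(0, NBLKS * META_PAGES, read_after_free);
}

int main(void) {
    printf("fixed ordering : freed %d, left %d\n",
           meta_free_count(0, NBLKS * META_PAGES, false), blocks_left_behind(false));
    printf("buggy ordering : freed %d, left %d\n",
           meta_free_count(0, NBLKS * META_PAGES, true), blocks_left_behind(true));
    return 0;
}
```

With the trash pattern larger than any real page index, the buggy ordering frees exactly one block and then finds nothing at or above the garbage key, which is the "loop exits early, leaving swap blocks behind" symptom from the log; the fixed ordering walks all eight. On a non-INVARIANTS kernel the freed memory would usually still hold the old `p`, which is why the bug hid until trashing and the r336984 reuse pattern made it visible.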
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head