Date: Thu, 29 Oct 2009 16:12:00 -0700
From: Matt Reimer <mattjreimer@gmail.com>
To: fs@freebsd.org
Subject: Re: Bogus malloc in zfsboot.c?
Message-ID: <f383264b0910291612q4442a1f9x196a34c346698412@mail.gmail.com>
In-Reply-To: <f383264b0910291207t24a922aaxf03032b68786c7f6@mail.gmail.com>
References: <f383264b0910291207t24a922aaxf03032b68786c7f6@mail.gmail.com>
On Thu, Oct 29, 2009 at 12:07 PM, Matt Reimer <mattjreimer@gmail.com> wrote:
> I'm trying to debug why I suddenly can't boot an amd64 machine off a
> raidz2 pool, after using freebsd-update to go from -rc1 to rc2. I'm
> getting an error, "ZFS: out of temporary buffer space."
>
> Is zfsboot.c's malloc really correct in the way it sets up its heap?
>
>     heap_next = (char *) dmadat + sizeof(*dmadat);
>     heap_end = (char *) (640*1024);
>
> If I'm reading the code correctly, it assumes that dmadat is the last
> item in bss, and that it can use all the memory from the end of dmadat
> to 640KB.
>
> But dmadat is not the last item in bss, as zfsimpl.c gets included and
> it defines its own variables that end up in bss, with the result that
> malloc could overwrite ZFS variables.
>
> Am I reading this correctly?

Probably not; I missed this:

    dmadat = (void *)(roundup2(__base + (int32_t)&_end, 0x10000) - __base);

Matt
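The heap placement discussed in this thread, as an added C illustration (not code from zfsboot.c or the FreeBSD tree). It models the two readings side by side: the feared one, where dmadat is an ordinary bss variable with other bss data after it, and the actual one, where dmadat is placed at the next 64KB boundary past _end so the heap that follows it cannot overlap any bss. The values used for __base, &_end, the dmadat offset and sizeof(*dmadat) are constructed; ROUNDUP2 copies the roundup2() definition from sys/param.h.

```c
/* Added illustration of zfsboot.c's heap placement; not FreeBSD code.
 * All addresses below are constructed stand-ins, in physical terms. */
#include <stdint.h>
#include <stdio.h>

/* Same definition as roundup2() in FreeBSD's sys/param.h: round x up to a
 * multiple of y, where y is a power of two. */
#define ROUNDUP2(x, y) (((x) + ((y) - 1)) & (~((y) - 1)))

#define HEAP_END    (640u * 1024u)  /* zfsboot.c: heap_end = (char *)(640*1024) */
#define DMADAT_SIZE 0x1000u         /* constructed stand-in for sizeof(*dmadat) */

/* Where dmadat lands under the real scheme: the image is loaded at `base`,
 * its bss ends at offset `end_off` (&_end), and dmadat is pushed up to the
 * next 64KB boundary beyond that, exactly as the roundup2() line does. */
static uint32_t dmadat_addr(uint32_t base, uint32_t end_off) {
    return ROUNDUP2(base + end_off, 0x10000u);
}

/* heap_next = (char *)dmadat + sizeof(*dmadat) */
static uint32_t heap_start(uint32_t base, uint32_t end_off) {
    return dmadat_addr(base, end_off) + DMADAT_SIZE;
}

/* 1 if the heap [heap_start, HEAP_END) overlaps the loaded image
 * [base, base + end_off), i.e. malloc() could scribble on bss. */
static int heap_overlaps_bss(uint32_t base, uint32_t end_off) {
    uint32_t hs = heap_start(base, end_off);
    return hs < base + end_off && base < HEAP_END;
}

/* The feared reading: dmadat is just a bss variable at `dmadat_off`, and the
 * heap starts right after it. Anything in bss past that point (zfsimpl.c's
 * variables, up to end_off) would then be inside the heap. */
static int naive_heap_overlaps_bss(uint32_t dmadat_off, uint32_t end_off) {
    return dmadat_off + DMADAT_SIZE < end_off;
}

/* Bytes of temporary buffer space malloc() has to work with; 0 when the
 * rounded-up placement leaves nothing below the 640KB ceiling. */
static uint32_t heap_bytes(uint32_t base, uint32_t end_off) {
    uint32_t hs = heap_start(base, end_off);
    return hs < HEAP_END ? HEAP_END - hs : 0;
}

int main(void) {
    uint32_t base = 0x10000u, end_off = 0x9000u;  /* constructed */
    printf("dmadat at 0x%x, heap 0x%x..0x%x (%u bytes), overlaps bss: %d\n",
           dmadat_addr(base, end_off), heap_start(base, end_off), HEAP_END,
           heap_bytes(base, end_off), heap_overlaps_bss(base, end_off));
    printf("if dmadat were a plain bss variable at 0x4000: overlap %d\n",
           naive_heap_overlaps_bss(0x4000u, end_off));
    return 0;
}
```

The rounding is what makes the comparison work: with the image ending at 0x19000, dmadat is placed at 0x20000 and the heap begins above it, so nothing linked into bss can sit in the malloc region. The same function also shows the other edge: an image loaded high enough that the rounded address reaches 640KB leaves zero heap bytes, which is the shape of the "out of temporary buffer space" condition, though the thread itself does not establish that this is what happened.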