Date: Tue, 05 Feb 2019 18:52:38 +0000
From: bugzilla-noreply@freebsd.org
To: ppc@FreeBSD.org
Subject: [Bug 233377] [PowerPC64] Panic during high disk I/O activity
Message-ID: <bug-233377-21-KQJGrwM8jT@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-233377-21@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233377

--- Comment #12 from Mark Johnston <markj@FreeBSD.org> ---
(In reply to Leandro Lupori from comment #11)

Prior to rXXXXXX, zone_alloc_bucket() did:

    max = MIN(bucket->ub_entries, zone->uz_count);
    bucket->ub_cnt = zone->uz_import(zone->uz_arg, bucket->ub_bucket, max,
        domain, flags);

However, the zone lock is not held at this point, so uz_count may change.
In particular, since MIN is a macro that evaluates its arguments twice, I
believe it's possible for max to end up being larger than
bucket->ub_entries, which would result in a use-after-free.

r343026 fixed this problem as part of some refactoring, so that might
explain why you don't see it anymore.

-- 
You are receiving this mail because:
You are the assignee for the bug.
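The double-evaluation hazard described in the comment above, as an added, constructed example that is not part of the bug report or of FreeBSD's UMA code. MIN is written with the same shape as the sys/param.h macro; struct uma_bucket, struct uz_count_sim, read_uz_count() and the two-value sequence {64, 256} are hypothetical stand-ins that replay one possible interleaving deterministically: another CPU raises uz_count between the macro's comparison and its result expression, because the zone lock is not held. The "fixed" variant shows one way to remove the double read (snapshot the count into a local before clamping); it is an illustration, not a claim about what r343026 does.

```c
#include <stdio.h>

/* Same shape as sys/param.h's MIN. When the second operand is selected it
 * is evaluated twice: once in the comparison and once as the result. A
 * concurrently changing argument can therefore be read twice with
 * different values. */
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

#define UB_ENTRIES 128

/* Hypothetical, simplified stand-in for the UMA bucket. */
struct uma_bucket {
    int ub_cnt;
    int ub_entries;                 /* capacity of ub_bucket[] */
    void *ub_bucket[UB_ENTRIES];
};

/* Simulated reads of zone->uz_count: the n-th read returns counts[n],
 * modelling a writer changing uz_count between two reads. */
struct uz_count_sim {
    const int *counts;
    int ncounts;
    int nreads;
};

static int read_uz_count(struct uz_count_sim *s)
{
    int idx = s->nreads < s->ncounts ? s->nreads : s->ncounts - 1;
    s->nreads++;
    return s->counts[idx];
}

/* Racy shape: the macro argument is re-evaluated, so the value compared
 * against ub_entries is not necessarily the value returned. */
static int max_racy(struct uma_bucket *b, struct uz_count_sim *s)
{
    return MIN(b->ub_entries, read_uz_count(s));
}

/* One fix: read uz_count exactly once into a local, then clamp. Both macro
 * arguments are now plain variables, so the result can never exceed
 * ub_entries. */
static int max_fixed(struct uma_bucket *b, struct uz_count_sim *s)
{
    int cnt = read_uz_count(s);
    return MIN(b->ub_entries, cnt);
}

/* uz_import would write up to max pointers into ub_bucket[]; a max larger
 * than ub_entries means it writes past the end of the array. */
static int would_overrun(const struct uma_bucket *b, int max)
{
    return max > b->ub_entries;
}

/* Constructed interleaving: the comparison reads 64 (so the uz_count
 * branch is chosen), the result expression re-reads and gets 256. */
static int demo_racy_max(void)
{
    static const int counts[] = { 64, 256 };
    struct uma_bucket b = { .ub_cnt = 0, .ub_entries = UB_ENTRIES };
    struct uz_count_sim s = { counts, 2, 0 };
    return max_racy(&b, &s);
}

/* Same interleaving against the single-read version. */
static int demo_fixed_max(void)
{
    static const int counts[] = { 64, 256 };
    struct uma_bucket b = { .ub_cnt = 0, .ub_entries = UB_ENTRIES };
    struct uz_count_sim s = { counts, 2, 0 };
    return max_fixed(&b, &s);
}

/* How many times the racy version read uz_count for that interleaving. */
static int demo_racy_reads(void)
{
    static const int counts[] = { 64, 256 };
    struct uma_bucket b = { .ub_cnt = 0, .ub_entries = UB_ENTRIES };
    struct uz_count_sim s = { counts, 2, 0 };
    (void)max_racy(&b, &s);
    return s.nreads;
}

int main(void)
{
    struct uma_bucket b = { .ub_cnt = 0, .ub_entries = UB_ENTRIES };
    int racy = demo_racy_max();

    printf("racy max = %d, bucket has %d slots, overrun = %d\n",
        racy, UB_ENTRIES, would_overrun(&b, racy));
    printf("fixed max = %d\n", demo_fixed_max());
    return 0;
}
```

The point to take from the simulation is that the failure needs no exotic compiler behaviour: with the FreeBSD macro the expression `MIN(x, f())` is simply `(x < f()) ? x : f()`, so any argument whose value can change between the two calls, whether through a side effect or through an unlocked concurrent write, can produce a result that was never compared against the bound.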
