Date: Tue, 05 Feb 2019 18:52:38 +0000
From: bugzilla-noreply@freebsd.org
To: ppc@FreeBSD.org
Subject: [Bug 233377] [PowerPC64] Panic during high disk I/O activity
Message-ID: <bug-233377-21-KQJGrwM8jT@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-233377-21@https.bugs.freebsd.org/bugzilla/>
References: <bug-233377-21@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233377

--- Comment #12 from Mark Johnston <markj@FreeBSD.org> ---

(In reply to Leandro Lupori from comment #11)

Prior to rXXXXXX, zone_alloc_bucket() did:

    max = MIN(bucket->ub_entries, zone->uz_count);
    bucket->ub_cnt = zone->uz_import(zone->uz_arg, bucket->ub_bucket, max, domain, flags);

However, the zone lock is not held at this point, so uz_count may change. In particular, since MIN is a macro that evaluates its arguments twice, I believe it's possible for max to end up being larger than bucket->ub_entries, which would result in a use-after-free.

r343026 fixed this problem as part of some refactoring, so that might explain why you don't see it anymore.

-- 
You are receiving this mail because:
You are the assignee for the bug.
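The interleaving the comment describes, as an added example that is not part of the bug thread and not FreeBSD's UMA code: a double-evaluating MIN() reads an unlocked count twice, a writer raises the count between the two reads, and the clamp comes out larger than the bucket. The struct sim_zone, read_uz_count(), compute_max_racy(), compute_max_fixed() and import_into_bucket() names are constructed for this illustration; the racing writer is modelled deterministically inside read_uz_count() rather than with a second thread, and the simulated import counts the slots past the end of the bucket instead of writing to them. The initial count of 2, the raised count of 8 and the bucket capacity of 4 are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Double-evaluating MIN(), the form the comment describes: each argument
 * expression appears twice in the expansion.
 */
#define MIN(a, b) (((a) < (b)) ? (a) : (b))

#define UB_ENTRIES 4   /* constructed bucket capacity (bucket->ub_entries) */

/*
 * Constructed stand-in for the zone.  'bump' is the larger value that a
 * hypothetical concurrent writer stores into uz_count while the unlocked
 * reader is in the middle of evaluating MIN().
 */
struct sim_zone {
    int uz_count;
    int bump;
    int reads;
};

/*
 * Models one read of zone->uz_count by a thread that does not hold the
 * zone lock.  The simulated writer runs right after the first read, so a
 * second read of the same field observes the raised value.
 */
static int read_uz_count(struct sim_zone *z)
{
    int v = z->uz_count;

    if (z->reads++ == 0)
        z->uz_count = z->bump;
    return v;
}

/* Racy form: MIN() expands read_uz_count() twice. */
static int compute_max_racy(struct sim_zone *z)
{
    z->reads = 0;
    return MIN(UB_ENTRIES, read_uz_count(z));
}

/* Fixed form: snapshot the count once, then clamp the snapshot. */
static int compute_max_fixed(struct sim_zone *z)
{
    int count;

    z->reads = 0;
    count = read_uz_count(z);
    return MIN(UB_ENTRIES, count);
}

/*
 * Simulated uz_import(): fills up to 'max' slots of a bucket that holds
 * UB_ENTRIES pointers.  Instead of writing past the array it counts the
 * slots that a real import would have written out of bounds.
 */
static int import_into_bucket(void **bucket, int max)
{
    int overflow = 0;

    for (int i = 0; i < max; i++) {
        if (i < UB_ENTRIES)
            bucket[i] = (void *)(uintptr_t)(0x1000 + i); /* constructed item */
        else
            overflow++;
    }
    return overflow;
}

/* The clamped value itself for the constructed scenario: 8 (racy) or 2 (fixed). */
int computed_max(int use_racy_min)
{
    struct sim_zone z = { .uz_count = 2, .bump = 8, .reads = 0 };

    return use_racy_min ? compute_max_racy(&z) : compute_max_fixed(&z);
}

/*
 * Runs one allocation with uz_count == 2 and a writer that raises it to 8.
 * Returns the number of out-of-bounds slots the import would have touched:
 * 4 for the racy computation, 0 for the fixed one.
 */
int overflow_slots(int use_racy_min)
{
    struct sim_zone z = { .uz_count = 2, .bump = 8, .reads = 0 };
    void *bucket[UB_ENTRIES] = { 0 };
    int max = use_racy_min ? compute_max_racy(&z) : compute_max_fixed(&z);

    return import_into_bucket(bucket, max);
}

int main(void)
{
    printf("racy:  max=%d, out-of-bounds slots=%d\n", computed_max(1), overflow_slots(1));
    printf("fixed: max=%d, out-of-bounds slots=%d\n", computed_max(0), overflow_slots(0));
    return 0;
}
```

The racy path shows why the bug is easy to miss in review: the ternary's condition reads a count of 2, decides the bucket capacity of 4 is not the smaller value, and then re-reads the count to produce the result, by which time it is 8. Any clamp built from an unlocked shared variable needs the value copied to a local first (or the lock held across the computation); the snapshot in compute_max_fixed() is the minimal form of that.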