From owner-freebsd-bugs@FreeBSD.ORG  Tue Jun  1 11:50:23 2004
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 91D0516A4CE
	for <freebsd-bugs@hub.freebsd.org>;
	Tue,  1 Jun 2004 11:50:23 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6FF4043D46
	for <freebsd-bugs@hub.freebsd.org>;
	Tue,  1 Jun 2004 11:50:23 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	i51IoNuG088760	for <freebsd-bugs@freefall.freebsd.org>;
	Tue, 1 Jun 2004 11:50:23 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.11/8.12.11/Submit) id i51IoNNZ088759;
	Tue, 1 Jun 2004 11:50:23 -0700 (PDT)
	(envelope-from gnats)
Resent-Date: Tue, 1 Jun 2004 11:50:23 -0700 (PDT)
Resent-Message-Id: <200406011850.i51IoNNZ088759@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Uwe Doering <gemini@geminix.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5BBBA16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue,  1 Jun 2004 11:47:21 -0700 (PDT)
Received: from gen129.n001.c02.escapebox.net (gen129.n001.c02.escapebox.net
	[213.73.91.129])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1273F43D46
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue,  1 Jun 2004 11:47:21 -0700 (PDT)
	(envelope-from gemini@geminix.org)
Received: from gemini by geminix.org with local (Exim 3.36 #1)
	id 1BVEI8-0009i8-00; Tue, 01 Jun 2004 20:47:16 +0200
Message-Id: <E1BVEI8-0009i8-00@geminix.org>
Date: Tue, 01 Jun 2004 20:47:16 +0200
From: Uwe Doering <gemini@geminix.org>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: kern/67460: pmap_prefault_pageorder array initialization is broken
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Uwe Doering <gemini@geminix.org>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Jun 2004 18:50:23 -0000


>Number:         67460
>Category:       kern
>Synopsis:       pmap_prefault_pageorder array initialization is broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 01 11:50:22 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Uwe Doering
>Release:        FreeBSD 4.5-RELEASE i386
>Organization:
EscapeBox - Managed On-Demand UNIX Servers
>Environment:
System: FreeBSD geminix.org 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Thu May 27 11:49:01 GMT 2004 root@localhost:/STABLE_Enhanced_Edition i386

>Description:
There is a comma missing in the table initializing the
pmap_prefault_pageorder array.  This has two effects:

1. The resulting bogus contents of the array thwarts part of the
optimization effect pmap_prefault() is supposed to have.

2. The resulting array is only 7 elements long (auto-sized), while
pmap_prefault() expects it to be the intended 8 elements.  So this
function in fact accesses memory beyond the end of the array.
Fortunately though, if the data at this location is out of bounds it
will be ignored.

This bug dates back more than 6 years.  It has been introduced in
revision 1.178.  Please note that pmap.c for alpha is broken in the
same way.

>How-To-Repeat:
Look at what's actually in the array:

  gdb -k /kernel
  (kgdb) print (&pmap_prefault_pageorder)[0]
  (kgdb) print (&pmap_prefault_pageorder)[1]
    ...
  (kgdb) print (&pmap_prefault_pageorder)[7]

>Fix:
Please consider the following patch:

--- pmap.c.diff begins here ---
--- src/sys/i386/i386/pmap.c.orig	Sun Jan 13 12:30:58 2002
+++ src/sys/i386/i386/pmap.c	Tue Jun  1 19:20:46 2004
@@ -2464,7 +2464,7 @@
 static int pmap_prefault_pageorder[] = {
 	-PAGE_SIZE, PAGE_SIZE,
 	-2 * PAGE_SIZE, 2 * PAGE_SIZE,
-	-3 * PAGE_SIZE, 3 * PAGE_SIZE
+	-3 * PAGE_SIZE, 3 * PAGE_SIZE,
 	-4 * PAGE_SIZE, 4 * PAGE_SIZE
 };
 
--- pmap.c.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: