Date: Thu, 31 Jan 2019 17:52:48 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r343616 - head/sys/vm Message-ID: <201901311752.x0VHqmmq034576@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: glebius Date: Thu Jan 31 17:52:48 2019 New Revision: 343616 URL: https://svnweb.freebsd.org/changeset/base/343616 Log: In zone_alloc_bucket() max argument was calculated based on uz_count. Then bucket_alloc() also selects bucket size based on uz_count. However, since zone lock is dropped, uz_count may reduce. In this case max may be greater than ub_entries and that would yield into writing beyond end of the allocation. Reported by: pho Modified: head/sys/vm/uma_core.c Modified: head/sys/vm/uma_core.c ============================================================================== --- head/sys/vm/uma_core.c Thu Jan 31 17:06:59 2019 (r343615) +++ head/sys/vm/uma_core.c Thu Jan 31 17:52:48 2019 (r343616) @@ -2844,7 +2844,7 @@ zone_alloc_bucket(uma_zone_t zone, void *udata, int do return (NULL); bucket->ub_cnt = zone->uz_import(zone->uz_arg, bucket->ub_bucket, - max, domain, flags); + MIN(max, bucket->ub_entries), domain, flags); /* * Initialize the memory if necessary.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201901311752.x0VHqmmq034576>