Author: glebius
Date: Thu Jan 31 17:52:48 2019
New Revision: 343616
URL: https://svnweb.freebsd.org/changeset/base/343616

Log:
  In zone_alloc_bucket() the max argument was calculated based on uz_count.
  Then bucket_alloc() also selects the bucket size based on uz_count. However,
  since the zone lock is dropped, uz_count may be reduced. In this case max may
  be greater than ub_entries, and that would result in writing beyond the end
  of the allocation.
  
  Reported by:  pho

Modified:
  head/sys/vm/uma_core.c

Modified: head/sys/vm/uma_core.c
==============================================================================
--- head/sys/vm/uma_core.c      Thu Jan 31 17:06:59 2019        (r343615)
+++ head/sys/vm/uma_core.c      Thu Jan 31 17:52:48 2019        (r343616)
@@ -2844,7 +2844,7 @@ zone_alloc_bucket(uma_zone_t zone, void *udata, int do
                return (NULL);
 
        bucket->ub_cnt = zone->uz_import(zone->uz_arg, bucket->ub_bucket,
-           max, domain, flags);
+           MIN(max, bucket->ub_entries), domain, flags);
 
        /*
         * Initialize the memory if necessary.
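Review bot: the MIN(max, bucket->ub_entries) clamp on the uz_import() call is correct as a bound on the write into bucket->ub_bucket, but nothing at the call site says why max can exceed ub_entries, so the next reader will see the clamp as redundant. Suggest a one-line comment above the uz_import() call noting that max was computed from uz_count before the zone lock was dropped and bucket_alloc() may have picked a smaller bucket since, e.g. "/* uz_count may have shrunk after max was computed; never import more than the bucket holds. */". It is also worth noting in review that the root cause is the lock being dropped between reading uz_count and sizing the bucket; the clamp removes the out-of-bounds write but leaves that race in place, so the bucket may simply be filled with fewer entries than max requested, which is the intended safe outcome here.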
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscribe@freebsd.org"