NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

port-arm/50563: pool allocator corruption due to __MUTEX_PRIVATE

>Number:         50563
>Category:       port-arm
>Synopsis:       pool allocator corruption due to __MUTEX_PRIVATE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-arm-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 15 14:30:00 +0000 2015
>Originator:     Frank Zerangue
>Release:        NetBSD-7.0-RELEASE
Darwin Franks-Mac-Pro-3.local 14.5.0 Darwin Kernel Version 14.5.0: Wed Jul 29 02:26:53 PDT 2015; root:xnu-2782.40.9~1/RELEASE_X86_64 x86_64

pool_allocator_nointr.pa_list is corrupted by mutex_init():

ARM_MMU_V6N defined

Problem occurs on a private port of the arm architecture but should be problematic on others as well where the size of struct kmutex is different when __MUTEX_PRIVATE is defined or not. 

In the latter stage of initarm(), pmap_bootstrap() is called which in turn calls pool_cache_bootstrap() with parameter palloc=NULL. Then pool_cache_bootstrap assigns palloc = &pool_allocator_nointr then calls pool_init(). Pool_init() will initialize the pool_allocator_nointr.pa_list taill queue head by calling TAILQ_INIT(). This is then followed by a call to mutex_init() to initialize pool_allocator_nointr.pa_lock. 

The problem is that subr_pool.c includes sys/pool.h with __MUTEX_PRIVATE not defined which yields a sizeof(pa.lock) == 4 but kern_mutex.c defines __MUTEX_PRIVATE and so sees the sizeof(pa_lock) == 12. So when mutex_init() is called and does a memset(&pa_lock,0,sizeof(pa_lock)) it clears the pa_list tail queue head that follows it in struct pool_allocator.


Home | Main Index | Thread Index | Old Index