kern/53208: Old phypage bucket array might be deallocated incorrectly during pages recoloring in uvm_page_recolor()

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/53208: Old phypage bucket array might be deallocated incorrectly during pages recoloring in uvm_page_recolor()
From: yaniv.abraham%yahoo.com@localhost
Date: Tue, 24 Apr 2018 15:30:00 +0000 (UTC)

>Number:         53208
>Category:       kern
>Synopsis:       Old phypage bucket array might be deallocated incorrectly during pages recoloring in uvm_page_recolor()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 24 15:30:00 +0000 2018
>Originator:     Yaniv Abraham-Rabinovitch
>Release:        7.0
>Organization:
>Environment:
Linux debian 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux
>Description:
In the file usr/src/sys/uvm/uvm_page.c (version 1.185) lines 1053-1054 function uvm_page_recolor:

1053:   if (oldbucketmemsize) {
1054:      kmem_free(oldbucketarray, recolored_pages_memsize);
1055:   }

I think the call the kmem_free should be passed with the old size of the bucket array `oldbucketarray' which is `oldbucketmemsize'. recolored_pages_memsize is actually the new bucket size after the recoloring as stated in the previous lines (line 1050):

1050:   recolored_pages_memsize = bucketmemsize;

>How-To-Repeat:
Source code.
>Fix:
Change
      kmem_free(oldbucketarray, recolored_pages_memsize);

to
      kmem_free(oldbucketarray, oldbucketmemsize);

Prev by Date: Re: kern/53066 (nearly reproducable softint panic on shutdown)
Next by Date: Re: kern/53207 (src/sys/net/npf/npf_nat.c:893: bad expression ?)
Previous by Thread: PR/53202 CVS commit: src/sys/kern
Next by Thread: Re: kern/53207 (src/sys/net/npf/npf_nat.c:893: bad expression ?)
Indexes:

Home | Main Index | Thread Index | Old Index