tech-kern archive


Re: Brainy: bug in x86/cpu_ucode_intel.c



On 03/10/2015 18:07, Maxime Villard wrote:
[snip]
> Yes. But these "stolen" bytes are 8-byte-aligned, which is the
> guaranteed alignment for kmem_alloc(). So they don't create any
> inconsistency from a kmem POV.
> 
> However, KMEM_SIZE gives a look at ptr[-1] when freeing memory. If ptr
> is offset, ptr[-1] won't be a kmem_size structure, and the kernel will
> panic.
> 
> Since kmem allocations are 8-byte-aligned, that roundup2 will do +0 or
> +8. ISTR that pool_put() retrieves the pool item header by truncating
> the pointer given as argument, to then put the item into the free list.
> Since the offset is only 8 bytes here, it may not be visible.
> 
> Still, this is risky behavior.

I agree.

I was merely referring to uvm_km_alloc() in case someone needs a
specific alignment (like a page boundary for an alloc smaller than
PAGE_SIZE).

Regarding the code, I am almost sure that the roundup2() is a
requirement for microcode updates on Intel x86 CPUs. I suppose it
requires a 16-byte-aligned address for the blob, hence the call to
roundup2().

-- 
Jean-Yves Migeon
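As an added illustration (not code from this thread or from NetBSD), a toy model of the hazard quoted above: an allocator that keeps an 8-byte size header immediately before the returned pointer and a free routine that checks that header, the way KMEM_SIZE does. Rounding the returned pointer up to 16 bytes and then freeing the rounded pointer makes the check read caller data instead of the header; the fixed variant over-allocates by the alignment and frees the pointer the allocator actually handed out. The names toy_kmem_*, the arena and UCODE_ALIGN are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* roundup2() as used in the thread: round x up to the power-of-two m. */
#define roundup2(x, m) ((((uintptr_t)(x)) + ((m) - 1)) & ~((uintptr_t)(m) - 1))
#define UCODE_ALIGN 16   /* assumed alignment wanted for the blob */
/* Toy stand-in for the KMEM_SIZE header: 8 bytes just before the
 * payload holding the requested size. Constructed for this example. */
struct toy_kmem_size { uint64_t ks_size; };

/* Bump arena. Every block is a multiple of 16, so each payload lands
 * at an address that is 8 (mod 16): the case the thread discusses. */
static _Alignas(16) unsigned char arena[4096];
static size_t arena_off;

static void *toy_kmem_alloc(size_t size) {
    size_t need = roundup2(sizeof(struct toy_kmem_size) + size, 16);
    if (arena_off + need > sizeof arena) return NULL;
    struct toy_kmem_size *hdr = (struct toy_kmem_size *)(arena + arena_off);
    arena_off += need;
    hdr->ks_size = size;
    unsigned char *p = (unsigned char *)(hdr + 1);
    memset(p, 0xa5, size);           /* caller data, not a header */
    return p;
}

/* Mirror of the free-time check: ptr[-1] must be this allocation's
 * header. Returns 1 when consistent, 0 where the kernel would panic. */
static int toy_kmem_free_ok(void *p, size_t size) {
    struct toy_kmem_size *hdr = (struct toy_kmem_size *)p - 1;
    return hdr->ks_size == size;
}

/* Buggy pattern: round the returned pointer up in place and later free
 * the rounded pointer. Returns the free-check result (0 here). */
static int free_after_roundup(size_t size) {
    void *p = toy_kmem_alloc(size);
    if (p == NULL) return -1;
    void *aligned = (void *)roundup2(p, UCODE_ALIGN);
    return toy_kmem_free_ok(aligned, size);
}
/* Safe pattern: over-allocate by the alignment, align inside the block,
 * and free the pointer kmem handed out, not the aligned one (1 here). */
static int free_after_roundup_fixed(size_t size) {
    size_t total = size + UCODE_ALIGN;
    void *base = toy_kmem_alloc(total);
    if (base == NULL) return -1;
    void *aligned = (void *)roundup2(base, UCODE_ALIGN);
    (void)aligned;                   /* the blob would be copied here */
    return toy_kmem_free_ok(base, total);
}
```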

