NetBSD Problem Report #53208

From www@NetBSD.org  Tue Apr 24 15:29:57 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 713747A14E
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 24 Apr 2018 15:29:57 +0000 (UTC)
Message-Id: <20180424152956.49E517A220@mollari.NetBSD.org>
Date: Tue, 24 Apr 2018 15:29:56 +0000 (UTC)
From: yaniv.abraham@yahoo.com
Reply-To: yaniv.abraham@yahoo.com
To: gnats-bugs@NetBSD.org
Subject: Old phypage bucket array might be deallocated incorrectly during pages recoloring in uvm_page_recolor()
X-Send-Pr-Version: www-1.0

>Number:         53208
>Category:       kern
>Synopsis:       Old phypage bucket array might be deallocated incorrectly during pages recoloring in uvm_page_recolor()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 24 15:30:00 +0000 2018
>Closed-Date:    Thu May 10 09:56:38 +0000 2018
>Last-Modified:  Thu May 10 09:56:38 +0000 2018
>Originator:     Yaniv Abraham-Rabinovitch
>Release:        7.0
>Organization:
>Environment:
Linux debian 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux
>Description:
In the file usr/src/sys/uvm/uvm_page.c (version 1.185), lines 1053-1054, function uvm_page_recolor:

1053:   if (oldbucketmemsize) {
1054:      kmem_free(oldbucketarray, recolored_pages_memsize);
1055:   }

I think the call to kmem_free should be passed the old size of the bucket array `oldbucketarray', which is `oldbucketmemsize'. recolored_pages_memsize is actually the new bucket size after the recoloring, as stated in the previous lines (line 1050):

1050:   recolored_pages_memsize = bucketmemsize;

>How-To-Repeat:
Source code.
>Fix:
Change
      kmem_free(oldbucketarray, recolored_pages_memsize);

to
      kmem_free(oldbucketarray, oldbucketmemsize);

>Release-Note:

>Audit-Trail:
From: "Jonathan A. Kollasch" <jakllsch@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53208 CVS commit: src/sys/uvm
Date: Tue, 24 Apr 2018 16:35:54 +0000

 Module Name:	src
 Committed By:	jakllsch
 Date:		Tue Apr 24 16:35:53 UTC 2018

 Modified Files:
 	src/sys/uvm: uvm_page.c

 Log Message:
 In uvm_page_recolor(), kmem_free() old size rather than new size.

 From Yaniv Abraham-Rabinovitch in PR kern/53208.


 To generate a diff of this commit:
 cvs rdiff -u -r1.195 -r1.196 src/sys/uvm/uvm_page.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Thu, 10 May 2018 09:56:38 +0000
State-Changed-Why:
Thanks for the report!
mrg says this doesn't need to be pulled up because it's dead code for all the archs for which it might be relevant, so closing without pullups.

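Added illustration (not NetBSD code, and not part of the PR or its audit trail): kmem_free(9) requires the same size that was passed to kmem_alloc(9), because the size selects the cache the block is returned to, so a free with the wrong size hands the block to the wrong cache. The constructed program below models the shape of uvm_page_recolor() with a toy sized allocator (sized_alloc/sized_free, both assumed names) that records each live block's size and reports a mismatched free. recolor() swaps in a new bucket array and frees the old one either with the new size (the defect reported above) or with the old size (the committed fix); run_recolor() drives a 4-colour to 8-colour resize and returns whether the allocator saw a mismatch. Struct and field names are assumptions chosen to echo the variables quoted in the report.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed stand-in for kmem_alloc(9)/kmem_free(9): a sized allocator
 * that records the size of every live block and reports a free whose size
 * differs from the size it was allocated with.  The real kmem_free() uses
 * the size to pick the cache a block goes back to; here a mismatch is
 * simply detected and reported instead of corrupting allocator state.
 */
#define MAX_LIVE 16

struct live_block {
	void *p;
	size_t sz;
};

static struct live_block live_tbl[MAX_LIVE];

static void *
sized_alloc(size_t sz)
{
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live_tbl[i].p == NULL) {
			void *p = calloc(1, sz);
			if (p == NULL)
				return NULL;
			live_tbl[i].p = p;
			live_tbl[i].sz = sz;
			return p;
		}
	}
	return NULL;	/* tracking table full */
}

/* Returns 1 if sz matches the allocation, 0 on mismatch or unknown p. */
static int
sized_free(void *p, size_t sz)
{
	for (int i = 0; i < MAX_LIVE; i++) {
		if (live_tbl[i].p == p) {
			int ok = (live_tbl[i].sz == sz);
			live_tbl[i].p = NULL;
			free(p);
			return ok;
		}
	}
	return 0;
}

/* Minimal analogue of the per-colour page bucket array (assumed layout). */
struct bucket {
	int npages;
};

struct recolor_state {
	struct bucket *bucketarray;
	size_t bucketmemsize;	/* bytes owned by bucketarray, cf. recolored_pages_memsize */
	int ncolors;
};

/*
 * Resize the bucket array to newncolors, mirroring the shape of
 * uvm_page_recolor(): allocate the new array, migrate, swap it in, free
 * the old one.  With buggy set the old array is freed with the NEW size
 * (the defect in PR kern/53208); otherwise with the old size (the fix).
 * Returns 0 on a consistent free, 1 on a size mismatch, -1 on alloc failure.
 */
static int
recolor(struct recolor_state *st, int newncolors, int buggy)
{
	size_t newmemsize = (size_t)newncolors * sizeof(struct bucket);
	struct bucket *newarray = sized_alloc(newmemsize);
	if (newarray == NULL)
		return -1;

	struct bucket *oldbucketarray = st->bucketarray;
	size_t oldbucketmemsize = st->bucketmemsize;

	/* Carry page counts over; colours fold modulo the new colour count. */
	for (int c = 0; c < st->ncolors; c++)
		newarray[c % newncolors].npages += oldbucketarray[c].npages;

	st->bucketarray = newarray;
	st->ncolors = newncolors;
	st->bucketmemsize = newmemsize;	/* the "recolored_pages_memsize = bucketmemsize" step */

	if (oldbucketmemsize == 0)
		return 0;	/* first allocation: nothing to free */
	int ok = sized_free(oldbucketarray, buggy ? newmemsize : oldbucketmemsize);
	return ok ? 0 : 1;
}

/* Build a 4-colour array, recolour to 8, and report the free outcome. */
static int
run_recolor(int buggy)
{
	struct recolor_state st = { NULL, 0, 0 };
	if (recolor(&st, 4, buggy) != 0)
		return -1;
	st.bucketarray[1].npages = 5;	/* constructed sample content */
	int rc = recolor(&st, 8, buggy);
	int total = 0;
	for (int c = 0; c < st.ncolors; c++)
		total += st.bucketarray[c].npages;
	sized_free(st.bucketarray, st.bucketmemsize);
	return total == 5 ? rc : -2;	/* -2: migration lost pages */
}

int
main(void)
{
	printf("free with new size (PR defect): mismatch=%d\n", run_recolor(1));
	printf("free with old size (fix):       mismatch=%d\n", run_recolor(0));
	return 0;
}
```

The mismatch is only visible because the toy allocator records sizes; a production sized allocator has no such check on the fast path, which is why the defect in the report goes unnoticed until the mis-sized block is reused from the wrong cache.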

>Unformatted:
