d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fget_unlocked() depends on the freed struct file f_count field being

Browse Source 
zero.  The file_zone if no-free, but r284861 added trashing of the
freed memory.  Most visible manifestation of the issue were 'memory
modified after free' panics for the file zone, triggered from
falloc_noinstall().

Add UMA_ZONE_ZINIT flag to turn off trashing.  Mjg noted that it makes
sense to not trash freed memory for any non-free zone, which will be
done later.

Reported and tested by:	pho
Discussed with:	mjg
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Konstantin Belousov 2015-08-19 11:53:32 +00:00
parent 04ae5bbe55
commit fe5ec54b50
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
sys/kern/kern_descrip.c
View File

@ -3833,7 +3833,7 @@ filelistinit(void *dummy)
{
file_zone = uma_zcreate("Files", sizeof(struct file), NULL, NULL,
NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE | UMA_ZONE_ZINIT);
filedesc0_zone = uma_zcreate("filedesc0", sizeof(struct filedesc0),
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
mtx_init(&sigio_lock, "sigio lock", NULL, MTX_DEF);