In zone_alloc_bucket() max argument was calculated based on uz_count.

Then bucket_alloc() also selects bucket size based on uz_count. However, since zone lock is dropped, uz_count may reduce. In this case max may be greater than ub_entries and that would yield into writing beyond end of the allocation. Reported by: pho
2019-01-31 17:52:48 +00:00 · 2019-01-31 17:52:48 +00:00 · 058f928a27
commit 058f928a27
parent 0273f68fc0
1 changed files with 1 additions and 1 deletions
--- a/sys/vm/uma_core.c
+++ b/sys/vm/uma_core.c
@ -2844,7 +2844,7 @@ zone_alloc_bucket(uma_zone_t zone, void *udata, int domain, int flags, int max)
 		return (NULL);

 	bucket->ub_cnt = zone->uz_import(zone->uz_arg, bucket->ub_bucket,
-	    max, domain, flags);
+	    MIN(max, bucket->ub_entries), domain, flags);

 	/*
 	 * Initialize the memory if necessary.