In zone_alloc_bucket() max argument was calculated based on uz_count.
Then bucket_alloc() also selects bucket size based on uz_count. However, since zone lock is dropped, uz_count may reduce. In this case max may be greater than ub_entries and that would yield into writing beyond end of the allocation. Reported by: pho
This commit is contained in:
parent
0273f68fc0
commit
058f928a27
@ -2844,7 +2844,7 @@ zone_alloc_bucket(uma_zone_t zone, void *udata, int domain, int flags, int max)
|
|||||||
return (NULL);
|
return (NULL);
|
||||||
|
|
||||||
bucket->ub_cnt = zone->uz_import(zone->uz_arg, bucket->ub_bucket,
|
bucket->ub_cnt = zone->uz_import(zone->uz_arg, bucket->ub_bucket,
|
||||||
max, domain, flags);
|
MIN(max, bucket->ub_entries), domain, flags);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Initialize the memory if necessary.
|
* Initialize the memory if necessary.
|
||||||
|
Loading…
Reference in New Issue
Block a user