Correct an error in the allocation of the vm_page_dump array in

vm_page_startup().  Specifically, the dump_avail array should be used
instead of the phys_avail array to calculate the size of vm_page_dump.  For
example, the pages for the message buffer are allocated prior to
vm_page_startup() by subtracting them from the last entry in the phys_avail
array, but the first thing that vm_page_startup() does after creating the
vm_page_dump array is to set the bits corresponding to the message buffer
pages in that array.  However, these bits might not actually exist in the
array, because the size of the array is determined by the current value in
the last entry of the phys_avail array.  In general, the only reason why
this doesn't always result in an out-of-bounds array access is that the size
of the vm_page_dump array is rounded up to the next page boundary.  This
change eliminates that dependence on rounding (and luck).

MFC after:	6 weeks
This commit is contained in:
Alan Cox 2010-12-01 03:35:19 +00:00
parent 6d2f981e9b
commit 05cb58f669

View File

@ -282,7 +282,6 @@ vm_page_startup(vm_offset_t vaddr)
vm_paddr_t new_end;
int i;
vm_paddr_t pa;
int nblocks;
vm_paddr_t last_pa;
char *list;
@ -294,7 +293,6 @@ vm_page_startup(vm_offset_t vaddr)
biggestsize = 0;
biggestone = 0;
nblocks = 0;
vaddr = round_page(vaddr);
for (i = 0; phys_avail[i + 1]; i += 2) {
@ -316,7 +314,6 @@ vm_page_startup(vm_offset_t vaddr)
low_water = phys_avail[i];
if (phys_avail[i + 1] > high_water)
high_water = phys_avail[i + 1];
++nblocks;
}
#ifdef XEN
@ -372,7 +369,11 @@ vm_page_startup(vm_offset_t vaddr)
* minidump code. In theory, they are not needed on i386, but are
* included should the sf_buf code decide to use them.
*/
page_range = phys_avail[(nblocks - 1) * 2 + 1] / PAGE_SIZE;
last_pa = 0;
for (i = 0; dump_avail[i + 1] != 0; i += 2)
if (dump_avail[i + 1] > last_pa)
last_pa = dump_avail[i + 1];
page_range = last_pa / PAGE_SIZE;
vm_page_dump_size = round_page(roundup2(page_range, NBBY) / NBBY);
new_end -= vm_page_dump_size;
vm_page_dump = (void *)(uintptr_t)pmap_map(&vaddr, new_end,