path: root/sys/kern/kern_malloc.c
author: Pawel Jakub Dawidek <pjd@FreeBSD.org> 2005-12-28 01:53:13 +0000
committer: Pawel Jakub Dawidek <pjd@FreeBSD.org> 2005-12-28 01:53:13 +0000
commit: 619f284195fdc856a4dfae7cc0cdeedd19a9e980 (patch)
tree: e63254f2504d3f0195d7bf50a02a78244ac2d94a /sys/kern/kern_malloc.c
parent: 333051eeb3aab27ae3990ec2abe33f4f0d7f832d (diff)
In realloc(9), determine size of the original block based on
UMA_SLAB_MALLOC flag. In some circumstances (I observed it when I was doing a lot of reallocs) UMA_SLAB_MALLOC can be set even if us_keg != NULL. If this is the case we have wonderful, silent data corruption, because less data is copied to the newly allocated region than should be. I'm not sure when this bug was introduced; it could have been there undetected for years now, as we don't have a lot of realloc(9) consumers and it was hard to reproduce it... ...but what I know for sure is that I don't want to know who introduced the bug :) It took me two/three days to track it down (of course most of the time I was looking for the bug in my own code).
Notes: svn path=/head/; revision=153769
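The failure mode the commit message describes, modelled in userland as an added example (this is not FreeBSD's or UMA's code; `struct toy_slab`, `struct toy_keg`, `UMA_SLAB_MALLOC`'s value and the sizes are constructed for illustration, only the field names `us_keg`, `uk_size`, `us_size` and `us_flags` mirror the diff). A slab in the state the author observed (UMA_SLAB_MALLOC set, `us_keg` non-NULL) makes the old `us_keg`-based rule report the keg's item size instead of the real allocation size, so the realloc copy is silently short; the flag-based rule from the commit copies the whole block.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of the two slab kinds realloc(9) has to tell apart. */
#define UMA_SLAB_MALLOC 0x01 /* assumed value: slab backs a large malloc, not a keg item */

struct toy_keg { size_t uk_size; };      /* fixed item size of a keg-backed slab */
struct toy_slab {
    struct toy_keg *us_keg;  /* may be non-NULL even on a MALLOC slab (the observed state) */
    size_t us_size;          /* actual allocation size of a MALLOC slab */
    unsigned us_flags;
};

/* Old rule (the '-' line of the diff): a keg pointer means "keg-backed". */
static size_t old_size_rule(const struct toy_slab *s)
{
    return s->us_keg ? s->us_keg->uk_size : s->us_size;
}

/* New rule (the '+' line of the diff): the flag, not the pointer, decides. */
static size_t new_size_rule(const struct toy_slab *s)
{
    if (!(s->us_flags & UMA_SLAB_MALLOC)) {
        assert(s->us_keg != NULL); /* invariant a keg-backed slab must satisfy */
        return s->us_keg->uk_size;
    }
    return s->us_size;
}

/*
 * Model of the realloc copy step: copy min(old size, new size) bytes into the
 * fresh region. Returns the number of bytes actually preserved.
 */
static size_t toy_realloc_copy(const struct toy_slab *s, const unsigned char *old,
                               size_t newsize, unsigned char *newbuf,
                               size_t (*size_rule)(const struct toy_slab *))
{
    size_t alloc = size_rule(s);
    size_t n = alloc < newsize ? alloc : newsize;
    memcpy(newbuf, old, n);
    return n;
}

/*
 * Reproduce the author's scenario and count how many bytes of the original
 * 4096-byte block are missing from the reallocated region.
 * use_fixed_rule == 0 -> old us_keg test, 1 -> UMA_SLAB_MALLOC test.
 */
static size_t bytes_lost(int use_fixed_rule)
{
    enum { OLD_BYTES = 4096, NEW_BYTES = 8192, KEG_ITEM = 256 };
    struct toy_keg keg = { KEG_ITEM };
    /* The inconsistent state: MALLOC flag set, yet us_keg is non-NULL. */
    struct toy_slab slab = { &keg, OLD_BYTES, UMA_SLAB_MALLOC };

    unsigned char *old = malloc(OLD_BYTES);
    unsigned char *new = malloc(NEW_BYTES);
    if (old == NULL || new == NULL) { free(old); free(new); return (size_t)-1; }

    /* Pattern never equals 0xFF, so unfilled destination bytes are detectable. */
    for (size_t i = 0; i < OLD_BYTES; i++) old[i] = (unsigned char)(i & 0x7F);
    memset(new, 0xFF, NEW_BYTES);

    toy_realloc_copy(&slab, old, NEW_BYTES, new,
                     use_fixed_rule ? new_size_rule : old_size_rule);

    size_t lost = 0;
    for (size_t i = 0; i < OLD_BYTES; i++) if (new[i] != old[i]) lost++;
    free(old);
    free(new);
    return lost;
}

int main(void)
{
    printf("bytes lost with us_keg rule:         %zu\n", bytes_lost(0));
    printf("bytes lost with UMA_SLAB_MALLOC rule: %zu\n", bytes_lost(1));
    return 0;
}
```

The point of the model is that nothing fails loudly under the old rule: `memcpy` copies 256 bytes without complaint and the remaining 3840 bytes of the caller's data are simply absent from the new region, which is exactly the "silent data corruption" the author spent days tracing through his own code.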
Diffstat (limited to 'sys/kern/kern_malloc.c')
 sys/kern/kern_malloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/kern/kern_malloc.c b/sys/kern/kern_malloc.c
index 4b707aa171a7..4864277dd7d7 100644
--- a/sys/kern/kern_malloc.c
+++ b/sys/kern/kern_malloc.c
@@ -437,7 +437,7 @@ if (mtp == M_SUBPROC) {
("realloc: address %p out of range", (void *)addr));
/* Get the size of the original block */
- if (slab->us_keg)
+ if (!(slab->us_flags & UMA_SLAB_MALLOC))
alloc = slab->us_keg->uk_size;
else
alloc = slab->us_size;
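Review bot: the new condition `if (!(slab->us_flags & UMA_SLAB_MALLOC))` drops the implicit NULL guard that `if (slab->us_keg)` provided for the following `alloc = slab->us_keg->uk_size;`, so a slab with the flag clear and `us_keg == NULL` would now dereference NULL instead of taking the `us_size` branch. That may be an impossible state, but the commit message shows the opposite inconsistency (flag set, `us_keg` non-NULL) did occur, so the invariant is worth checking rather than assuming: add a `KASSERT(slab->us_keg != NULL, ("realloc: keg-backed slab without keg"))` before the dereference so a future inconsistency fails loudly instead of producing another silent short copy.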