svn commit: r193490 - head/sys/kern
Brian Somers
brian at FreeBSD.org
Fri Jun 5 09:16:52 UTC 2009
Author: brian
Date: Fri Jun 5 09:16:52 2009
New Revision: 193490
URL: http://svn.freebsd.org/changeset/base/193490
Log:
If we're passed garbage in malloc_init(), panic() rather than expecting
a KASSERT to handle it. People are likely to turn off INVARIANTS RSN
and loading an old module can cause garbage-in here.
I saw the issue with an older nvidia driver (x11/nvidia-driver) loading
into a new kernel - a crash wasn't seen 'till sysctl_kern_malloc_stats().
I was lucky that mtp->ks_shortdesc was NULL and not something horrible.
While I'm here, KASSERT that malloc_uninit() isn't passed something that's
not in kmemstatistics.
MFC after: 3 weeks
Modified:
head/sys/kern/kern_malloc.c
Modified: head/sys/kern/kern_malloc.c
==============================================================================
--- head/sys/kern/kern_malloc.c Fri Jun 5 09:09:46 2009 (r193489)
+++ head/sys/kern/kern_malloc.c Fri Jun 5 09:16:52 2009 (r193490)
@@ -675,8 +675,8 @@ malloc_init(void *data)
KASSERT(cnt.v_page_count != 0, ("malloc_register before vm_init"));
mtp = data;
- KASSERT(mtp->ks_magic == M_MAGIC,
- ("malloc_init: bad malloc type magic"));
+ if (mtp->ks_magic != M_MAGIC)
+ panic("malloc_init: bad malloc type magic");
mtip = uma_zalloc(mt_zone, M_WAITOK | M_ZERO);
mtp->ks_handle = mtip;
@@ -709,9 +709,13 @@ malloc_uninit(void *data)
if (mtp != kmemstatistics) {
for (temp = kmemstatistics; temp != NULL;
temp = temp->ks_next) {
- if (temp->ks_next == mtp)
+ if (temp->ks_next == mtp) {
temp->ks_next = mtp->ks_next;
+ break;
+ }
}
+ KASSERT(temp,
+ ("malloc_uninit: type '%s' not found", mtp->ks_shortdesc));
} else
kmemstatistics = mtp->ks_next;
kmemcount--;
More information about the svn-src-head
mailing list