A possible unbounded loop in moea_sync_icache: why sys/vm/mlock_test:mlock__copy_on_write_vnode fails?
Mark Millard
marklmi at yahoo.com
Thu Jan 9 06:03:27 UTC 2020
In the statement:
lim = round_page(va);
later below in moea_sync_icache, it uses:
#define round_page(x) (((x) + PAGE_MASK) & ~PAGE_MASK)
So, for PAGE_MASK==(4096u-1u) the statement translates
to, in essence (the u's are conceptual here):
lim = ((va)+4095u) & ~4095u;
That means that if va%4096u==0 then the result
is lim==va.
In turn, that means that:
len = MIN(lim - va, sz);
results in len==0.
That in turn means that:
sz -= len;
does not change sz.
Overall result: the loop testing sz>0 does not
terminate.
I expect that is why the kyua test:
sys/vm/mlock_test:mlock__copy_on_write_vnode :
is failing.
The code in question:
static void
moea_sync_icache(mmu_t mmu, pmap_t pm, vm_offset_t va, vm_size_t sz)
{
        struct pvo_entry *pvo;
        vm_offset_t lim;
        vm_paddr_t pa;
        vm_size_t len;

        PMAP_LOCK(pm);
        while (sz > 0) {
                lim = round_page(va);
                len = MIN(lim - va, sz);
                pvo = moea_pvo_find_va(pm, va & ~ADDR_POFF, NULL);
                if (pvo != NULL) {
                        pa = (pvo->pvo_pte.pte.pte_lo & PTE_RPGN) |
                            (va & ADDR_POFF);
                        moea_syncicache(pa, len);
                }
                va += len;
                sz -= len;
        }
        PMAP_UNLOCK(pm);
}
===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)
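The non-terminating loop the message describes, replayed in user-space C as an added example (editor's code, not from the post or from the FreeBSD source). It keeps only the control flow of moea_sync_icache: the round_page macro exactly as quoted, a caller-supplied "end of this chunk" function, and an iteration cap so the stalled case returns instead of hanging. The 4 KiB page constants are constructed for the example; the PVO lookup and moea_syncicache are replaced by a byte counter since they do not affect whether the loop advances. The alternative limit computation round_page(va + 1) is an assumption of this example (one way to always land on the next page boundary), not a claim about what change the project adopted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Page constants constructed for this example (4 KiB pages, as in the post).
 * PAGE_MASK is made pointer-wide so ~PAGE_MASK does not truncate high bits. */
typedef uintptr_t vm_offset_t;
typedef uintptr_t vm_size_t;
#define PAGE_SIZE ((vm_offset_t)4096)
#define PAGE_MASK (PAGE_SIZE - 1)
#define round_page(x) (((x) + PAGE_MASK) & ~PAGE_MASK)   /* as quoted in the post */
#define MIN(a, b)     ((a) < (b) ? (a) : (b))

/* Outcome of one simulated call: whether the loop finished, how many passes
 * it took, and how many bytes the stand-in flush was asked to sync. */
struct sync_result {
    bool      terminated;
    unsigned  iterations;
    vm_size_t bytes_synced;
};

/* Replays the control flow of moea_sync_icache with a caller-supplied
 * chunk-limit function and an iteration cap, so a loop that makes no
 * progress returns a result instead of hanging the caller. */
static struct sync_result
simulate_sync(vm_offset_t va, vm_size_t sz,
              vm_offset_t (*chunk_lim)(vm_offset_t), unsigned max_iter)
{
    struct sync_result r = { false, 0, 0 };

    while (sz > 0) {
        if (r.iterations >= max_iter)
            return r;                     /* cap reached: report the stall */
        r.iterations++;
        vm_offset_t lim = chunk_lim(va);
        vm_size_t   len = MIN(lim - va, sz);
        r.bytes_synced += len;            /* stands in for moea_syncicache(pa, len) */
        va += len;
        sz -= len;
    }
    r.terminated = true;
    return r;
}

/* Limit exactly as the post quotes it: a page-aligned va rounds to itself,
 * so len is 0 and sz is never reduced. */
static vm_offset_t
lim_as_posted(vm_offset_t va)
{
    return round_page(va);
}

/* One way to always stop at the *next* page boundary (an assumption of this
 * example, not necessarily the change the project made): round up va + 1. */
static vm_offset_t
lim_next_boundary(vm_offset_t va)
{
    return round_page(va + 1);
}

/* True when the quoted computation fails to terminate for this range. */
static bool
hangs_as_posted(vm_offset_t va, vm_size_t sz)
{
    return !simulate_sync(va, sz, lim_as_posted, 1000).terminated;
}

static void
report(const char *label, struct sync_result r)
{
    printf("%-36s terminated=%d iterations=%u bytes=%#lx\n",
           label, r.terminated, r.iterations, (unsigned long)r.bytes_synced);
}

int
main(void)
{
    /* Page-aligned start: len is 0 on the first pass and stays 0. */
    report("posted, va=0x10000 sz=100", simulate_sync(0x10000, 100, lim_as_posted, 50));
    /* Unaligned start that ends inside the same page: works as intended. */
    report("posted, va=0x10010 sz=100", simulate_sync(0x10010, 100, lim_as_posted, 50));
    /* Unaligned start that crosses a boundary: advances once, then stalls. */
    report("posted, va=0x10010 sz=0x2000", simulate_sync(0x10010, 0x2000, lim_as_posted, 50));
    /* Next-boundary variant: three chunks of 0x1000, 0x1000 and 0x10 bytes. */
    report("next-boundary, va=0x10000 sz=0x2010",
           simulate_sync(0x10000, 0x2010, lim_next_boundary, 50));
    return 0;
}
```

The third case is the one worth noting for triage: the stall is not limited to page-aligned starting addresses. Any range that reaches a page boundary with bytes still remaining lands on an aligned va on the next pass, at which point len becomes 0 and the loop no longer advances, which is consistent with only some callers (such as the mlock test) tripping over it.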