gnumach: bug in dev_pager.c
From: Joan Lledó
Subject: gnumach: bug in dev_pager.c
Date: Sat, 6 Aug 2022 12:44:38 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.12.0
Hi,
I think there's a bug in dev_pager.c, at methods dev_pager_hash_delete()
and dev_device_hash_delete(), lines 238 and 316:
https://git.savannah.gnu.org/cgit/hurd/gnumach.git/tree/device/dev_pager.c#n238
https://git.savannah.gnu.org/cgit/hurd/gnumach.git/tree/device/dev_pager.c#n316
It's calling kmem_cache_free() when entry is true, assuming that
entry==true means entry found and entry==false means entry not found.
But entry will always be true because queues are initialized as:
(q)->next = (q)->prev = q

AIUI, when an entry is not found, then the entry will point to the head
of the queue (bucket == &entry->links). And it will call
kmem_cache_free() to try to remove the head from the cache, when it's
not in the cache. I'm surprised this is not crashing somehow. I tried to
make dev_pager_hash_delete() get called with a non-existent entry but I
don't know how to cause that situation.
It seems to me that the correct condition at lines 238 and 316 should be:
if (!queue_end(bucket, &entry->links))
Am I missing something?
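As an added illustration, not the poster's code and not gnumach's own sources, here is a small stand-in for gnumach's queue macros that shows why an `if (entry)` test cannot tell a miss from a hit on a sentinel-headed queue, next to the `queue_end()` check proposed in the message. `struct dev_entry`, `bucket_lookup()` and the constructed three-entry bucket are assumptions made for the example.

```c
#include <stdlib.h>
/* Stand-in for gnumach's queue.h (constructed, not the kernel's header): a
 * circular list with a sentinel head, initialised (q)->next = (q)->prev = q. */
struct queue_entry { struct queue_entry *next, *prev; };
typedef struct queue_entry *queue_t;
#define queue_init(q)    ((q)->next = (q)->prev = (q))
#define queue_first(q)   ((q)->next)
#define queue_next(qe)   ((qe)->next)
#define queue_end(q, qe) ((q) == (qe))
/* Hypothetical hash entry; `links` is first so the casts below are valid. */
struct dev_entry { struct queue_entry links; int key; };
static void queue_enter(queue_t q, struct queue_entry *e) { e->next = q; e->prev = q->prev; q->prev->next = e; q->prev = e; }
static void queue_remove(struct queue_entry *e) { e->prev->next = e->next; e->next->prev = e->prev; }
/* Walk a bucket the way dev_pager_hash_delete() does. On a miss the loop
 * exits with `entry` aliasing the bucket head, so it is never NULL. */
static struct dev_entry *bucket_lookup(queue_t bucket, int key) {
    struct dev_entry *entry;
    for (entry = (struct dev_entry *)queue_first(bucket);
         !queue_end(bucket, &entry->links);
         entry = (struct dev_entry *)queue_next(&entry->links))
        if (entry->key == key) break;
    return entry;
}
/* 1 if the original `if (entry)` test passes for an absent key, i.e. the
 * sentinel head would be handed to kmem_cache_free(). */
int buggy_test_passes_on_miss(queue_t bucket, int key) {
    struct dev_entry *entry = bucket_lookup(bucket, key);
    return entry != NULL && queue_end(bucket, &entry->links);
}
/* Delete using the condition proposed in the message. Returns 1 if freed. */
int hash_delete_fixed(queue_t bucket, int key) {
    struct dev_entry *entry = bucket_lookup(bucket, key);
    if (queue_end(bucket, &entry->links)) return 0;  /* miss: leave head alone */
    queue_remove(&entry->links);
    free(entry);
    return 1;
}
/* Constructed bucket holding keys 1..3; returns how many of 4 checks hold. */
int demo(void) {
    struct queue_entry bucket, *qe; int ok = 0, n = 0, k;
    queue_init(&bucket);
    for (k = 1; k <= 3; k++) {
        struct dev_entry *e = malloc(sizeof *e); e->key = k; queue_enter(&bucket, &e->links);
    }
    ok += buggy_test_passes_on_miss(&bucket, 99) == 1;  /* miss looks like a hit */
    ok += hash_delete_fixed(&bucket, 99) == 0;          /* fixed check: nothing freed */
    ok += hash_delete_fixed(&bucket, 2) == 1;           /* real entry removed */
    for (qe = queue_first(&bucket); !queue_end(&bucket, qe); qe = queue_next(qe)) n++;
    return ok + (n == 2);
}
```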