From gemini@geminix.org  Tue Jun  1 11:47:21 2004
Return-Path: <gemini@geminix.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5BBBA16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  1 Jun 2004 11:47:21 -0700 (PDT)
Received: from gen129.n001.c02.escapebox.net (gen129.n001.c02.escapebox.net [213.73.91.129])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1273F43D46
	for <FreeBSD-gnats-submit@freebsd.org>; Tue,  1 Jun 2004 11:47:21 -0700 (PDT)
	(envelope-from gemini@geminix.org)
Received: from gemini by geminix.org with local (Exim 3.36 #1)
	id 1BVEI8-0009i8-00; Tue, 01 Jun 2004 20:47:16 +0200
Message-Id: <E1BVEI8-0009i8-00@geminix.org>
Date: Tue, 01 Jun 2004 20:47:16 +0200
From: Uwe Doering <gemini@geminix.org>
Reply-To: Uwe Doering <gemini@geminix.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Uwe Doering <gemini@geminix.org>
Subject: pmap_prefault_pageorder array initialization is broken
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         67460
>Category:       kern
>Synopsis:       pmap_prefault_pageorder array initialization is broken
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 01 11:50:22 PDT 2004
>Closed-Date:    Wed Jun 02 00:05:05 PDT 2004
>Last-Modified:  Wed Jun 02 00:05:05 PDT 2004
>Originator:     Uwe Doering
>Release:        FreeBSD 4.5-RELEASE i386
>Organization:
EscapeBox - Managed On-Demand UNIX Servers
>Environment:
System: FreeBSD geminix.org 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Thu May 27 11:49:01 GMT 2004 root@localhost:/STABLE_Enhanced_Edition i386

>Description:
There is a comma missing in the table initializing the
pmap_prefault_pageorder array.  This has two effects:

1. The resulting bogus contents of the array thwart part of the
optimization effect pmap_prefault() is supposed to have.

2. The resulting array is only 7 elements long (auto-sized), while
pmap_prefault() expects it to be the intended 8 elements.  So this
function in fact accesses memory beyond the end of the array.
Fortunately though, if the data at this location is out of bounds it
will be ignored.

This bug dates back more than 6 years.  It was introduced in
revision 1.178.  Please note that pmap.c for alpha is broken in the
same way.

>How-To-Repeat:
Look at what's actually in the array:

  gdb -k /kernel
  (kgdb) print pmap_prefault_pageorder[0]
  (kgdb) print pmap_prefault_pageorder[1]
    ...
  (kgdb) print pmap_prefault_pageorder[7]

>Fix:
Please consider the following patch:

--- pmap.c.diff begins here ---
--- src/sys/i386/i386/pmap.c.orig	Sun Jan 13 12:30:58 2002
+++ src/sys/i386/i386/pmap.c	Tue Jun  1 19:20:46 2004
@@ -2464,7 +2464,7 @@
 static int pmap_prefault_pageorder[] = {
 	-PAGE_SIZE, PAGE_SIZE,
 	-2 * PAGE_SIZE, 2 * PAGE_SIZE,
-	-3 * PAGE_SIZE, 3 * PAGE_SIZE
+	-3 * PAGE_SIZE, 3 * PAGE_SIZE,
 	-4 * PAGE_SIZE, 4 * PAGE_SIZE
 };
 
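Review bot: the comma fix is correct, but nothing in this hunk stops the table from silently shrinking again, since pmap_prefault() walks a fixed count of 8 entries (per the description) while the array stays auto-sized. Suggest adding a compile-time check right after the initializer that ties the element count to that loop bound, along the lines of `CTASSERT(sizeof(pmap_prefault_pageorder) / sizeof(pmap_prefault_pageorder[0]) == 8);` (substituting whatever macro the loop actually uses for 8), and a trailing comma after `4 * PAGE_SIZE` so the last line can be extended later without repeating the same slip. Keep the array auto-sized rather than declaring it `[8]`: an explicit size would zero-fill a short initializer and hide the bug instead of flagging it. The alpha pmap.c mentioned in the description is not covered by this diff.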
--- pmap.c.diff ends here ---
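The following is an added example, in C, illustrating the mechanism this PR describes; it is not code from the report, from the patch, or from FreeBSD's pmap.c. It places the pre-patch and post-patch initializers side by side in user space, shows the merged element and the 7-versus-8 length difference, adds the compile-time guard the original table lacked, and models the prefault walk so the duplicated offset and the over-long loop become visible. PAGE_SIZE is assumed to be 4096 (the i386 value); PAGEORDER_SIZE, NITEMS() and prefault_candidates() are this example's own names and not identifiers from the kernel source.

```c
/*
 * Added example, not code from the PR or from FreeBSD's pmap.c.  It
 * reproduces the initializer bug in user space: a missing comma merges
 * two entries into one expression, the auto-sized array ends up one
 * element short, and a walk with a fixed bound steps past its end.
 * Assumptions: PAGE_SIZE is 4096 (the i386 value) and PAGEORDER_SIZE is
 * this example's own name for the fixed count pmap_prefault() walks.
 */
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE	4096
#define PAGEORDER_SIZE	8	/* entries the prefault walk expects */
#define NITEMS(a)	(sizeof(a) / sizeof((a)[0]))

/* Initializer as it stood before the patch: no comma after 3 * PAGE_SIZE,
 * so "3 * PAGE_SIZE -4 * PAGE_SIZE" is one element equal to -PAGE_SIZE. */
static const int pageorder_broken[] = {
	-PAGE_SIZE, PAGE_SIZE,
	-2 * PAGE_SIZE, 2 * PAGE_SIZE,
	-3 * PAGE_SIZE, 3 * PAGE_SIZE
	-4 * PAGE_SIZE, 4 * PAGE_SIZE
};

/* Initializer with the patch applied.  The trailing comma after the last
 * element keeps a later addition from reintroducing the same slip. */
static const int pageorder_fixed[] = {
	-PAGE_SIZE, PAGE_SIZE,
	-2 * PAGE_SIZE, 2 * PAGE_SIZE,
	-3 * PAGE_SIZE, 3 * PAGE_SIZE,
	-4 * PAGE_SIZE, 4 * PAGE_SIZE,
};

/* The guard the original lacked: tie the auto-sized table to the walk
 * bound at compile time (FreeBSD spells this CTASSERT()).  Leaving the
 * array auto-sized matters: an explicit [PAGEORDER_SIZE] would silently
 * zero-fill a short initializer instead of failing here. */
_Static_assert(NITEMS(pageorder_fixed) == PAGEORDER_SIZE,
    "pageorder_fixed must have PAGEORDER_SIZE entries");

static size_t broken_len(void) { return NITEMS(pageorder_broken); }
static size_t fixed_len(void)  { return NITEMS(pageorder_fixed); }
static int broken_at(size_t i) { return pageorder_broken[i]; }
static int fixed_at(size_t i)  { return pageorder_fixed[i]; }

/*
 * Model of the prefault walk: for a faulting address, collect the
 * neighbouring page addresses the table names that lie inside the
 * mapping [start, end).  Returns the count written to out[], or -1 when
 * the requested walk length exceeds the table (the out-of-bounds read
 * the PR describes; the real kernel loop has no such check).
 */
static int
prefault_candidates(const int *table, size_t tablelen, size_t nwalk,
    unsigned long addr, unsigned long start, unsigned long end,
    unsigned long *out, size_t outcap)
{
	size_t i, n = 0;

	if (nwalk > tablelen)
		return (-1);
	for (i = 0; i < nwalk && n < outcap; i++) {
		unsigned long cand = addr + (long)table[i];

		if (cand < start || cand >= end)
			continue;
		out[n++] = cand;
	}
	return ((int)n);
}

int
main(void)
{
	size_t i;

	printf("broken table has %zu entries:", broken_len());
	for (i = 0; i < broken_len(); i++)
		printf(" %d", broken_at(i));
	printf("\nfixed table has %zu entries:", fixed_len());
	for (i = 0; i < fixed_len(); i++)
		printf(" %d", fixed_at(i));
	printf("\n");
	return (0);
}
```

Walking the broken table shows both effects from the description at once: entry 5 collapses to -PAGE_SIZE, so the page one below the fault is named twice and the page three above is never touched, and a walk of PAGEORDER_SIZE entries over the 7-element table is refused by the model where the kernel loop would simply read whatever follows the array.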
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Wed Jun 2 00:04:41 PDT 2004 
State-Changed-Why:  
Committed, thanks! 

(This fix does not apply to -current) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=67460 
>Unformatted:
