Date: Wed, 8 Jan 2020 22:03:21 -0800 From: Mark Millard <marklmi@yahoo.com> To: Justin Hibbits <chmeeedalf@gmail.com>, FreeBSD PowerPC ML <freebsd-ppc@freebsd.org> Cc: "bdragon@freebsd.org" <bdragon@FreeBSD.org> Subject: A possible unbounded loop in moea_sync_icache: why sys/vm/mlock_test:mlock__copy_on_write_vnode fails? Message-ID: <022334D3-B60E-440F-A514-8D8002B65CB4@yahoo.com> References: <022334D3-B60E-440F-A514-8D8002B65CB4.ref@yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In the statement:
lim = round_page(va);
later below in moea_sync_icache, it uses:
#define round_page(x) (((x) + PAGE_MASK) & ~PAGE_MASK)
So, for PAGE_MASK==(4096u-1u) the statement translates
to, in essence (the u's are conceptual here):
lim = ((va)+4095u) & ~4095u;
That means that if va%4096u==0 then teh result
is lim==va .
In turn, that means that:
len = MIN(lim - va, sz);
results in len==0.
That in turn means that:
sz -= len;
does not change sz.
Overall result: the loop tesing sz>0 does not
terminate.
I expect that is why the kyua test:
sys/vm/mlock_test:mlock__copy_on_write_vnode :
is failing.
The code in question:
static void
moea_sync_icache(mmu_t mmu, pmap_t pm, vm_offset_t va, vm_size_t sz)
{
struct pvo_entry *pvo;
vm_offset_t lim;
vm_paddr_t pa;
vm_size_t len;
PMAP_LOCK(pm);
while (sz > 0) {
lim = round_page(va);
len = MIN(lim - va, sz);
pvo = moea_pvo_find_va(pm, va & ~ADDR_POFF, NULL);
if (pvo != NULL) {
pa = (pvo->pvo_pte.pte.pte_lo & PTE_RPGN) |
(va & ADDR_POFF);
moea_syncicache(pa, len);
}
va += len;
sz -= len;
}
PMAP_UNLOCK(pm);
}
===
Mark Millard
marklmi at yahoo.com
( dsl-only.net went
away in early 2018-Mar)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?022334D3-B60E-440F-A514-8D8002B65CB4>