Date: Wed, 17 Dec 1997 11:29:36 +1030
From: Mike Smith <mike@smith.net.au>
To: dg@root.com
Cc: cvs-committers@freebsd.org, cvs-all@freebsd.org, cvs-sys@freebsd.org
Subject: Re: cvs commit: src/sys/kern kern_exec.c
Message-ID: <199712170059.LAA00763@word.smith.net.au>
In-Reply-To: Your message of "Tue, 16 Dec 1997 08:22:17 -0800." <199712161622.IAA08136@implode.root.com>

> >   Fix bug where a struct buf was free()'d back to the system malloc pool.
> >   Quite amazing that the system runs at all with this bug. Also present in
> >   2.2.5. The bug appears to have come in with changes in rev 1.53.
> >
> >   PR:           might fix PR#5313
> >   Submitted by: bde
> >
> >   Revision  Changes    Path
> >   1.70      +3 -4      src/sys/kern/kern_exec.c
>
>    This log message is somewhat wrong. It's not the struct buf that was
> being free()'d, but rather the buffer mapping/target of the struct buf (the
> filesystem data). A serious bug nonetheless, and I can hardly imagine what
> this might do to the system.

Just reading things through; did you actually have any symptomatic
evidence that indicated that this was occurring on a regular basis?
I'd have expected to see a lot of people complaining about the
"panic: multiple frees" in free() if it was, as the free rate would be
outstripping the allocation rate for M_TEMP.

It looks as though you need some moderately obscure failure cases for
this to pop up; bread() not allocating bp, or the interpreter search
failing; ie. a case where brelse() is called on bp but imgp->img_header
is not set to NULL before arriving at exec_fail_dealloc.

mike
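
The failure case described in the message above, as a userland model added here for illustration; it is not the FreeBSD kernel code or the committed change. The tracking pool, the `model_*` names and the structure layouts are assumptions; only `brelse`, `img_header`, `M_TEMP` and the cleanup-path idea come from the thread.

```c
#include <stddef.h>
#include <stdlib.h>

/* Toy stand-in for the M_TEMP malloc pool: it remembers what it handed out. */
#define POOL_SLOTS 8
static void *pool_live[POOL_SLOTS];
static int foreign_frees;   /* frees of memory this pool never allocated */

static void *pool_alloc(size_t n) {
    for (int i = 0; i < POOL_SLOTS; i++)
        if (pool_live[i] == NULL) return pool_live[i] = malloc(n);
    return NULL;
}

static void pool_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < POOL_SLOTS; i++)
        if (pool_live[i] == p) { pool_live[i] = NULL; free(p); return; }
    foreign_frees++;        /* a real allocator would corrupt state or panic */
}

/* Hypothetical buffer: its data belongs to the buffer cache, not the pool. */
struct model_buf   { char data[64]; int held; };
struct model_image { char *img_header; struct model_buf *bp; };

static void model_brelse(struct model_buf *bp) { bp->held = 0; }

/* Cleanup path: hands img_header to the pool whenever it is non-NULL. */
static void model_fail_dealloc(struct model_image *imgp) {
    pool_free(imgp->img_header);
    imgp->img_header = NULL;
}

/* One failed exec attempt; returns how many foreign frees the pool saw. */
int model_exec_fail(int clear_after_brelse) {
    static struct model_buf cache_buf;
    struct model_image img = { NULL, &cache_buf };
    void *tmp = pool_alloc(32);        /* a legitimate pool allocation */

    foreign_frees = 0;
    cache_buf.held = 1;
    img.img_header = cache_buf.data;   /* header aliases buffer-cache data */
    model_brelse(img.bp);              /* buffer is returned to the cache */
    if (clear_after_brelse)
        img.img_header = NULL;         /* the step the failure path depends on */
    model_fail_dealloc(&img);
    pool_free(tmp);                    /* owned by the pool: not counted */
    return foreign_frees;
}
```
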