Bogus malloc in zfsboot.c?

Matt Reimer mattjreimer at gmail.com
Thu Oct 29 23:12:01 UTC 2009


On Thu, Oct 29, 2009 at 12:07 PM, Matt Reimer <mattjreimer at gmail.com> wrote:
> I'm trying to debug why I suddenly can't boot an amd64 machine off a
> raidz2 pool, after using freebsd-update to go from -rc1 to rc2. I'm
> getting an error, "ZFS: out of temporary buffer space."
>
> Is zfsboot.c's malloc really correct in the way it sets up its heap?
>
>    heap_next = (char *) dmadat + sizeof(*dmadat);
>    heap_end = (char *) (640*1024);
>
> If I'm reading the code correctly, it assumes that dmadat is the last
> item in bss, and that it can use all the memory from the end of dmadat
> to 640KB.
>
> But dmadat is not the last item in bss, as zfsimpl.c gets included and
> it defines its own variables that end up in bss, with the result that
> malloc could overwrite ZFS variables.
>
> Am I reading this correctly?

Probably not; I missed this:

    dmadat = (void *)(roundup2(__base + (int32_t)&_end, 0x10000) - __base);

Matt
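
The heap setup quoted above, modeled as a small C program. This is an added example, not code from zfsboot.c or from the post: addresses are simulated as 32-bit offsets relative to an assumed __base, and the values fed in (the __base of 0x20000, an end-of-bss offset of 0x9a40, a 16 KiB stand-in for sizeof(*dmadat)) are constructed; roundup2 is reimplemented with the same shape as the sys/param.h macro rather than included. It shows why the 64 KiB rounding places dmadat, and hence heap_next, at or above _end regardless of what zfsimpl.c adds to bss, how much of the 640 KiB window is left for malloc after that rounding, and the exhausted case in which a bump allocator of this shape has to fail.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added model of the zfsboot heap setup; not zfsboot.c itself.
 * Addresses are 32-bit offsets relative to an assumed __base. Only the
 * three assignments quoted in the thread are reproduced; the values fed
 * to them (__base, &_end, sizeof(*dmadat)) are constructed.
 */

/* Same shape as the sys/param.h macro; y must be a power of two. */
#define roundup2(x, y)  (((x) + ((y) - 1)) & ~((y) - 1))

#define LOW_MEM_END    (640u * 1024u)   /* heap_end = (char *)(640*1024) */
#define DMADAT_ALIGN   0x10000u         /* roundup2(..., 0x10000) */

struct heap {
    uint32_t base;      /* stands in for __base */
    uint32_t bss_end;   /* stands in for (int32_t)&_end, relative to base */
    uint32_t dmadat;    /* where dmadat lands, relative to base */
    uint32_t next;      /* heap_next */
    uint32_t end;       /* heap_end */
};

/* dmadat = (void *)(roundup2(__base + (int32_t)&_end, 0x10000) - __base); */
uint32_t dmadat_offset(uint32_t base, uint32_t bss_end)
{
    return roundup2(base + bss_end, DMADAT_ALIGN) - base;
}

void heap_init(struct heap *h, uint32_t base, uint32_t bss_end, uint32_t dmadat_size)
{
    h->base = base;
    h->bss_end = bss_end;
    h->dmadat = dmadat_offset(base, bss_end);
    /* heap_next = (char *) dmadat + sizeof(*dmadat); */
    h->next = h->dmadat + dmadat_size;
    /* heap_end = (char *) (640*1024); */
    h->end = LOW_MEM_END;
}

/* Bytes still available; 0 if dmadat itself already spilled past 640 KiB. */
uint32_t heap_free(const struct heap *h)
{
    return h->next < h->end ? h->end - h->next : 0;
}

/* Bump allocation: returns the offset handed out, 0 when exhausted. */
uint32_t heap_alloc(struct heap *h, uint32_t n)
{
    if (n == 0 || n > heap_free(h))
        return 0;
    uint32_t p = h->next;
    h->next += n;
    return p;
}

/* Nothing malloc hands out can alias bss if dmadat sits at or past _end. */
int heap_clear_of_bss(const struct heap *h)
{
    return h->dmadat >= h->bss_end;
}

/* Allocate fixed chunks until failure; returns the total handed out. */
uint32_t heap_drain(struct heap *h, uint32_t chunk)
{
    uint32_t total = 0;
    while (heap_alloc(h, chunk) != 0)
        total += chunk;
    return total;
}

int main(void)
{
    struct heap h;
    /* Constructed: image at 128 KiB, bss ends at 0x9a40, 16 KiB dmadat. */
    heap_init(&h, 0x20000u, 0x9a40u, 0x4000u);
    printf("bss_end=0x%x dmadat=0x%x heap_next=0x%x heap_end=0x%x free=%u clear=%d\n",
           h.bss_end, h.dmadat, h.next, h.end, heap_free(&h), heap_clear_of_bss(&h));
    printf("drained %u bytes in 4 KiB chunks; next alloc returns 0x%x\n",
           heap_drain(&h, 4096), heap_alloc(&h, 1));
    return 0;
}
```

The rounding is what answers the question in the post: dmadat_offset never returns less than bss_end, so growing bss (for instance by including zfsimpl.c) moves the heap up rather than letting it overlap. The cost is that up to 64 KiB of low memory can be lost to padding, and if bss grows far enough that the rounded address reaches 640 KiB, heap_free is already 0 before the first allocation.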


More information about the freebsd-fs mailing list