Should page allocator zero the pages for UMA?
Sebastian Huber
sebastian.huber at embedded-brains.de
Tue Nov 8 14:33:35 UTC 2016
Hello,
we use the FreeBSD network, USB and SD/MMC card stacks for the real-time
operating system RTEMS:
https://git.rtems.org/rtems-libbsd
I am currently updating from FreeBSD 9.3 to head. We use the UMA from FreeBSD
with a custom page allocator:
https://git.rtems.org/rtems-libbsd/tree/rtemsbsd/rtems/rtems-kernel-page.c
The FreeBSD 9.3 based port worked well with uninitialized pages, e.g.
random or previous content. However, after the update to head I had to
zero-initialize the pages. One issue was an incomplete
struct inpcb {
        [...]
        struct inpcbport *inp_phd;      /* (i/h) head of this list */
#define inp_zero_size offsetof(struct inpcb, inp_gencnt)
        inp_gen_t       inp_gencnt;     /* (c) generation count */
        struct llentry  *inp_lle;       /* cached L2 information */
        struct rwlock   inp_lock;
        rt_gen_t        inp_rt_cookie;  /* generation for route entry */
        union {                         /* cached L3 information */
                struct route inpu_route;
                struct route_in6 inpu_route6;
        } inp_rtu;
#define inp_route       inp_rtu.inpu_route
#define inp_route6      inp_rtu.inpu_route6
};
initialization. The initialization consists of two parts:
static int
udp_inpcb_init(void *mem, int size, int flags)
{
        struct inpcb *inp;

        inp = mem;
        INP_LOCK_INIT(inp, "inp", "udpinp");
        return (0);
}
/*
 * Allocate a PCB and associate it with the socket.
 * On success return with the PCB locked.
 */
int
in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
{
        struct inpcb *inp;
        int error;

#ifdef INVARIANTS
        if (pcbinfo == &V_tcbinfo) {
                INP_INFO_RLOCK_ASSERT(pcbinfo);
        } else {
                INP_INFO_WLOCK_ASSERT(pcbinfo);
        }
#endif
        error = 0;
        inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT);
        if (inp == NULL)
                return (ENOBUFS);
        bzero(inp, inp_zero_size);
        inp->inp_pcbinfo = pcbinfo;
        inp->inp_socket = so;
        inp->inp_cred = crhold(so->so_cred);
        inp->inp_inc.inc_fibnum = so->so_fibnum;
        [...]
This leaves at least inp_route uninitialized, leading to a crash during
destruction, e.g.

        if (inp->inp_route.ro_rt) {
                RTFREE(inp->inp_route.ro_rt);
                inp->inp_route.ro_rt = (struct rtentry *)NULL;
        }
uses uninitialized data.
Did something in the page allocator change between FreeBSD 9.3 and
trunk, so that pages are now zero-initialized, or is this a bug in
udp_inpcb_init()?
--
Sebastian Huber, embedded brains GmbH
Address : Dornierstr. 4, D-82178 Puchheim, Germany
Phone : +49 89 189 47 41-16
Fax : +49 89 189 47 41-09
E-Mail : sebastian.huber at embedded-brains.de
PGP : Public key available on request.
This message is not a business communication within the meaning of the EHUG.
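The failure mode described in the message, reproduced in user space as an added illustration (this is not code from the post, from RTEMS or from FreeBSD): a toy zone whose backing page allocator hands back non-zeroed memory, a zone init hook that only sets up the lock (the shape of udp_inpcb_init()), and an allocation path that, like the in_pcballoc() excerpt, zeroes only the leading part of the object up to an offsetof() boundary. The cached route pointer past that boundary keeps whatever the page allocator left there, and the destruction path then acts on garbage. The second init hook shows one way out, zeroing the cached route in the zone init. All struct, function and macro names below (toy_pcb, toy_zalloc, toy_pcballoc, POISON, and so on) are hypothetical stand-ins chosen for this example.

```c
/*
 * Added example, not from the post or FreeBSD. Every identifier here is
 * hypothetical; only the shape (partial bzero up to an offsetof() mark,
 * an init hook that touches only the lock) mirrors the excerpts above.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical route entry and PCB, modelled on the excerpt's layout. */
struct toy_rtentry { int refcnt; };
struct toy_route   { struct toy_rtentry *ro_rt; };

struct toy_pcb {
        void            *pcb_socket;    /* zeroed by toy_pcballoc() */
        int             pcb_fibnum;     /* zeroed by toy_pcballoc() */
#define TOY_ZERO_SIZE offsetof(struct toy_pcb, pcb_gencnt)
        uint64_t        pcb_gencnt;     /* NOT zeroed, like inp_gencnt on */
        int             pcb_lock;       /* set up by the zone init hook */
        struct toy_route pcb_route;     /* cached L3 info, like inp_route */
};

/* Toy page allocator: fills fresh memory with a poison byte to emulate a
 * page allocator that returns random or previous content. */
#define POISON 0xA5
static void *toy_page_alloc(size_t sz)
{
        void *p = malloc(sz);
        if (p != NULL)
                memset(p, POISON, sz);
        return (p);
}

/* Zone init hooks: the first mirrors udp_inpcb_init() (lock only), the
 * second also clears the cached route that the allocation path skips.
 * In this toy the hook runs on every allocation. */
typedef int (*toy_init_fn)(void *mem, int size);

static int toy_init_lock_only(void *mem, int size)
{
        (void)size;
        ((struct toy_pcb *)mem)->pcb_lock = 1;
        return (0);
}

static int toy_init_lock_and_route(void *mem, int size)
{
        struct toy_pcb *pcb = mem;
        (void)size;
        pcb->pcb_lock = 1;
        memset(&pcb->pcb_route, 0, sizeof(pcb->pcb_route));
        return (0);
}

/* Toy uma_zalloc(): page-backed allocation followed by the init hook. */
static struct toy_pcb *toy_zalloc(toy_init_fn init)
{
        struct toy_pcb *pcb = toy_page_alloc(sizeof(*pcb));
        if (pcb == NULL)
                return (NULL);
        if (init(pcb, (int)sizeof(*pcb)) != 0) {
                free(pcb);
                return (NULL);
        }
        return (pcb);
}

/* Mirrors in_pcballoc(): only bytes before pcb_gencnt are zeroed. */
static struct toy_pcb *toy_pcballoc(toy_init_fn init)
{
        struct toy_pcb *pcb = toy_zalloc(init);
        if (pcb == NULL)
                return (NULL);
        memset(pcb, 0, TOY_ZERO_SIZE);
        return (pcb);
}

/* Mirrors the destruction path. Returns 1 if the route pointer held
 * leftover page content (the kernel would RTFREE() garbage here). */
static int toy_pcbfree_check(struct toy_pcb *pcb)
{
        int stale = 0;
        if (pcb->pcb_route.ro_rt != NULL) {
                uintptr_t v = (uintptr_t)pcb->pcb_route.ro_rt;
                stale = ((v & 0xff) == POISON);
                pcb->pcb_route.ro_rt = NULL;
        }
        free(pcb);
        return (stale);
}

/* Runs the scenario; returns 1 if the cached route was stale at free. */
int route_is_stale_with(int zero_route_in_init)
{
        struct toy_pcb *pcb = toy_pcballoc(zero_route_in_init ?
            toy_init_lock_and_route : toy_init_lock_only);
        if (pcb == NULL)
                return (-1);
        return (toy_pcbfree_check(pcb));
}

int main(void)
{
        printf("lock-only init:        route stale = %d\n",
            route_is_stale_with(0));
        printf("init also zeroes route: route stale = %d\n",
            route_is_stale_with(1));
        return (0);
}
```

The point of the toy is that zeroing up to an offsetof() mark is only safe if every field past the mark is either written by the zone init hook or explicitly initialized by the allocation path; a page allocator that happens to hand out zeroed pages merely hides the gap.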