From 9ba30bcb421b841fa970fd1206b8ec76e5bedf04 Mon Sep 17 00:00:00 2001 From: Zbigniew Bodek Date: Mon, 10 Aug 2015 17:16:49 +0000 Subject: [PATCH] Avoid sign extension of value passed to kva_alloc from uma_zone_reserve_kva Fixes "panic: vm_radix_reserve_kva: unable to reserve KVA" caused by sign extention of "pages * UMA_SLAB_SIZE" value passed to kva_alloc() which takes unsigned long argument. In the erroneus case that triggered this bug, the number of pages to allocate in uma_zone_reserve_kva() was 0x8ebe6, that gave the total number of bytes to allocate equal to 0x8ebe6000 (int). This was then sign extended in kva_alloc() to 0xffffffff8ebe6000 (unsigned long). Reviewed by: alc, kib Submitted by: Zbigniew Bodek Obtained from: Semihalf Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D3346 --- sys/vm/uma_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/vm/uma_core.c b/sys/vm/uma_core.c index 0437248157e..eb933684ffb 100644 --- a/sys/vm/uma_core.c +++ b/sys/vm/uma_core.c @@ -3126,7 +3126,7 @@ uma_zone_reserve_kva(uma_zone_t zone, int count) { uma_keg_t keg; vm_offset_t kva; - int pages; + u_int pages; keg = zone_first_keg(zone); if (keg == NULL) @@ -3141,7 +3141,7 @@ uma_zone_reserve_kva(uma_zone_t zone, int count) #else if (1) { #endif - kva = kva_alloc(pages * UMA_SLAB_SIZE); + kva = kva_alloc((vm_size_t)pages * UMA_SLAB_SIZE); if (kva == 0) return (0); } else