Changeset 81d3612 in mainline

Timestamp:

2021-09-03T17:44:29Z (3 years ago)

Author:

Martin Decky <martin@…>

Branches:

master, serial, ticket/834-toolchain-update, topic/msim-upgrade, topic/simplify-dev-export

Children:

3c3657c

Parents:

400a16d

Message:

Fix memory corruption caused by merging zones

Originally, the frames in the gap between the two merged zones has not
been marked as unavailable. This caused allocation requests to
potentially land in this gap and thus to memory corruption. Now the
frames in the gap are properly marked.

Use a dedicated function zone_mark_available() to mark old
configuration frames after merging as available. Since the
configuration frames are either marked using zone_mark_unavailable()
(for the original zones created according to the physical memory map)
or the busy count of the configuration frames is explicitly extracted
during the merging, the use of zone_frame_free() caused underflow of
the busy counter.

Add a few useful assertions.

File:

• kernel/generic/src/mm/frame.c (modified) (7 diffs)

kernel/generic/src/mm/frame.c

@@ -370 +370 @@
 {
         assert(zone->flags & ZONE_AVAILABLE);
+        assert(zone->free_count >= count);
 
         /* Allocate frames from zone */
@@ -410 +411 @@
 
         frame_t *frame = zone_get_frame(zone, index);
-
         assert(frame->refcount > 0);
 
         if (!--frame->refcount) {
+                assert(zone->busy_count > 0);
+
                 bitmap_set(&zone->bitmap, index, 0);
 
@@ -432 +434 @@
 
         frame_t *frame = zone_get_frame(zone, index);
+        assert(frame->refcount <= 1);
+
         if (frame->refcount > 0)
                 return;
 
+        assert(zone->free_count > 0);
+
         frame->refcount = 1;
         bitmap_set_range(&zone->bitmap, index, 1);
@@ -440 +446 @@
         zone->free_count--;
         reserve_force_alloc(1);
+}
+
+/** Mark frame in zone available to allocation. */
+_NO_TRACE static void zone_mark_available(zone_t *zone, size_t index)
+{
+        assert(zone->flags & ZONE_AVAILABLE);
+
+        frame_t *frame = zone_get_frame(zone, index);
+        assert(frame->refcount == 1);
+
+        frame->refcount = 0;
+        bitmap_set_range(&zone->bitmap, index, 0);
+
+        zone->free_count++;
 }
 
@@ -465 +485 @@
         /* Difference between zone bases */
         pfn_t base_diff = zones.info[z2].base - zones.info[z1].base;
+        pfn_t gap = base_diff - zones.info[z1].count;
 
         zones.info[z1].count = base_diff + zones.info[z2].count;
@@ -492 +513 @@
                     zones.info[z2].frames[i];
         }
+
+        /*
+         * Mark the gap between the original zones as unavailable.
+         */
+
+        for (size_t i = 0; i < gap; i++) {
+                zone_mark_unavailable(&zones.info[z1], old_z1->count + i);
+        }
 }
 
@@ -518 +547 @@
 
         for (size_t i = 0; i < cframes; i++)
-                (void) zone_frame_free(&zones.info[znum],
+                zone_mark_available(&zones.info[znum],
                     pfn - zones.info[znum].base + i);
 }