The buffer may have been freed if its data was added to the queue, but
later the buffer size was still read from the object. A spurious
acknowledge may have been sent, or one would have gone missing,
depending on what happened with the allocation after it was freed.
The call to _MakeSpace() may move the extent data from the indirect
array (kept in a heap allocation) to the direct one kept inside the
class. In that case the lastExtent pointer would become stale and
further use of it would've lead to suboptimal extents in the best case
to reading/writing at the wrong point in files and possibly corruption
of another allocation in the worst (both unlikely though).
To mitigate that we now re-initialize the pointer to the correct location
if we hit the cache limit.
Also made the use of the start variable more understandable. Instaed of
decrementing it (possibly wrapping) when an extent wasn't going to be
used and later adding the vector index again, just increment whenever
we actually move to the next extent.
For bad things to happen a few conditions needed to come together though:
1. There needed to be multiple vectors that could be combined with the
existing last extent.
2. There first needed to be more extents than the cache limit and that
number then had to decrease below the cache limit again.
3. The memory needed to stay intact after being freed up until after the
evaluation (or similar enough data had to be written to it).
At least the last one was guaranteed to not be true anymore since we
re-introduced overwritting freed memory with 0xdeadbeef in the slab,
therefore nastily hiding this. I'm not sure that the first condition is
ever met either (probably the vectors are combined beforehand so that
there never are multiple adjacent ones) at least for the normal use case
(the page writer writing back pages). I was at least unable to reproduce
an actual file corruption in my testing.
Just the out of bounds access to the stale pointer happened rather easily
though and is now at least fixed.
Further in the process the flat argument size is rounded up, but the
actual allocation was done with the unaligned size causing an access
beyond the allocation when later copying the flat arguments. It didn't
do any actual harm as the block sizes of our allocator(s) use elements
that have at least such an alignment.
The device is added to the root devices list when initializing, but was
not removed from there again when the root device was removed and freed,
causing the list to have a stale entry. Probably fixes#3305.
The list is populated once for the _fbsd_init_hardware iteration and, if
a device was found, again for _fbsd_init_drivers. The only thing I don't
understand is why it didn't just always crash, as there should have been
a stale list entry in any case when a supported device actually was found...
This is a very simple heap implementation that allocates memory so that
the end of each allocation always coincides with a page end and is
followed by a guard page which is marked non-present. Out of bounds
access (both read and write) therefore cause a crash (unhandled page
fault).
Note that this allocator is neither speed nor space efficient, indeed it
wastes huge amounts of pages and address space so it is quite easy to
hit limits. It is intended as a pure debug feature.
* Fixes#7986 - behavior of Print command fixed to be consistent
with other application, like StyledEdit. This change
display the print job settings dialog instead of "Printing
was cancelled" alert;
* Fixes#6998 - the path to storing windows settings changed from
~/config/settings/Terminal_windows to ~/c/s/Terminal/Windows;
This patch was created during GCI 2011 by doctorkohaku.
Thanks for the contribution!
This adds a pair of functions vm_prepare_kernel_area_debug_protection()
and vm_set_kernel_area_debug_protection() to set a kernel area up for
page wise protection and to actually protect individual pages
respectively.
It was already possible to read and write protect full areas via area
protection flags and not mapping any actual pages. For areas that
actually have mapped pages this doesn't work however as no fault, at
which the permissions could be checked, is generated on access.
These new functions use the debug helpers of the translation map to mark
individual pages as non-present without unmapping them. This allows them
to be "protected", i.e. causing a fault on read and write access. As they
aren't actually unmapped they can later be marked present again.
Note that these are debug helpers and have quite a few restrictions as
described in the comment above the function and is only useful for some
very specific and constrained use cases.
They can be used to mark pages as present/non-present without actually
unmapping them. Marking pages as non-present causes every access to
fault. We can use that for debugging as it allows us to "read protect"
individual kernel pages.
* rename encoder_isexternal to encoder_is_external
* add encoder_is_dp_bridge call for special DP cases
* add initial get_dp_link_clock, hard code a guess for now
* take external DP encoders into consideration when making
pixel clock adjustments
The change to this initial index for safemode was brought in with the
flat import of the package manager branch in 323b654 where presumably
more paths were used. With this value selecting either just safe mode
or disable user add-ons would lead to no input_server add-ons being
loaded at all, leading to a system without input.
Once again, the BObjectList removal behaviour leads to a null dereference. It's my fault of course, but there you have it. Comments have been included for future devs.
* instead of in /boot/home/config/settings/be, the compatibility
link has to live directly in the config folder, as otherwise
it doesn't help compatibility-wise at all ;-)
* Apply reworked version of the patch from "RQ" in #8156 that adds a "live in the deskbar" menu item.
* Also added a "Remove replicant" menu item for the replicant case.
Package management will move the directory from common/etc to
common/settings/etc. The kernel side change that sets up the etc symlink
in the rootfs was already commited, everything still installs into the
old dir however. This symlink makes things that depend on /etc work for
now and can be removed once the files aren't populated to the old place
anymore.
* The about-like screen saver info has bold styling of heading part
of the information string string. Localizing this string has
provoked partial styling and visual "corruption-looking" glitches.
Getting the object slab does a hash lookup which needs to be protected
by the cache lock. Otherwise the hash table may be resized or otherwise
modified while we do the lookup, leading to errors.
