MFC r280957

  Fix integer truncation bug in malloc(9)

  A couple of internal functions used by malloc(9) and uma truncated
  a size_t down to an int.  This could cause any number of issues
  (e.g. indefinite sleeps, memory corruption) if any kernel
  subsystem tried to allocate 2GB or more through malloc.  zfs would
  attempt such an allocation when run on a system with 2TB or more
  of RAM.

1 files changed, 3 insertions, 2 deletions

diff --git a/sys/i386/i386/pmap.c b/sys/i386/i386/pmap.c
index 540eb65..299ee77 100644
--- a/sys/i386/i386/pmap.c
+++ b/sys/i386/i386/pmap.c
@@ -352,7 +352,8 @@ static pt_entry_t *pmap_pte_quick(pmap_t pmap, vm_offset_t va);
 static void pmap_pte_release(pt_entry_t *pte);
 static int pmap_unuse_pt(pmap_t, vm_offset_t, struct spglist *);
 #if defined(PAE) || defined(PAE_TABLES)
-static void *pmap_pdpt_allocf(uma_zone_t zone, int bytes, u_int8_t *flags, int wait);
+static void *pmap_pdpt_allocf(uma_zone_t zone, vm_size_t bytes, uint8_t *flags,
+    int wait);
 #endif
 static void pmap_set_pg(void);
 
@@ -670,7 +671,7 @@ pmap_page_init(vm_page_t m)
 
 #if defined(PAE) || defined(PAE_TABLES)
 static void *
-pmap_pdpt_allocf(uma_zone_t zone, int bytes, u_int8_t *flags, int wait)
+pmap_pdpt_allocf(uma_zone_t zone, vm_size_t bytes, uint8_t *flags, int wait)
 {
 
 	/* Inform UMA that this allocator uses kernel_map/object. */