Author: kib
Date: Tue Mar 20 16:17:55 2018
New Revision: 331247
URL: https://svnweb.freebsd.org/changeset/base/331247

Log:
  Check for wrap-around in vm_phys_alloc_seg_contig().

  It is possible to provide insane values for size in a contigmalloc(9)
  request, which usually does not reach the phys allocator due to failing
  KVA allocation. But with the forthcoming 4/4 i386, where 32bit
  architecture has almost 4G KVA, contigmalloc(1G) is not unreasonable
  outright and KVA might be available sometimes. Then, the calculation of
  pa_end could wrap around, depending on the physical address, and the
  checks in vm_phys_alloc_seg_contig() would pass while the iteration in
  the loop after the 'done' label goes out of the vm_page_array bounds.

  Fix it by detecting the wrap.

  Reported and tested by: pho
  Reviewed by: alc, markj
  Sponsored by: The FreeBSD Foundation
  MFC after: 1 week
  Differential revision: https://reviews.freebsd.org/D14767

Modified: head/sys/vm/vm_phys.c
==============================================================================
--- head/sys/vm/vm_phys.c Tue Mar 20 15:57:52 2018 (r331246) +++ head/sys/vm/vm_phys.c Tue Mar 20 16:17:55 2018 (r331247) @@ -1189,6 +1189,8 @@ vm_phys_alloc_seg_contig(struct vm_phys_seg *seg, u_lo */ pa = VM_PAGE_TO_PHYS(m_ret); pa_end = pa + size; + if (pa_end < pa) + continue; for (;;) { pa += 1 << (PAGE_SHIFT + VM_NFREEORDER - 1);
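
Review bot: the added test if (pa_end < pa) directly after pa_end = pa + size; carries no comment, and nothing in the hunk itself says why a wrapped sum matters at this point. A one-line comment above the test, noting that a wrapped pa_end would satisfy the later range checks and let the page walk leave vm_page_array, would keep it from being dropped later as an apparently dead comparison. The comparison also only detects the wrap if pa and pa_end are unsigned, which these lines do not show, so that is worth confirming against the declarations.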
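
A simplified model of the wrap described in the log, added here as an example; it is not FreeBSD code. The paddr_t type, struct seg, the function names and all address values are constructed assumptions; only the pa_end < pa test is taken from the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: physical addresses are 32 bits wide. */
typedef uint32_t paddr_t;

/* Constructed segment [start, end); not values from any real machine. */
struct seg { paddr_t start, end; };
static const struct seg demo_seg = { 0x00100000u, 0xF0000000u };

/* Range check that trusts pa + size, as before the fix. */
static bool fits_unchecked(const struct seg *s, paddr_t pa, paddr_t size)
{
    paddr_t pa_end = pa + size;          /* computed modulo 2^32 */
    return pa >= s->start && pa_end <= s->end;
}

/* Same check with the wrap test from the patch placed first. */
static bool fits_checked(const struct seg *s, paddr_t pa, paddr_t size)
{
    paddr_t pa_end = pa + size;
    if (pa_end < pa)                     /* sum wrapped: reject candidate */
        return false;
    return pa >= s->start && pa_end <= s->end;
}

/* Bytes of [pa, pa + size) beyond the segment end, in 64-bit math. */
static uint64_t overrun_bytes(const struct seg *s, paddr_t pa, paddr_t size)
{
    uint64_t true_end = (uint64_t)pa + size;
    return true_end > s->end ? true_end - s->end : 0;
}

int main(void)
{
    paddr_t pa = 0xE0000000u, size = 0x40000000u;   /* 1G request */

    printf("unchecked accepts: %d\n", fits_unchecked(&demo_seg, pa, size));
    printf("checked accepts:   %d\n", fits_checked(&demo_seg, pa, size));
    printf("overrun bytes:     0x%llx\n",
        (unsigned long long)overrun_bytes(&demo_seg, pa, size));
    return 0;
}
```

With these constructed values the unchecked variant accepts a range that really ends 0x30000000 bytes past the segment, which is the state in which a later walk over the range would index outside its backing array.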