git: 517c5854588e - main - vm_phys: Make sure that vm_phys_enq_chunk() stays in bounds
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 14 Jun 2024 19:55:28 UTC
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=517c5854588eaa7c2248d97cd750b8b8bad9d69f commit 517c5854588eaa7c2248d97cd750b8b8bad9d69f Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-06-14 14:45:02 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-06-14 19:55:02 +0000 vm_phys: Make sure that vm_phys_enq_chunk() stays in bounds vm_phys_enq_chunk() inserts a run of pages into the buddy queues. When lazy initialization is enabled, only the first page of each run is initialized; vm_phys_enq_chunk() thus initializes the page following the just-inserted run. This fails to account for the possibility that the page following the run doesn't belong to the segment. Handle that in vm_phys_enq_chunk(). Reported by: KASAN Reported by: syzbot+1097ef4cee8dfb240e31@syzkaller.appspotmail.com Fixes: b16b4c22d2d1 ("vm_page: Implement lazy page initialization") --- sys/vm/vm_phys.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/sys/vm/vm_phys.c b/sys/vm/vm_phys.c index 53e58283eb9f..59ab7d13c55d 100644 --- a/sys/vm/vm_phys.c +++ b/sys/vm/vm_phys.c @@ -711,12 +711,16 @@ vm_phys_enq_chunk(struct vm_freelist *fl, vm_page_t m, int order, int tail) #ifdef VM_FREEPOOL_LAZYINIT if (__predict_false(m->pool == VM_FREEPOOL_LAZYINIT)) { vm_page_t m_next; + vm_paddr_t pa; int npages; npages = 1 << order; m_next = m + npages; - vm_page_init_page(m_next, m->phys_addr + ptoa(npages), m->segind, - VM_FREEPOOL_LAZYINIT); + pa = m->phys_addr + ptoa(npages); + if (pa < vm_phys_segs[m->segind].end) { + vm_page_init_page(m_next, pa, m->segind, + VM_FREEPOOL_LAZYINIT); + } } #endif }