svn commit: r331247 - head/sys/vm
Konstantin Belousov
kib at FreeBSD.org
Tue Mar 20 16:17:56 UTC 2018
Author: kib
Date: Tue Mar 20 16:17:55 2018
New Revision: 331247
URL: https://svnweb.freebsd.org/changeset/base/331247
Log:
Check for wrap-around in vm_phys_alloc_seg_contig().
It is possible to provide insane values for size in a contigmalloc(9)
request, which usually does not reach the phys allocator due to failing
KVA allocation. But with the forthcoming 4/4 i386, where 32bit
architecture has almost 4G KVA, contigmalloc(1G) is not unreasonable
outright and KVA might be available sometimes.
Then, the calculation of pa_end could wrap around, depending on the
physical address, and the checks in vm_phys_alloc_seg_contig() would
pass while the iteration in the loop after the 'done' label goes out
of the vm_page_array bounds.
Fix it by detecting the wrap.
Reported and tested by: pho
Reviewed by: alc, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D14767
Modified:
head/sys/vm/vm_phys.c
Modified: head/sys/vm/vm_phys.c
==============================================================================
--- head/sys/vm/vm_phys.c Tue Mar 20 15:57:52 2018 (r331246)
+++ head/sys/vm/vm_phys.c Tue Mar 20 16:17:55 2018 (r331247)
@@ -1189,6 +1189,8 @@ vm_phys_alloc_seg_contig(struct vm_phys_seg *seg, u_lo
*/
pa = VM_PAGE_TO_PHYS(m_ret);
pa_end = pa + size;
+ if (pa_end < pa)
+ continue;
for (;;) {
pa += 1 << (PAGE_SHIFT +
VM_NFREEORDER - 1);
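Review bot: the added `if (pa_end < pa) continue;` directly after `pa_end = pa + size;` has no comment of its own, and the comment block that closes just above these lines does not visibly mention overflow. A short comment stating that an oversized `size` can wrap `pa_end`, and that such a candidate must be skipped before the loop below runs, would keep the check from looking redundant to a later reader. The comparison also relies on `pa` and `pa_end` being unsigned, which these lines do not show, and it skips a candidate whose `pa + size` lands exactly on the top of the address type (wrapping to 0), so the comment should say whether rejecting that boundary case is intended.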