Date: Mon, 13 Feb 2023 21:22:05 GMT
Message-Id: <202302132122.31DLM5qS083271@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: John Baldwin
Subject: git: 18bb97b76b26 - main - arm64 pmap: Fix a buffer overrun initializing per-superpage locks.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=18bb97b76b269f38407b5c48d53ceaf6447450f1

commit 18bb97b76b269f38407b5c48d53ceaf6447450f1
Author:     John Baldwin
AuthorDate: 2023-02-13 21:19:03 +0000
Commit:     John Baldwin
CommitDate: 2023-02-13 21:19:03 +0000

    arm64 pmap: Fix a buffer overrun initializing per-superpage locks.

    pmap_init_pv_table makes a first pass over the memory segments to
    compute the amount of address space needed to allocate per-superpage
    locks. It then makes a second pass over each segment allocating
    domain-local memory to back the pages for the locks belonging to each
    segment. This second pass rounds each segment's allocation up to a
    page size since the domain-local allocation has to be a multiple of
    pages. However, the first pass was only doing a single round of the
    total page counts up at the end not accounting for the padding present
    in each segment.

    To fix, apply the rounding in each segment in the first pass instead
    of just at the end.

    While here, tidy the second pass a bit by trimming some
    not-quite-right logic copied from amd64. In particular, compute pages
    directly at the start of the loop iteration to more closely match the
    first loop.
    Then, drop an always-false condition as 'end' was computed as
    'start + pages' where 'start == highest + 1'. Thus, the actual
    condition being tested was 'if (highest >= highest + 1 + pages)'.
    Finally, remove 'highest' entirely by keeping the result of the 'pvd'
    increment in the existing loop.

    Reported by:    CHERI (overflow)
    Reviewed by:    markj
    Sponsored by:   DARPA
    Differential Revision: https://reviews.freebsd.org/D38377
---
 sys/arm64/arm64/pmap.c | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c index 7e2a423025ec..357584e22875 100644 --- a/sys/arm64/arm64/pmap.c +++ b/sys/arm64/arm64/pmap.c @@ -1347,7 +1347,6 @@ pmap_init_pv_table(void) struct vm_phys_seg *seg, *next_seg; struct pmap_large_md_page *pvd; vm_size_t s; - long start, end, highest, pv_npg; int domain, i, j, pages; /* @@ -1360,14 +1359,13 @@ pmap_init_pv_table(void) /* * Calculate the size of the array. */ - pv_npg = 0; + s = 0; for (i = 0; i < vm_phys_nsegs; i++) { seg = &vm_phys_segs[i]; - pv_npg += pmap_l2_pindex(roundup2(seg->end, L2_SIZE)) - + pages = pmap_l2_pindex(roundup2(seg->end, L2_SIZE)) - pmap_l2_pindex(seg->start); + s += round_page(pages * sizeof(*pvd)); } - s = (vm_size_t)pv_npg * sizeof(struct pmap_large_md_page); - s = round_page(s); pv_table = (struct pmap_large_md_page *)kva_alloc(s); if (pv_table == NULL) panic("%s: kva_alloc failed\n", __func__); 
@@ -1376,23 +1374,14 @@ pmap_init_pv_table(void) * Iterate physical segments to allocate domain-local memory for PV * list headers. */ - highest = -1; - s = 0; + pvd = pv_table; for (i = 0; i < vm_phys_nsegs; i++) { seg = &vm_phys_segs[i]; - start = highest + 1; - end = start + pmap_l2_pindex(roundup2(seg->end, L2_SIZE)) - + pages = pmap_l2_pindex(roundup2(seg->end, L2_SIZE)) - pmap_l2_pindex(seg->start); domain = seg->domain; - if (highest >= end) - continue; - - pvd = &pv_table[start]; - - pages = end - start + 1; s = round_page(pages * sizeof(*pvd)); - highest = start + (s / sizeof(*pvd)) - 1; for (j = 0; j < s; j += PAGE_SIZE) { vm_page_t m = vm_page_alloc_noobj_domain(domain,
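Review bot: The comment above the sizing loop in the @@ -1360 hunk still says only "Calculate the size of the array." and should now state that each segment's share is padded to a whole page, because the overrun fixed here came from this loop and the allocation loop disagreeing on exactly that. The expression `pmap_l2_pindex(roundup2(seg->end, L2_SIZE)) - pmap_l2_pindex(seg->start)` followed by `round_page(pages * sizeof(*pvd))` now appears identically in both loops; a small static helper returning the per-segment byte count would keep the two passes from drifting apart again.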
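Review bot: The allocation loop in the @@ -1376 hunk reuses `s` for the per-segment size, which overwrites the total that was passed to `kva_alloc(s)`, so nothing can check that the walk starting at `pvd = pv_table` stays inside the reservation. Keeping the total in its own variable and asserting for each segment that `(char *)pvd + s` does not pass `(char *)pv_table + total` would turn any future mismatch between the two passes into an assertion failure at initialization rather than a write past the end of the table.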
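The sizing mismatch the commit message describes, modelled as a small user-space program. This is an added example, not code from the FreeBSD tree or from the commit author; the page size, entry size, segment counts and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed values for illustration, not taken from the FreeBSD source. */
#define PAGE_SZ  4096u  /* assumed page size */
#define ENTRY_SZ 64u    /* assumed size of one per-superpage entry */

/* Constructed segments: number of superpage entries each one needs. */
static const size_t sample_segs[] = { 10, 70, 3 };

static size_t round_page_sz(size_t n)
{
	return ((n + PAGE_SZ - 1) / PAGE_SZ * PAGE_SZ);
}

/* First pass before the fix: sum all entries, round once at the end. */
size_t reserve_round_once(const size_t *entries, size_t nsegs)
{
	size_t total = 0;
	for (size_t i = 0; i < nsegs; i++)
		total += entries[i];
	return (round_page_sz(total * ENTRY_SZ));
}

/* First pass after the fix: round every segment's share to a page. */
size_t reserve_round_each(const size_t *entries, size_t nsegs)
{
	size_t s = 0;
	for (size_t i = 0; i < nsegs; i++)
		s += round_page_sz(entries[i] * ENTRY_SZ);
	return (s);
}

/* Second pass: one page-rounded chunk per segment; bytes past `reserved`. */
size_t overrun_bytes(const size_t *entries, size_t nsegs, size_t reserved)
{
	size_t used = reserve_round_each(entries, nsegs);
	return (used > reserved ? used - reserved : 0);
}

int main(void)
{
	size_t n = sizeof(sample_segs) / sizeof(sample_segs[0]);
	size_t before = reserve_round_once(sample_segs, n);
	size_t after = reserve_round_each(sample_segs, n);
	printf("round once: %zu reserved, %zu overrun\n", before, overrun_bytes(sample_segs, n, before));
	printf("round each: %zu reserved, %zu overrun\n", after, overrun_bytes(sample_segs, n, after));
	return (0);
}
```

With these constructed inputs the single rounding reserves two pages while the per-segment pass consumes four, so the gap grows with the number of segments whose share is not a whole number of pages.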