[Bug 262894] Kernel Panic (page fault) with 13.1-BETA2 in g_eli & httpd
Date: Mon, 18 Apr 2022 21:58:18 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262894
--- Comment #30 from Alexander Motin <mav@FreeBSD.org> ---
(In reply to Mark Johnston from comment #28)
While it seems like a good catch at first look, I doubt it is exploitable.
The code uses unmapped I/O only if all boundaries within the ABD except the
first and the last are page aligned. The case of "addr & PAGE_MASK is 2048 and
len is 4096" can fit into this only if it is the only chunk in the ABD, but then it
should be a linear buffer, not requiring unmapped I/O. The fitting case of addr &
PAGE_MASK is 2048 and len is 6144 should work fine, producing two pages.
Plus, TrueNAS has for many years used ashift=12, which means all offsets in RAIDZ
and gang blocks should be multiples of 4K and so page-aligned on x86.
But still, just in case, what would you say about this patch:
diff --git a/module/os/freebsd/zfs/vdev_geom.c
b/module/os/freebsd/zfs/vdev_geom.c
index 2ef4811a8..5447eb922 100644
--- a/module/os/freebsd/zfs/vdev_geom.c
+++ b/module/os/freebsd/zfs/vdev_geom.c
@@ -1132,8 +1132,12 @@ vdev_geom_fill_unmap_cb(void *buf, size_t len, void
*priv)
vm_offset_t addr = (vm_offset_t)buf;
vm_offset_t end = addr + len;
- if (bp->bio_ma_n == 0)
+ if (bp->bio_ma_n == 0) {
bp->bio_ma_offset = addr & PAGE_MASK;
+ addr &= ~PAGE_MASK;
+ } else {
+ ASSERT0(P2PHASE(addr, PAGE_SIZE));
+ }
do {
bp->bio_ma[bp->bio_ma_n++] =
PHYS_TO_VM_PAGE(pmap_kextract(addr));
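Review bot: the new else branch only asserts alignment of non-first chunks, and ASSERT0() compiles to nothing in a non-debug build, so a misaligned later chunk would still silently start the page walk from an unaligned address and could under-count pages exactly as the first-chunk case did; if page alignment of intermediate chunk boundaries is a hard precondition of the unmapped path, it would be better enforced (or at least documented in a comment) where the decision to use unmapped I/O is made, since this callback can no longer recover. Also note that `addr &= ~PAGE_MASK;` is correct only because `vm_offset_t end = addr + len;` two lines above is computed from the un-rounded address; a one-line comment stating that ordering dependency would save the next reader from "simplifying" it away.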
--
You are receiving this mail because:
You are the assignee for the bug.
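The page-count argument in the comment above can be checked with a small model of the walk. The following is an added example, not code from the FreeBSD or OpenZFS trees: it counts page-sized steps from addr to end with and without the first-chunk rounding the patch introduces, and compares that with the number of pages the byte range actually touches. The loop tail (`addr += PAGE_SIZE; while (addr < end)`) is an assumption, since the quoted hunk cuts off after the first assignment; `PAGE_SIZE` is taken as 4K, as on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the page walk in vdev_geom_fill_unmap_cb().
 * The real callback stores vm_page_t pointers via
 * PHYS_TO_VM_PAGE(pmap_kextract(addr)); here we only count the steps,
 * which is what bio_ma_n ends up holding. x86 page geometry assumed.
 */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (PAGE_SIZE - 1)

/* Number of distinct pages touched by the byte range [addr, addr + len). */
static unsigned pages_needed(uintptr_t addr, size_t len)
{
    if (len == 0)
        return 0;
    uintptr_t first = addr >> PAGE_SHIFT;
    uintptr_t last  = (addr + len - 1) >> PAGE_SHIFT;
    return (unsigned)(last - first + 1);
}

/*
 * Walk the range as the callback does for its first chunk. With
 * align_first != 0 the start is rounded down to a page boundary before
 * walking (the "addr &= ~PAGE_MASK" line of the patch); with 0 the walk
 * starts at the unaligned address (pre-patch behaviour). The loop
 * continuation condition is assumed, as noted in the lead-in.
 */
static unsigned walk_pages(uintptr_t addr, size_t len, int align_first)
{
    /* end must be computed before rounding, as in the hunk. */
    uintptr_t end = addr + len;
    unsigned ma_n = 0;

    if (align_first)
        addr &= ~PAGE_MASK;
    do {
        ma_n++;                 /* stands in for bio_ma[bio_ma_n++] = ... */
        addr += PAGE_SIZE;
    } while (addr < end);
    return ma_n;
}

int main(void)
{
    /* Constructed cases: the one raised in comment #28, the one mav says
     * yields two pages, and a page-aligned chunk for reference. */
    struct { uintptr_t addr; size_t len; } cases[] = {
        { 0x10000 + 2048, 4096 },
        { 0x10000 + 2048, 6144 },
        { 0x10000,        8192 },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uintptr_t a = cases[i].addr;
        size_t l = cases[i].len;
        printf("off=%lu len=%zu need=%u unaligned_walk=%u aligned_walk=%u\n",
            (unsigned long)(a & PAGE_MASK), l, pages_needed(a, l),
            walk_pages(a, l, 0), walk_pages(a, l, 1));
    }
    return 0;
}
```

For offset 2048 / length 4096 the unaligned walk takes one step where two pages are touched, which is the short bio_ma array comment #28 worried about; rounding the start down fixes it, and the 2048 / 6144 case yields two pages either way, matching the comment.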