cvs commit: src/sys/dev/md md.c

Bruce Evans bde at zeta.org.au
Wed May 19 00:15:50 PDT 2004


On Tue, 18 May 2004, Ruslan Ermilov wrote:

> On Tue, May 18, 2004 at 12:30:05AM -0700, Pawel Jakub Dawidek wrote:
> > pjd         2004/05/18 00:30:05 PDT
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     sys/dev/md           md.c
> >   Log:
> >   Fix panic which occurs when given sector size for memory-backed device
> >   is less than DEV_BSIZE (512) bytes.
> >
> >   Reported by:    Mike Bristow <mike at urgle.com>
> >   Approved by:    phk
> >
> >   Revision  Changes    Path
> >   1.123     +1 -2      src/sys/dev/md/md.c
> >
> Nice catch!

This introduces a bug that the old version was (not very well) written
to avoid: overflow at UINT_MAX bytes (typically 4GB).  Previously, md
only overflowed at UINT_MAX sectors (typically 2TB).  Overflow probably
can't happen here yet because most machines can't hold 4GB and others
shouldn't waste 4GB for malloc()able memory.  Overflow at 2TB can easily
happen for the vnode case.

Here are some of md's unchecked overflows:

New bug:

% 	sc->nsect = (mdio->md_size * DEV_BSIZE) / sc->secsize;

This is easy to fix using btodb(), except when DEV_BSIZE > sc->secsize.
Using DEV_BSIZE instead of dbtodb() or btodb() when the latter works is
a style bug even when it works.

vnode case:

% 	/*
% 	 * If the size is specified, override the file attributes.
% 	 */
% 	if (mdio->md_size)
% 		sc->nsect = mdio->md_size;
% 	else
% 		sc->nsect = vattr.va_size / sc->secsize; /* XXX: round up ? */

The assignment overflows when vattr.va_size is large.  The fix is not so
easy.  There are lots of u_int's in md's ABI and implementation.

Bruce
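The two unchecked conversions Bruce quotes, worked through as an added example (editor's code, not part of the thread or of md.c): the u_int product from rev 1.123 wrapping at 4GB, the vnode path truncating at 2TB, and a hypothetical widened, bounds-checked helper for each. It assumes a 32-bit unsigned int, a locally defined DEV_BSIZE of 512 standing in for the kernel header, and constructed sizes of exactly 4GB and 2TB.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's DEV_BSIZE; 512 as in the mail. */
#define DEV_BSIZE 512

/*
 * Rev 1.123 as quoted in the mail: the product is computed in u_int, so it
 * wraps once md_size * DEV_BSIZE reaches 2^32 bytes (4GB with a 32-bit u_int).
 */
static unsigned int nsect_unchecked(unsigned int md_size, unsigned int secsize)
{
	return ((md_size * DEV_BSIZE) / secsize);
}

/*
 * vnode case as quoted: a 64-bit file size divided by secsize and then
 * narrowed to u_int, which silently truncates once the quotient exceeds
 * UINT_MAX sectors (2TB at 512-byte sectors).
 */
static unsigned int nsect_vnode_unchecked(uint64_t va_size, unsigned int secsize)
{
	return ((unsigned int)(va_size / secsize));
}

/*
 * Hypothetical checked helper (not md's code): widen to 64 bits before
 * multiplying, and refuse any result that does not fit the u_int nsect
 * field instead of wrapping. Returns false on overflow or a zero sector size.
 */
static bool nsect_checked(unsigned int md_size, unsigned int secsize,
    unsigned int *out)
{
	uint64_t bytes, nsect;

	if (secsize == 0)
		return (false);
	bytes = (uint64_t)md_size * DEV_BSIZE;	/* cannot wrap: below 2^41 */
	nsect = bytes / secsize;
	if (nsect > UINT_MAX)
		return (false);
	*out = (unsigned int)nsect;
	return (true);
}

/* Same guard for the vnode path, where the size is already 64-bit. */
static bool nsect_vnode_checked(uint64_t va_size, unsigned int secsize,
    unsigned int *out)
{
	uint64_t nsect;

	if (secsize == 0)
		return (false);
	nsect = va_size / secsize;
	if (nsect > UINT_MAX)
		return (false);
	*out = (unsigned int)nsect;
	return (true);
}

int main(void)
{
	unsigned int n = 0;
	unsigned int four_gb_sectors = 8388608u;	/* 4GB / 512: constructed */
	uint64_t two_tb = (uint64_t)1 << 41;		/* 2TB in bytes: constructed */

	printf("unchecked 4GB md:    nsect = %u\n",
	    nsect_unchecked(four_gb_sectors, 512));
	printf("checked   4GB md:    %s, nsect = %u\n",
	    nsect_checked(four_gb_sectors, 512, &n) ? "ok" : "overflow", n);
	printf("unchecked 2TB vnode: nsect = %u\n",
	    nsect_vnode_unchecked(two_tb, 512));
	printf("checked   2TB vnode: %s\n",
	    nsect_vnode_checked(two_tb, 512, &n) ? "ok" : "overflow");
	return (0);
}
```

Both unchecked paths yield nsect = 0 at exactly the sizes the mail names, which is the silent failure mode a kernel driver wants to reject at ioctl time rather than discover later as a zero-length device; the checked helpers return an error instead.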

