svn commit: r367145 - in stable/11/sys: cam dev/nvme kern sys ufs/ffs

Thu Oct 29 22:00:16 UTC 2020

Author: brooks
Date: Thu Oct 29 22:00:15 2020
New Revision: 367145
URL: https://svnweb.freebsd.org/changeset/base/367145

Log:
  MFC r366911:
  
  vmapbuf: don't smuggle address or length in buf
  
  Instead, add arguments to vmapbuf.  Since this argument is
  always a pointer use a type of void * and cast to vm_offset_t in
  vmapbuf.  (In CheriBSD we've altered vm_fault_quick_hold_pages to
  take a pointer and check its bounds.)
  
  In no other situtation does b_data contain a user pointer and vmapbuf
  replaces b_data with the actual mapping.
  
  Suggested by:	jhb
  Reviewed by:	imp, jhb
  Obtained from:	CheriBSD
  Sponsored by:	DARPA
  Differential Revision:	https://reviews.freebsd.org/D26784

Modified:
  stable/11/sys/cam/cam_periph.c
  stable/11/sys/dev/nvme/nvme_ctrlr.c
  stable/11/sys/kern/vfs_bio.c
  stable/11/sys/sys/buf.h
  stable/11/sys/ufs/ffs/ffs_rawread.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/cam/cam_periph.c
==============================================================================

--- stable/11/sys/cam/cam_periph.c	Thu Oct 29 18:43:37 2020	(r367144)
+++ stable/11/sys/cam/cam_periph.c	Thu Oct 29 22:00:15 2020	(r367145)
@@ -930,12 +930,6 @@ cam_periph_mapmem(union ccb *ccb, struct cam_periph_ma
 		 */
 		mapinfo->bp[i] = getpbuf(NULL);
 
-		/* put our pointer in the data slot */
-		mapinfo->bp[i]->b_data = *data_ptrs[i];
-
-		/* set the transfer length, we know it's < MAXPHYS */
-		mapinfo->bp[i]->b_bufsize = lengths[i];
-
 		/* set the direction */
 		mapinfo->bp[i]->b_iocmd = (dirs[i] == CAM_DIR_OUT) ?
 		    BIO_WRITE : BIO_READ;
@@ -948,7 +942,7 @@ cam_periph_mapmem(union ccb *ccb, struct cam_periph_ma
 		 * into a larger area of VM, or if userland races against
 		 * vmapbuf() after the useracc() check.
 		 */
-		if (vmapbuf(mapinfo->bp[i], 1) < 0) {
+		if (vmapbuf(mapinfo->bp[i], *data_ptrs[i], lengths[i], 1) < 0) {
 			relpbuf(mapinfo->bp[i], NULL);
 			goto fail;
 		}

Modified: stable/11/sys/dev/nvme/nvme_ctrlr.c
==============================================================================
--- stable/11/sys/dev/nvme/nvme_ctrlr.c	Thu Oct 29 18:43:37 2020	(r367144)
+++ stable/11/sys/dev/nvme/nvme_ctrlr.c	Thu Oct 29 22:00:15 2020	(r367145)
@@ -988,10 +988,8 @@ nvme_ctrlr_passthrough_cmd(struct nvme_controller *ctr
 			 */
 			PHOLD(curproc);
 			buf = getpbuf(NULL);
-			buf->b_data = pt->buf;
-			buf->b_bufsize = pt->len;
 			buf->b_iocmd = pt->is_read ? BIO_READ : BIO_WRITE;
-			if (vmapbuf(buf, 1) < 0) {
+			if (vmapbuf(buf, pt->buf, pt->len, 1) < 0) {
 				ret = EFAULT;
 				goto err;
 			}

Modified: stable/11/sys/kern/vfs_bio.c
==============================================================================
--- stable/11/sys/kern/vfs_bio.c	Thu Oct 29 18:43:37 2020	(r367144)
+++ stable/11/sys/kern/vfs_bio.c	Thu Oct 29 22:00:15 2020	(r367145)
@@ -4577,22 +4577,21 @@ vm_hold_free_pages(struct buf *bp, int newbsize)
  * This function only works with pager buffers.
  */
 int
-vmapbuf(struct buf *bp, int mapbuf)
+vmapbuf(struct buf *bp, void *uaddr, size_t len, int mapbuf)
 {
 	vm_prot_t prot;
 	int pidx;
 
-	if (bp->b_bufsize < 0)
-		return (-1);
 	prot = VM_PROT_READ;
 	if (bp->b_iocmd == BIO_READ)
 		prot |= VM_PROT_WRITE;	/* Less backwards than it looks */
 	if ((pidx = vm_fault_quick_hold_pages(&curproc->p_vmspace->vm_map,
-	    (vm_offset_t)bp->b_data, bp->b_bufsize, prot, bp->b_pages,
+	    (vm_offset_t)uaddr, len, prot, bp->b_pages,
 	    btoc(MAXPHYS))) < 0)
 		return (-1);
+	bp->b_bufsize = len;
 	bp->b_npages = pidx;
-	bp->b_offset = ((vm_offset_t)bp->b_data) & PAGE_MASK;
+	bp->b_offset = ((vm_offset_t)uaddr) & PAGE_MASK;
 	if (mapbuf || !unmapped_buf_allowed) {
 		pmap_qenter((vm_offset_t)bp->b_kvabase, bp->b_pages, pidx);
 		bp->b_data = bp->b_kvabase + bp->b_offset;

Modified: stable/11/sys/sys/buf.h
==============================================================================
--- stable/11/sys/sys/buf.h	Thu Oct 29 18:43:37 2020	(r367144)
+++ stable/11/sys/sys/buf.h	Thu Oct 29 22:00:15 2020	(r367145)
@@ -533,7 +533,7 @@ void	vfs_bio_set_flags(struct buf *bp, int ioflags);
 void	vfs_bio_set_valid(struct buf *, int base, int size);
 void	vfs_busy_pages(struct buf *, int clear_modify);
 void	vfs_unbusy_pages(struct buf *);
-int	vmapbuf(struct buf *, int);
+int	vmapbuf(struct buf *, void *, size_t, int);
 void	vunmapbuf(struct buf *);
 void	relpbuf(struct buf *, int *);
 void	brelvp(struct buf *);

Modified: stable/11/sys/ufs/ffs/ffs_rawread.c
==============================================================================
--- stable/11/sys/ufs/ffs/ffs_rawread.c	Thu Oct 29 18:43:37 2020	(r367144)
+++ stable/11/sys/ufs/ffs/ffs_rawread.c	Thu Oct 29 22:00:15 2020	(r367145)
@@ -216,7 +216,6 @@ ffs_rawread_readahead(struct vnode *vp,
 	bp->b_flags = 0;	/* XXX necessary ? */
 	bp->b_iocmd = BIO_READ;
 	bp->b_iodone = bdone;
-	bp->b_data = udata;
 	blockno = offset / bsize;
 	blockoff = (offset % bsize) / DEV_BSIZE;
 	if ((daddr_t) blockno != blockno) {
@@ -234,9 +233,8 @@ ffs_rawread_readahead(struct vnode *vp,
 		
 		if (bp->b_bcount + blockoff * DEV_BSIZE > bsize)
 			bp->b_bcount = bsize - blockoff * DEV_BSIZE;
-		bp->b_bufsize = bp->b_bcount;
 		
-		if (vmapbuf(bp, 1) < 0)
+		if (vmapbuf(bp, udata, bp->b_bcount, 1) < 0)
 			return EFAULT;
 		
 		maybe_yield();
@@ -253,9 +251,8 @@ ffs_rawread_readahead(struct vnode *vp,
 	
 	if (bp->b_bcount + blockoff * DEV_BSIZE > bsize * (1 + bforwards))
 		bp->b_bcount = bsize * (1 + bforwards) - blockoff * DEV_BSIZE;
-	bp->b_bufsize = bp->b_bcount;
 	
-	if (vmapbuf(bp, 1) < 0)
+	if (vmapbuf(bp, udata, bp->b_bcount, 1) < 0)
 		return EFAULT;
 	
 	BO_STRATEGY(&dp->v_bufobj, bp);
