svn commit: r313113 - head/sys/dev/nvme
Warner Losh
imp at FreeBSD.org
Thu Feb 2 23:04:07 UTC 2017
Author: imp
Date: Thu Feb 2 23:04:06 2017
New Revision: 313113
URL: https://svnweb.freebsd.org/changeset/base/313113
Log:
Ensure that the passthrough request will fit in MAXPHYS bytes after it
has been rounded to full pages. This avoids a panic in
vm_fault_quick_hold_pages due to this off-by-one error passing one
page too many into vmapbuf.
Modified:
head/sys/dev/nvme/nvme_ctrlr.c
Modified: head/sys/dev/nvme/nvme_ctrlr.c
==============================================================================
--- head/sys/dev/nvme/nvme_ctrlr.c Thu Feb 2 23:04:01 2017 (r313112)
+++ head/sys/dev/nvme/nvme_ctrlr.c Thu Feb 2 23:04:06 2017 (r313113)
@@ -874,8 +874,20 @@ nvme_ctrlr_passthrough_cmd(struct nvme_c
struct mtx *mtx;
struct buf *buf = NULL;
int ret = 0;
+ vm_offset_t addr, end;
if (pt->len > 0) {
+ /*
+ * vmapbuf calls vm_fault_quick_hold_pages which only maps full
+ * pages. Ensure this request has fewer than MAXPHYS bytes when
+ * extended to full pages.
+ */
+ addr = (vm_offset_t)pt->buf;
+ end = round_page(addr + pt->len);
+ addr = trunc_page(addr);
+ if (end - addr > MAXPHYS)
+ return EIO;
+
if (pt->len > ctrlr->max_xfer_size) {
nvme_printf(ctrlr, "pt->len (%d) "
"exceeds max_xfer_size (%d)\n", pt->len,
More information about the svn-src-head
mailing list