MFC r313113 (by imp):

Ensure that the passthrough request will fit in MAXPHYS bytes after it has been rounded to full pages. This avoids a panic in vm_fault_quick_hold_pages due to this off-by-one error passing one page too many into vmapbuf.
author: mav <mav@FreeBSD.org> 2018-02-01 16:24:03 +0000
committer: mav <mav@FreeBSD.org> 2018-02-01 16:24:03 +0000
commit: 7c8dd9ade0f88da43db308b70619e2fb4680c7c7 (patch)
tree: 46afb0d5b2377f4f455b042b2c033b6f649ba83e
parent: f663e528459929e627c66d209d05d34ee35492a0 (diff)
download: FreeBSD-src-7c8dd9ade0f88da43db308b70619e2fb4680c7c7.zip
FreeBSD-src-7c8dd9ade0f88da43db308b70619e2fb4680c7c7.tar.gz
1 files changed, 12 insertions, 0 deletions
diff --git a/sys/dev/nvme/nvme_ctrlr.c b/sys/dev/nvme/nvme_ctrlr.c
index 11ab016..fd836f9 100644
--- a/sys/dev/nvme/nvme_ctrlr.c
+++ b/sys/dev/nvme/nvme_ctrlr.c
@@ -874,8 +874,20 @@ nvme_ctrlr_passthrough_cmd(struct nvme_controller *ctrlr,
 	struct mtx		*mtx;
 	struct buf		*buf = NULL;
 	int			ret = 0;
+	vm_offset_t		addr, end;
 
 	if (pt->len > 0) {
+		/*
+		 * vmapbuf calls vm_fault_quick_hold_pages which only maps full
+		 * pages. Ensure this request has fewer than MAXPHYS bytes when
+		 * extended to full pages.
+		 */
+		addr = (vm_offset_t)pt->buf;
+		end = round_page(addr + pt->len);
+		addr = trunc_page(addr);
+		if (end - addr > MAXPHYS)
+			return EIO;
+
 		if (pt->len > ctrlr->max_xfer_size) {
 			nvme_printf(ctrlr, "pt->len (%d) "
 			    "exceeds max_xfer_size (%d)\n", pt->len,
author	mav <mav@FreeBSD.org>	2018-02-01 16:24:03 +0000
committer	mav <mav@FreeBSD.org>	2018-02-01 16:24:03 +0000
commit	7c8dd9ade0f88da43db308b70619e2fb4680c7c7 (patch)
tree	46afb0d5b2377f4f455b042b2c033b6f649ba83e
parent	f663e528459929e627c66d209d05d34ee35492a0 (diff)
download	FreeBSD-src-7c8dd9ade0f88da43db308b70619e2fb4680c7c7.zip FreeBSD-src-7c8dd9ade0f88da43db308b70619e2fb4680c7c7.tar.gz