diff options
author | mav <mav@FreeBSD.org> | 2018-02-01 16:24:03 +0000 |
---|---|---|
committer | mav <mav@FreeBSD.org> | 2018-02-01 16:24:03 +0000 |
commit | 7c8dd9ade0f88da43db308b70619e2fb4680c7c7 (patch) | |
tree | 46afb0d5b2377f4f455b042b2c033b6f649ba83e | |
parent | f663e528459929e627c66d209d05d34ee35492a0 (diff) | |
download | FreeBSD-src-7c8dd9ade0f88da43db308b70619e2fb4680c7c7.zip FreeBSD-src-7c8dd9ade0f88da43db308b70619e2fb4680c7c7.tar.gz |
MFC r313113 (by imp):
Ensure that the passthrough request will fit in MAXPHYS bytes after it
has been rounded to full pages. This avoids a panic in
vm_fault_quick_hold_pages due to this off-by-one error passing one
page too many into vmapbuf.
-rw-r--r-- | sys/dev/nvme/nvme_ctrlr.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/sys/dev/nvme/nvme_ctrlr.c b/sys/dev/nvme/nvme_ctrlr.c index 11ab016..fd836f9 100644 --- a/sys/dev/nvme/nvme_ctrlr.c +++ b/sys/dev/nvme/nvme_ctrlr.c @@ -874,8 +874,20 @@ nvme_ctrlr_passthrough_cmd(struct nvme_controller *ctrlr, struct mtx *mtx; struct buf *buf = NULL; int ret = 0; + vm_offset_t addr, end; if (pt->len > 0) { + /* + * vmapbuf calls vm_fault_quick_hold_pages which only maps full + * pages. Ensure this request has fewer than MAXPHYS bytes when + * extended to full pages. + */ + addr = (vm_offset_t)pt->buf; + end = round_page(addr + pt->len); + addr = trunc_page(addr); + if (end - addr > MAXPHYS) + return EIO; + if (pt->len > ctrlr->max_xfer_size) { nvme_printf(ctrlr, "pt->len (%d) " "exceeds max_xfer_size (%d)\n", pt->len, |