Re: kern/56900: panic in uvm_map_findspace

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,Thomas Klausner <wiz%NetBSD.org@localhost>
Subject: Re: kern/56900: panic in uvm_map_findspace
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Date: Tue, 22 Nov 2022 14:45:01 +0000 (UTC)

The following reply was made to PR kern/56900; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: wiz%NetBSD.org@localhost
Subject: Re: kern/56900: panic in uvm_map_findspace
Date: Tue, 22 Nov 2022 14:42:03 +0000

 This is a multi-part message in MIME format.
 --=_rFLsIlDMAmZS54PhaM3eE2ii5a8qA3Zz
 
 Can you please try the attached patch?
 
 --=_rFLsIlDMAmZS54PhaM3eE2ii5a8qA3Zz
 Content-Type: text/plain; charset="ISO-8859-1"; name="pr56900"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: attachment; filename="pr56900.patch"
 
 From dc4aef9f87a74edd401ebb85419cb0b217591108 Mon Sep 17 00:00:00 2001
 From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
 Date: Tue, 22 Nov 2022 14:40:55 +0000
 Subject: [PATCH] mmap(2): Avoid arithmetic overflow in search for free spac=
 e.
 
 PR kern/56900
 
 Reported-by: syzbot+3833ae1d38037a263d05%syzkaller.appspotmail.com@localhost
 https://syzkaller.appspot.com/bug?id=3De542bcf59b2564cca1cb38c12f076fb08dca=
 c37e
 ---
  sys/uvm/uvm_map.c | 15 ++++++++++++++-
  1 file changed, 14 insertions(+), 1 deletion(-)
 
 diff --git a/sys/uvm/uvm_map.c b/sys/uvm/uvm_map.c
 index 46b829b478a6..30b5d73dc6f6 100644
 --- a/sys/uvm/uvm_map.c
 +++ b/sys/uvm/uvm_map.c
 @@ -1994,7 +1994,20 @@ uvm_map_findspace(struct vm_map *map, vaddr_t hint, =
 vsize_t length,
  	/* Try to find the space in the red-black tree */
 =20
  	/* Check slot before any entry */
 -	hint =3D topdown ? entry->next->start - length : entry->end;
 +	if (topdown) {
 +		KASSERTMSG(entry->next->start >=3D vm_map_min(map),
 +		    "map=3D%p entry=3D%p entry->next=3D%p"
 +		    " entry->next->start=3D0x%"PRIxVADDR" min=3D0x%"PRIxVADDR,
 +		    map, entry, entry->next,
 +		    entry->next->start, vm_map_min(map));
 +		if (length > entry->next->start - vm_map_min(map))
 +			hint =3D vm_map_min(map); /* XXX goto wraparound? */
 +		else
 +			hint =3D entry->next->start - length;
 +		KASSERT(hint >=3D vm_map_min(map));
 +	} else {
 +		hint =3D entry->end;
 +	}
  	INVARIANTS();
  	avail =3D uvm_map_space_avail(&hint, length, uoffset, align, flags,
  	    topdown, entry);
 
 --=_rFLsIlDMAmZS54PhaM3eE2ii5a8qA3Zz--

Prev by Date: Re: kern/56900: panic in uvm_map_findspace
Next by Date: install/57089: sysinst cannot connect to host
Previous by Thread: Re: kern/56900: panic in uvm_map_findspace
Next by Thread: Re: kern/56900: panic in uvm_map_findspace
Indexes:

Home | Main Index | Thread Index | Old Index