NetBSD-Bugs archive


Re: kern/56900: panic in uvm_map_findspace



The following reply was made to PR kern/56900; it has been noted by GNATS.

From: Frank Kardel <kardel%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/56900: panic in uvm_map_findspace
Date: Thu, 24 Nov 2022 16:07:23 +0100

 No more crashes observed here also.
 
 Thanks for that fix.
 
 Frank
 
 
 On 11/22/22 15:45, Taylor R Campbell wrote:
 > The following reply was made to PR kern/56900; it has been noted by GNATS.
 >
 > From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
 > To: gnats-bugs%NetBSD.org@localhost
 > Cc: wiz%NetBSD.org@localhost
 > Subject: Re: kern/56900: panic in uvm_map_findspace
 > Date: Tue, 22 Nov 2022 14:42:03 +0000
 >
 >   This is a multi-part message in MIME format.
 >   --=_rFLsIlDMAmZS54PhaM3eE2ii5a8qA3Zz
 >   
 >   Can you please try the attached patch?
 >   
 >   --=_rFLsIlDMAmZS54PhaM3eE2ii5a8qA3Zz
 >   Content-Type: text/plain; charset="ISO-8859-1"; name="pr56900"
 >   Content-Transfer-Encoding: quoted-printable
 >   Content-Disposition: attachment; filename="pr56900.patch"
 >   
 >   From dc4aef9f87a74edd401ebb85419cb0b217591108 Mon Sep 17 00:00:00 2001
 >   From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
 >   Date: Tue, 22 Nov 2022 14:40:55 +0000
 >   Subject: [PATCH] mmap(2): Avoid arithmetic overflow in search for free space.
 >   
 >   PR kern/56900
 >   
 >   Reported-by: syzbot+3833ae1d38037a263d05%syzkaller.appspotmail.com@localhost
 >   https://syzkaller.appspot.com/bug?id=e542bcf59b2564cca1cb38c12f076fb08dcac37e
 >   ---
 >    sys/uvm/uvm_map.c | 15 ++++++++++++++-
 >    1 file changed, 14 insertions(+), 1 deletion(-)
 >   
 >   diff --git a/sys/uvm/uvm_map.c b/sys/uvm/uvm_map.c
 >   index 46b829b478a6..30b5d73dc6f6 100644
 >   --- a/sys/uvm/uvm_map.c
 >   +++ b/sys/uvm/uvm_map.c
 >   @@ -1994,7 +1994,20 @@ uvm_map_findspace(struct vm_map *map, vaddr_t hint, =
 >   vsize_t length,
 >    	/* Try to find the space in the red-black tree */
 >   =20
 >    	/* Check slot before any entry */
 >   -	hint =3D topdown ? entry->next->start - length : entry->end;
 >   +	if (topdown) {
 >   +		KASSERTMSG(entry->next->start >=3D vm_map_min(map),
 >   +		    "map=3D%p entry=3D%p entry->next=3D%p"
 >   +		    " entry->next->start=3D0x%"PRIxVADDR" min=3D0x%"PRIxVADDR,
 >   +		    map, entry, entry->next,
 >   +		    entry->next->start, vm_map_min(map));
 >   +		if (length > entry->next->start - vm_map_min(map))
 >   +			hint =3D vm_map_min(map); /* XXX goto wraparound? */
 >   +		else
 >   +			hint =3D entry->next->start - length;
 >   +		KASSERT(hint >=3D vm_map_min(map));
 >   +	} else {
 >   +		hint =3D entry->end;
 >   +	}
 >    	INVARIANTS();
 >    	avail =3D uvm_map_space_avail(&hint, length, uoffset, align, flags,
 >    	    topdown, entry);
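
Review bot: The clamp in the topdown arm, taken when "if (length > entry->next->start - vm_map_min(map))" is true, is committed with its own open question ("XXX goto wraparound?") still in the code. In that case a region of length bytes cannot fit between the map minimum and entry->next->start, so the clamped hint only prevents the underflow the removed one-line subtraction could produce; whether the slot is then rejected depends on the uvm_map_space_avail() call that follows, whose body is not shown here. I would either resolve the XXX before commit or replace it with a comment saying the clamp is deliberate and that the following call is relied on to reject the slot. A smaller point: the trailing KASSERT on hint holds by construction on both arms of the inner if, so it documents the invariant rather than checking anything new. The KASSERTMSG above it is what protects the new subtraction from underflowing, and it does so only in kernels built with DIAGNOSTIC.
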
 >   
 >   --=_rFLsIlDMAmZS54PhaM3eE2ii5a8qA3Zz--
 >   
 

