NetBSD-Bugs archive
Re: kern/58552: panic via genfs_getpages - ufs_bmaparray
On Fri, Aug 30, 2024 at 01:09:02AM +0000, Taylor R Campbell wrote:
> > Date: Thu, 29 Aug 2024 11:25:59 +0200
> > From: "J. Hannken-Illjes" <hannken%mailbox.org@localhost>
> >
> > All these entries are valid "struct vm_page *" pointers so it looks like
> > this page allocated to the "bufpl" got overwritten with 512 pointers
> > to vm pages.
> >
> > Which operation creates an array of at least 512 "struct vm_page"
> > pointers and therefore is a candidate for trashing?
>
> genfs_getpages potentially does this, say for fsync or msync of a 2MB
> range:
>
> 308 const int pgs_size = sizeof(struct vm_page *) *
> 309 ((endoffset - startoffset) >> PAGE_SHIFT);
> 310 struct vm_page **pgs, *pgs_onstack[UBC_MAX_PAGES];
> 311
> 312 if (pgs_size > sizeof(pgs_onstack)) {
> 313 pgs = kmem_zalloc(pgs_size, async ? KM_NOSLEEP : KM_SLEEP);
>
> https://nxr.netbsd.org/xref/src/sys/miscfs/genfs/genfs_io.c?r=1.104#308
Where is the path from fsync/msync to VOP_GETPAGES? Looks like both end up
in VOP_PUTPAGES where requests seem bound to MAXPHYS.
--
J. Hannken-Illjes
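An added example, not from the NetBSD sources or from either poster, that models the pgs[] sizing quoted from genfs_getpages() above and works the 2 MB case through: how many "struct vm_page *" entries the range needs, how many bytes that is, whether it outgrows pgs_onstack[] and so goes through kmem_zalloc(), and how many whole pages the array spans. PAGE_SHIFT = 12 and UBC_MAX_PAGES = 8 are assumptions for a user-space build; the real values come from the kernel headers, and the functions here are illustrative names, not kernel API.

```c
/*
 * Added example (not NetBSD code): a user-space model of the pgs[] sizing
 * in genfs_getpages().  PAGE_SHIFT and UBC_MAX_PAGES are assumed values;
 * struct vm_page is left opaque because only the pointer size matters.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT     12                   /* assumed: 4 KiB pages, as on amd64 */
#define PAGE_SIZE      (1UL << PAGE_SHIFT)
#define UBC_MAX_PAGES  8                    /* assumed: entries in pgs_onstack[] */

struct vm_page;                             /* opaque: only sizeof(struct vm_page *) is used */

/* Entries of pgs[] needed for [startoffset, endoffset), as in the quoted code. */
static size_t
genfs_pgs_count(int64_t startoffset, int64_t endoffset)
{
	if (endoffset <= startoffset)
		return 0;                   /* empty or inverted range: nothing to map */
	return (size_t)((endoffset - startoffset) >> PAGE_SHIFT);
}

/* Bytes of pgs[] storage: mirrors "sizeof(struct vm_page *) * npages". */
static size_t
genfs_pgs_bytes(int64_t startoffset, int64_t endoffset)
{
	return sizeof(struct vm_page *) * genfs_pgs_count(startoffset, endoffset);
}

/* True when the array no longer fits pgs_onstack[] and would be kmem_zalloc()'d. */
static bool
genfs_pgs_on_heap(int64_t startoffset, int64_t endoffset)
{
	return genfs_pgs_bytes(startoffset, endoffset) >
	    sizeof(struct vm_page *) * UBC_MAX_PAGES;
}

/* Whole pages the array occupies, rounded up. */
static size_t
genfs_pgs_pages(int64_t startoffset, int64_t endoffset)
{
	size_t bytes = genfs_pgs_bytes(startoffset, endoffset);

	return (bytes + PAGE_SIZE - 1) / PAGE_SIZE;
}

static void
report(int64_t start, int64_t end)
{
	printf("range [%lld, %lld): %zu entries, %zu bytes, %s, %zu page(s)\n",
	    (long long)start, (long long)end,
	    genfs_pgs_count(start, end), genfs_pgs_bytes(start, end),
	    genfs_pgs_on_heap(start, end) ? "kmem_zalloc" : "on stack",
	    genfs_pgs_pages(start, end));
}

int
main(void)
{
	report(0, 2 * 1024 * 1024);     /* the 2 MB fsync/msync case from the thread */
	report(0, 2 * PAGE_SIZE);       /* small range that still fits pgs_onstack[] */
	report(PAGE_SIZE, PAGE_SIZE);   /* empty range */
	return 0;
}
```

With 4 KiB pages a 2 MB range is 512 entries, and with 8-byte pointers that is 4096 bytes, exactly one page, so an array of that size would be allocated with kmem_zalloc() rather than on the stack. That arithmetic is the only thing the example establishes; whether such an array is what landed on the bufpl page is the open question in the thread.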