NetBSD-Bugs archive


Re: kern/58552: panic via genfs_getpages - ufs_bmaparray



The following reply was made to PR kern/58552; it has been noted by GNATS.

From: "J. Hannken-Illjes" <hannken%mailbox.org@localhost>
To: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Cc: "S.P.Zeidler" <spz%NetBSD.org@localhost>, gnats-bugs%NetBSD.org@localhost,
	netbsd-bugs%NetBSD.org@localhost
Subject: Re: kern/58552: panic via genfs_getpages - ufs_bmaparray
Date: Fri, 30 Aug 2024 16:48:58 +0200

 On Fri, Aug 30, 2024 at 01:09:02AM +0000, Taylor R Campbell wrote:
 > > Date: Thu, 29 Aug 2024 11:25:59 +0200
 > > From: "J. Hannken-Illjes" <hannken%mailbox.org@localhost>
 > > 
 > > All these entries are valid "struct vm_page *" pointers so it looks like
 > > this page allocated to the "bufpl" got overwritten with 512 pointers
 > > to vm pages.
 > > 
 > > Which operation creates an array of at least 512 "struct vm_page"
 > > pointers and therefore is a candidate for trashing?
 > 
 > genfs_getpages potentially does this, say for fsync or msync of a 2MB
 > range:
 > 
 >     308 	const int pgs_size = sizeof(struct vm_page *) *
 >     309 	    ((endoffset - startoffset) >> PAGE_SHIFT);
 >     310 	struct vm_page **pgs, *pgs_onstack[UBC_MAX_PAGES];
 >     311 
 >     312 	if (pgs_size > sizeof(pgs_onstack)) {
 >     313 		pgs = kmem_zalloc(pgs_size, async ? KM_NOSLEEP : KM_SLEEP);
 > 
 > https://nxr.netbsd.org/xref/src/sys/miscfs/genfs/genfs_io.c?r=1.104#308
 
 Where is the path from fsync/msync to VOP_GETPAGES?  Looks like both end up
 in VOP_PUTPAGES where requests seem bound to MAXPHYS.
 
 -- 
 J. Hannken-Illjes
 

