Date: Mon, 18 Apr 2022 21:58:18 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 262894] Kernel Panic (page fault) with 13.1-BETA2 in g_eli & httpd
Message-ID: <bug-262894-227-X6Xmo5Qkak@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-262894-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-262894-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262894

--- Comment #30 from Alexander Motin <mav@FreeBSD.org> ---
(In reply to Mark Johnston from comment #28)

While it seems like a good catch at first look, I doubt it is exploitable.
The code uses unmapped I/O only if all boundaries within the ABD except the
first and the last are page aligned. The case of "addr & PAGE_MASK is 2048 and
len is 4096" can fit into this only if it is the only chunk in the ABD, but then
it should be a linear buffer, not requiring unmapped I/O. The fitting case of
addr & PAGE_MASK is 2048 and len is 6144 should work fine, producing two pages.
Plus, TrueNAS has for many years used ashift=12, which means all offsets in
RAIDZ and gang blocks should be multiples of 4K and so page-aligned on x86.

But still, just in case, what would you say about this patch:

diff --git a/module/os/freebsd/zfs/vdev_geom.c b/module/os/freebsd/zfs/vdev_geom.c
index 2ef4811a8..5447eb922 100644
--- a/module/os/freebsd/zfs/vdev_geom.c
+++ b/module/os/freebsd/zfs/vdev_geom.c
@@ -1132,8 +1132,12 @@ vdev_geom_fill_unmap_cb(void *buf, size_t len, void *priv)
 	vm_offset_t addr = (vm_offset_t)buf;
 	vm_offset_t end = addr + len;
 
-	if (bp->bio_ma_n == 0)
+	if (bp->bio_ma_n == 0) {
 		bp->bio_ma_offset = addr & PAGE_MASK;
+		addr &= ~PAGE_MASK;
+	} else {
+		ASSERT0(P2PHASE(addr, PAGE_SIZE));
+	}
 
 	do {
 		bp->bio_ma[bp->bio_ma_n++] = PHYS_TO_VM_PAGE(pmap_kextract(addr));

-- 
You are receiving this mail because:
You are the assignee for the bug.
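Review bot: the ASSERT0(P2PHASE(addr, PAGE_SIZE)) added in the else branch is compiled out of non-debug kernels, so in production a non-first chunk that is not page aligned would still be walked from its unrounded address and silently reference the wrong pages; if the comment's argument that the caller already guarantees this alignment holds, a short comment next to the assert saying so would help, otherwise an explicit check that fails the I/O is the safer choice. Also, the loop's exit test lies outside the hunk: `end` is computed from the original `addr` before the new `addr &= ~PAGE_MASK;`, so confirm the loop compares the rounded-down addr against that unrounded end, which is what makes the 2048/4096 case from comment #28 now yield two pages instead of one.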
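As an added illustration of the page-count reasoning in the comment above (not code from the bug report or from OpenZFS), here is a small C model of the unmap fill loop before and after the proposed change, run over the two offset/length cases the thread discusses. struct model_bio, run_chunks, pages_needed and the loop's advance and exit test are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>
/* x86-style 4K pages as in the comment above (model constants, not the kernel's). */
#define PAGE_SIZE 4096UL
#define PAGE_MASK (PAGE_SIZE - 1)
#define MAX_PAGES 16
/* Hypothetical stand-in for the struct bio fields the hunk touches. */
struct model_bio {
    uintptr_t ma[MAX_PAGES]; /* page-aligned base of each referenced page */
    int ma_n;
    size_t ma_offset;
};
/* One ABD chunk [addr, addr+len); 'patched' selects the hunk's rounding of the
 * first chunk. The loop's advance and exit test are assumed (only "do {" is in
 * the hunk). Returns the running page count, or -1 where the code would ASSERT. */
int fill_unmap(struct model_bio *bp, uintptr_t addr, size_t len, int patched)
{
    uintptr_t end = addr + len;
    if (bp->ma_n == 0) {
        bp->ma_offset = addr & PAGE_MASK;
        if (patched)
            addr &= ~PAGE_MASK;
    } else if (addr & PAGE_MASK) {
        return -1; /* non-first chunk not page aligned: ASSERT0(P2PHASE(...)) */
    }
    do {
        if (bp->ma_n >= MAX_PAGES)
            return -1;
        bp->ma[bp->ma_n++] = addr & ~PAGE_MASK; /* page holding addr */
        addr += PAGE_SIZE;
    } while (addr < end);
    return bp->ma_n;
}

/* Feed n chunks through a fresh model bio; returns pages collected or -1. */
int run_chunks(const uintptr_t *addrs, const size_t *lens, int n, int patched)
{
    struct model_bio bp = { .ma_n = 0 };
    int rc = 0;
    for (int i = 0; i < n && rc >= 0; i++)
        rc = fill_unmap(&bp, addrs[i], lens[i], patched);
    return rc;
}

/* Distinct pages the byte range [addr, addr+len) really spans. */
int pages_needed(uintptr_t addr, size_t len)
{
    uintptr_t first = addr & ~PAGE_MASK, last = (addr + len - 1) & ~PAGE_MASK;
    return (int)((last - first) / PAGE_SIZE) + 1;
}
```

The unpatched model collects one page for the 2048/4096 case that spans two, and two pages for the 2048/6144 case, matching the comment's reasoning; the patched model collects two in both cases.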