From owner-svn-src-stable@FreeBSD.ORG  Tue Dec 17 09:21:57 2013
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 256229F5;
 Tue, 17 Dec 2013 09:21:57 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id EA7501E5D;
 Tue, 17 Dec 2013 09:21:56 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rBH9LuRH089565;
 Tue, 17 Dec 2013 09:21:56 GMT (envelope-from kib@svn.freebsd.org)
Received: (from kib@localhost)
 by svn.freebsd.org (8.14.7/8.14.7/Submit) id rBH9LunD089563;
 Tue, 17 Dec 2013 09:21:56 GMT (envelope-from kib@svn.freebsd.org)
Message-Id: <201312170921.rBH9LunD089563@svn.freebsd.org>
From: Konstantin Belousov <kib@FreeBSD.org>
Date: Tue, 17 Dec 2013 09:21:56 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r259499 - in stable/10/sys: kern vm
X-SVN-Group: stable-10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Dec 2013 09:21:57 -0000

Author: kib
Date: Tue Dec 17 09:21:56 2013
New Revision: 259499
URL: http://svnweb.freebsd.org/changeset/base/259499

Log:
  MFC r258039:
  Avoid overflow for the page counts.
  
  MFC r258365:
  Revert back to use int for the page counts.
  Rearrange the checks to correctly handle overflowing address arithmetic.

Modified:
  stable/10/sys/kern/vfs_vnops.c
  stable/10/sys/vm/vm_fault.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/kern/vfs_vnops.c
==============================================================================
--- stable/10/sys/kern/vfs_vnops.c	Tue Dec 17 07:59:00 2013	(r259498)
+++ stable/10/sys/kern/vfs_vnops.c	Tue Dec 17 09:21:56 2013	(r259499)
@@ -933,7 +933,7 @@ vn_io_fault(struct file *fp, struct uio 
 	void *rl_cookie;
 	struct mount *mp;
 	vm_page_t *prev_td_ma;
-	int cnt, error, save, saveheld, prev_td_ma_cnt;
+	int error, cnt, save, saveheld, prev_td_ma_cnt;
 	vm_offset_t addr, end;
 	vm_prot_t prot;
 	size_t len, resid;
@@ -1007,21 +1007,20 @@ vn_io_fault(struct file *fp, struct uio 
 			uio_clone->uio_iovcnt--;
 			continue;
 		}
-
-		addr = (vm_offset_t)uio_clone->uio_iov->iov_base;
+		if (len > io_hold_cnt * PAGE_SIZE)
+			len = io_hold_cnt * PAGE_SIZE;
+		addr = (uintptr_t)uio_clone->uio_iov->iov_base;
 		end = round_page(addr + len);
-		cnt = howmany(end - trunc_page(addr), PAGE_SIZE);
+		if (end < addr) {
+			error = EFAULT;
+			break;
+		}
+		cnt = atop(end - trunc_page(addr));
 		/*
 		 * A perfectly misaligned address and length could cause
 		 * both the start and the end of the chunk to use partial
 		 * page.  +2 accounts for such a situation.
 		 */
-		if (cnt > io_hold_cnt + 2) {
-			len = io_hold_cnt * PAGE_SIZE;
-			KASSERT(howmany(round_page(addr + len) -
-			    trunc_page(addr), PAGE_SIZE) <= io_hold_cnt + 2,
-			    ("cnt overflow"));
-		}
 		cnt = vm_fault_quick_hold_pages(&td->td_proc->p_vmspace->vm_map,
 		    addr, len, prot, ma, io_hold_cnt + 2);
 		if (cnt == -1) {

Modified: stable/10/sys/vm/vm_fault.c
==============================================================================
--- stable/10/sys/vm/vm_fault.c	Tue Dec 17 07:59:00 2013	(r259498)
+++ stable/10/sys/vm/vm_fault.c	Tue Dec 17 09:21:56 2013	(r259499)
@@ -1079,7 +1079,7 @@ vm_fault_quick_hold_pages(vm_map_t map, 
 
 	if (len == 0)
 		return (0);
-	end = round_page(addr + len);	
+	end = round_page(addr + len);
 	addr = trunc_page(addr);
 
 	/*
@@ -1088,9 +1088,9 @@ vm_fault_quick_hold_pages(vm_map_t map, 
 	if (addr < vm_map_min(map) || addr > end || end > vm_map_max(map))
 		return (-1);
 
-	count = howmany(end - addr, PAGE_SIZE);
-	if (count > max_count)
+	if (atop(end - addr) > max_count)
 		panic("vm_fault_quick_hold_pages: count > max_count");
+	count = atop(end - addr);
 
 	/*
 	 * Most likely, the physical pages are resident in the pmap, so it is