From owner-cvs-src@FreeBSD.ORG Wed May 19 00:15:50 2004
Delivered-To: cvs-src@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 666E916A4CE; Wed, 19 May 2004 00:15:50 -0700 (PDT)
Received: from mailout1.pacific.net.au (mailout1.pacific.net.au [61.8.0.84]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9745143D2F; Wed, 19 May 2004 00:15:49 -0700 (PDT) (envelope-from bde@zeta.org.au)
Received: from mailproxy2.pacific.net.au (mailproxy2.pacific.net.au [61.8.0.87]) i4J7Fm4u022168; Wed, 19 May 2004 17:15:48 +1000
Received: from gamplex.bde.org (katana.zip.com.au [61.8.7.246]) i4J7FjLS019952; Wed, 19 May 2004 17:15:46 +1000
Date: Wed, 19 May 2004 17:15:47 +1000 (EST)
From: Bruce Evans
X-X-Sender: bde@gamplex.bde.org
To: Ruslan Ermilov
In-Reply-To: <20040518103846.GB70919@ip.net.ua>
Message-ID: <20040519165754.Q13836@gamplex.bde.org>
References: <200405180730.i4I7U5CZ018341@repoman.freebsd.org> <20040518103846.GB70919@ip.net.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: cvs-src@FreeBSD.org
cc: src-committers@FreeBSD.org
cc: Pawel Jakub Dawidek
cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sys/dev/md md.c
X-BeenThere: cvs-src@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: CVS commit messages for the src tree
X-List-Received-Date: Wed, 19 May 2004 07:15:50 -0000

On Tue, 18 May 2004, Ruslan Ermilov wrote:

> On Tue, May 18, 2004 at 12:30:05AM -0700, Pawel Jakub Dawidek wrote:
> > pjd         2004/05/18 00:30:05 PDT
> >
> >   FreeBSD src repository
> >
> >   Modified files:
> >     sys/dev/md           md.c
> >   Log:
> >   Fix panic which occurs when given sector size for memory-backed device
> >   is less than DEV_BSIZE (512) bytes.
> >
> >   Reported by:    Mike Bristow
> >   Approved by:    phk
> >
> >   Revision  Changes    Path
> >   1.123     +1 -2      src/sys/dev/md/md.c
> >
> Nice catch!
This introduces a bug that the old version was (not very well) written to
avoid: overflow at UINT_MAX bytes (typically 4GB).  Previously, md only
overflowed at UINT_MAX sectors (typically 2TB).  Overflow probably can't
happen here yet because most machines can't hold 4GB and others shouldn't
waste 4GB for malloc()able memory.  Overflow at 2TB can easily happen for
the vnode case.

Here are some of md's unchecked overflows:

New bug:

% 	sc->nsect = (mdio->md_size * DEV_BSIZE) / sc->secsize;

This is easy to fix using btodb(), except when DEV_BSIZE > sc->secsize.
Using DEV_BSIZE instead of dbtob() or btodb() when the latter works is a
style bug even when it works.

vnode case:

% 	/*
% 	 * If the size is specified, override the file attributes.
% 	 */
% 	if (mdio->md_size)
% 		sc->nsect = mdio->md_size;
% 	else
% 		sc->nsect = vattr.va_size / sc->secsize;	/* XXX: round up ? */

The assignment overflows when vattr.va_size is large.  The fix is not so
easy.  There are lots of u_int's in md's ABI and implementation.

Bruce
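To make the two overflow cases in the message above concrete, here is an added stand-alone C example; it is not code from the e-mail thread or from FreeBSD's md.c. It models md's u_int nsect/md_size fields and DEV_BSIZE = 512 with local stand-ins, uses int64_t in place of off_t for vattr.va_size, and feeds constructed sizes (an exactly 4 GiB malloc-backed device, a 3 TiB backing file) through both the unchecked arithmetic the message quotes and a 64-bit checked version that refuses any sector count that would not fit in u_int:

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel definitions (assumed here, not copied from md.c):
 * DEV_BSIZE is 512 as in <sys/param.h>; md's nsect and md_size are u_int;
 * vattr.va_size is an off_t, modelled as int64_t. */
#define DEV_BSIZE 512u
typedef unsigned int u_int;

/* The "new bug": md_size (a u_int count of DEV_BSIZE sectors) times DEV_BSIZE
 * is a 32-bit product, so it wraps once the device reaches UINT_MAX bytes
 * and nsect comes out far too small (zero for an exactly-4GiB device). */
u_int nsect_md_unchecked(u_int md_size, u_int secsize)
{
    return (md_size * DEV_BSIZE) / secsize;
}

/* The vnode case: va_size / secsize is a 64-bit quotient that is silently
 * narrowed when it is stored into a u_int nsect. */
u_int nsect_vnode_unchecked(int64_t va_size, u_int secsize)
{
    return (u_int)(va_size / secsize);
}

/* Checked versions: do the arithmetic in 64 bits and reject any count that
 * does not fit the u_int field.  Return the sector count, or a negative errno
 * (EINVAL for bad arguments, ERANGE when nsect would overflow). */
int64_t nsect_md_checked(u_int md_size, u_int secsize)
{
    uint64_t bytes, n;

    if (secsize == 0)
        return -EINVAL;
    bytes = (uint64_t)md_size * DEV_BSIZE;  /* < 2^41, cannot wrap in 64 bits */
    n = bytes / secsize;                    /* exceeds UINT_MAX when secsize < DEV_BSIZE */
    if (n > UINT_MAX)
        return -ERANGE;
    return (int64_t)n;
}

int64_t nsect_vnode_checked(int64_t va_size, u_int secsize)
{
    uint64_t n;

    if (secsize == 0 || va_size < 0)
        return -EINVAL;
    n = (uint64_t)va_size / secsize;
    if (n > UINT_MAX)
        return -ERANGE;
    return (int64_t)n;
}

int main(void)
{
    /* Constructed inputs: an exactly-4GiB malloc device and a 3TiB backing file. */
    u_int four_gib_sectors = 8u << 20;        /* 2^23 sectors * 512 bytes = 2^32 bytes */
    int64_t three_tib = (int64_t)3 << 40;

    printf("4GiB md, unchecked:    nsect=%u\n", nsect_md_unchecked(four_gib_sectors, 512));
    printf("4GiB md, checked:      %lld\n", (long long)nsect_md_checked(four_gib_sectors, 512));
    printf("3TiB vnode, unchecked: nsect=%u\n", nsect_vnode_unchecked(three_tib, 512));
    printf("3TiB vnode, checked:   %lld (-ERANGE is %d)\n",
           (long long)nsect_vnode_checked(three_tib, 512), -ERANGE);
    return 0;
}
```

The md-case check trips exactly where the message says btodb() stops helping: when secsize is smaller than DEV_BSIZE the byte count may fit but the sector count still exceeds UINT_MAX. In the kernel a range check like this only turns silent wraparound into a rejected configuration; removing the limit itself means widening the u_int fields in md's ABI, which is the harder fix the message refers to.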