Date:      Fri, 28 Sep 2018 14:11:38 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r338999 - head/sys/vm
Message-ID:  <201809281411.w8SEBcS2078040@repo.freebsd.org>

Author: kib
Date: Fri Sep 28 14:11:38 2018
New Revision: 338999
URL: https://svnweb.freebsd.org/changeset/base/338999

Log:
  Correct vm_fault_copy_entry() handling of backing file truncation
  after the file mapping was wired.
  
  If a wired map entry is backed by a vnode and the file is truncated,
  corresponding pages are invalidated.  vm_fault_copy_entry() should be
  aware of it and allow for invalid pages past the end of file.  Also, such
  pages should not be mapped into userspace.  If userspace accesses the
  truncated part of the mapping later, it gets a signal; there is no way
  the kernel can prevent the page fault.
  
  Reported by:	andrew using syzkaller
  Reviewed by:	alc
  Sponsored by:	The FreeBSD Foundation
  Approved by:	re (gjb)
  MFC after:	1 week
  Differential revision:	https://reviews.freebsd.org/D17323

Modified:
  head/sys/vm/vm_fault.c

Modified: head/sys/vm/vm_fault.c
==============================================================================
--- head/sys/vm/vm_fault.c	Fri Sep 28 14:11:01 2018	(r338998)
+++ head/sys/vm/vm_fault.c	Fri Sep 28 14:11:38 2018	(r338999)
@@ -1739,6 +1739,13 @@ again:
 			dst_m = src_m;
 			if (vm_page_sleep_if_busy(dst_m, "fltupg"))
 				goto again;
+			if (dst_m->pindex >= dst_object->size)
+				/*
+				 * We are upgrading.  Index can occur
+				 * out of bounds if the object type is
+				 * vnode and the file was truncated.
+				 */
+				break;
 			vm_page_xbusy(dst_m);
 			KASSERT(dst_m->valid == VM_PAGE_BITS_ALL,
 			    ("invalid dst page %p", dst_m));
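Review bot: The multi-line comment is placed between the `if (dst_m->pindex >= dst_object->size)` condition and its unbraced `break;` body; style(9) puts such comments above the `if`, and as written the lone `break;` after a five-line comment is easy to misread as a separate statement. Suggest moving the comment above the condition, or bracing the body. The position of the check is right: it runs after `vm_page_sleep_if_busy()` and before `vm_page_xbusy()`, so nothing has to be unbusied on the early exit. It would also help to state in the comment why `break` rather than `continue` is correct, i.e. that every remaining page of the entry has a higher index and is therefore also past end of file, which holds only if the enclosing loop walks `pindex` in increasing order (not visible in this hunk).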