vm_phys: Make sure that vm_phys_enq_chunk() stays in bounds

vm_phys_enq_chunk() inserts a run of pages into the buddy queues. When lazy initialization is enabled, only the first page of each run is initialized; vm_phys_enq_chunk() thus initializes the page following the just-inserted run. This fails to account for the possibility that the page following the run doesn't belong to the segment. Handle that in vm_phys_enq_chunk(). Reported by: KASAN Reported by: syzbot+1097ef4cee8dfb240e31@syzkaller.appspotmail.com Fixes: b16b4c22d2 ("vm_page: Implement lazy page initialization")
2024-10-01 14:14:56 +00:00 · 2024-06-14 10:45:02 -04:00 · 2024-06-14 10:45:02 -04:00 · 517c585458
parent 80b4232924
commit 517c585458
1 changed files with 6 additions and 2 deletions
--- a/sys/vm/vm_phys.c
+++ b/sys/vm/vm_phys.c
@ -711,12 +711,16 @@ vm_phys_enq_chunk(struct vm_freelist *fl, vm_page_t m, int order, int tail)
 #ifdef VM_FREEPOOL_LAZYINIT
 	if (__predict_false(m->pool == VM_FREEPOOL_LAZYINIT)) {
 		vm_page_t m_next;
+		vm_paddr_t pa;
 		int npages;

 		npages = 1 << order;
 		m_next = m + npages;
-		vm_page_init_page(m_next, m->phys_addr + ptoa(npages), m->segind,
-		    VM_FREEPOOL_LAZYINIT);
+		pa = m->phys_addr + ptoa(npages);
+		if (pa < vm_phys_segs[m->segind].end) {
+			vm_page_init_page(m_next, pa, m->segind,
+			    VM_FREEPOOL_LAZYINIT);
+		}
 	}
 #endif
 }