Correct vm_fault_copy_entry() handling of backing file truncation
after the file mapping was wired. if a wired map entry is backed by vnode and the file is truncated, corresponding pages are invalidated. vm_fault_copy_entry() should be aware of it and allow for invalid pages past end of file. Also, such pages should be not mapped into userspace. If userspace accesses the truncated part of the mapping later, it gets a signal, there is no way kernel can prevent the page fault. Reported by: andrew using syzkaller Reviewed by: alc Sponsored by: The FreeBSD Foundation Approved by: re (gjb) MFC after: 1 week Differential revision: https://reviews.freebsd.org/D17323
This commit is contained in:
parent
9f25ab83f9
commit
c62637d679
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=338999
@ -1739,6 +1739,13 @@ vm_fault_copy_entry(vm_map_t dst_map, vm_map_t src_map,
|
||||
dst_m = src_m;
|
||||
if (vm_page_sleep_if_busy(dst_m, "fltupg"))
|
||||
goto again;
|
||||
if (dst_m->pindex >= dst_object->size)
|
||||
/*
|
||||
* We are upgrading. Index can occur
|
||||
* out of bounds if the object type is
|
||||
* vnode and the file was truncated.
|
||||
*/
|
||||
break;
|
||||
vm_page_xbusy(dst_m);
|
||||
KASSERT(dst_m->valid == VM_PAGE_BITS_ALL,
|
||||
("invalid dst page %p", dst_m));
|
||||
|
Loading…
Reference in New Issue
Block a user