Correct vm_fault_copy_entry() handling of backing file truncation
after the file mapping was wired.

If a wired map entry is backed by a vnode and the file is truncated,
corresponding pages are invalidated.  vm_fault_copy_entry() should be
aware of it and allow for invalid pages past the end of the file. Also, such
pages should not be mapped into userspace.  If userspace accesses the
truncated part of the mapping later, it gets a signal; there is no way the
kernel can prevent the page fault.

Reported by:	andrew using syzkaller
Reviewed by:	alc
Sponsored by:	The FreeBSD Foundation
Approved by:	re (gjb)
MFC after:	1 week
Differential revision:	https://reviews.freebsd.org/D17323
Konstantin Belousov 2018-09-28 14:11:38 +00:00
parent 9f25ab83f9
commit c62637d679
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=338999
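The sequence the commit message describes can be reproduced from userland: wire a private file mapping, shrink the file, then touch the part of the mapping that no longer has a backing page. The program below is an added example, not FreeBSD code and not the syzkaller reproducer; it assumes a POSIX system that delivers SIGBUS for accesses to file-backed pages past EOF (FreeBSD and Linux both do), a writable scratch directory, and that mlock() may be refused in a sandbox (reported, not fatal). The mprotect() step is my assumption about how to reach the "upgrading" case the hunk comments on: adding write permission to a wired, needs-copy entry; the kernel-side check itself is of course not observable from here.

```c
/* Added example: userland view of the truncated-after-wiring hazard.
 * Not FreeBSD code.  Assumes POSIX, SIGBUS on file accesses past EOF. */
#ifdef __linux__
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_signo;

static void on_fault(int signo)
{
	fault_signo = signo;
	siglongjmp(fault_env, 1);
}

/* Read one byte at p.  Returns 0 if the read completed, else the signal
 * (SIGBUS or SIGSEGV) the kernel delivered instead of the byte. */
static int probe_byte(volatile unsigned char *p)
{
	struct sigaction sa, old_bus, old_segv;
	int rc;

	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = on_fault;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGBUS, &sa, &old_bus);
	sigaction(SIGSEGV, &sa, &old_segv);
	fault_signo = 0;
	if (sigsetjmp(fault_env, 1) == 0) {
		volatile unsigned char sink = *p;	/* the access under test */
		(void)sink;
		rc = 0;
	} else {
		rc = fault_signo;
	}
	sigaction(SIGBUS, &old_bus, NULL);
	sigaction(SIGSEGV, &old_segv, NULL);
	return rc;
}

/* Unlinked scratch file; /tmp first, current directory as fallback. */
static int make_scratch(void)
{
	static const char *const tmpl[] = { "/tmp/wiredtruncXXXXXX", "./wiredtruncXXXXXX" };
	char path[64];
	size_t i;

	for (i = 0; i < sizeof(tmpl) / sizeof(tmpl[0]); i++) {
		strcpy(path, tmpl[i]);
		int fd = mkstemp(path);
		if (fd >= 0) {
			unlink(path);
			return fd;
		}
	}
	return -1;
}

struct truncation_result {
	int wired;	/* 1 if mlock() succeeded, 0 if it was refused */
	int in_file;	/* signal from touching the page still inside the file (expect 0) */
	int past_eof;	/* signal from touching the truncated page (expect SIGBUS) */
};

/* Map two pages of a scratch file MAP_PRIVATE, wire them, shrink the file
 * to one page, upgrade the mapping to writable, then touch both pages.
 * Returns 0 on success, -1 if the setup itself failed. */
int run_truncation_demo(struct truncation_result *r)
{
	long pg = sysconf(_SC_PAGESIZE);
	unsigned char *map = MAP_FAILED;
	int fd, ret = -1;

	if ((fd = make_scratch()) < 0)
		return -1;
	if (ftruncate(fd, 2 * pg) != 0)
		goto out;
	map = mmap(NULL, 2 * pg, PROT_READ, MAP_PRIVATE, fd, 0);
	if (map == MAP_FAILED)
		goto out;
	/* Wiring is the precondition in the commit message. */
	r->wired = (mlock(map, 2 * pg) == 0);
	if (ftruncate(fd, pg) != 0)	/* drop the file's second page */
		goto out;
	/* Assumed to reach the "upgrading" path on FreeBSD: write permission
	 * added to a wired, needs-copy entry. */
	if (mprotect(map, 2 * pg, PROT_READ | PROT_WRITE) != 0)
		goto out;
	r->in_file = probe_byte(map);
	r->past_eof = probe_byte(map + pg);
	ret = 0;
out:
	if (map != MAP_FAILED)
		munmap(map, 2 * pg);
	close(fd);
	return ret;
}

int main(void)
{
	struct truncation_result r;

	if (run_truncation_demo(&r) != 0) {
		perror("setup");
		return 1;
	}
	printf("wired=%d in_file=%d past_eof=%d (SIGBUS=%d)\n",
	    r.wired, r.in_file, r.past_eof, SIGBUS);
	return 0;
}
```

The in-file page reads back normally while the page beyond the new EOF faults with SIGBUS, which is exactly the outcome the message says the kernel cannot avoid: the mapping still covers the range, but there is no page to map there. Before the fix, the kernel-side walk in vm_fault_copy_entry() was the part that could not cope with that state; from userland the only difference is whether the machine survives the mprotect() call.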


@ -1739,6 +1739,13 @@ vm_fault_copy_entry(vm_map_t dst_map, vm_map_t src_map,
dst_m = src_m;
if (vm_page_sleep_if_busy(dst_m, "fltupg"))
goto again;
if (dst_m->pindex >= dst_object->size)
/*
* We are upgrading. Index can occur
* out of bounds if the object type is
* vnode and the file was truncated.
*/
break;
vm_page_xbusy(dst_m);
KASSERT(dst_m->valid == VM_PAGE_BITS_ALL,
("invalid dst page %p", dst_m));
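Review bot: the new `break` at the pindex check ends the whole loop rather than skipping one page, and the comment only explains why the index can be out of range, not why stopping is correct; if the loop walks pindex in increasing order (not visible in this hunk), every later page is also past dst_object->size, and a reader who does not know that will read `break` as a typo for `continue`. Worth one more sentence in the comment, e.g. "All later pages are past EOF as well, so stop copying here." The placement itself looks right: the check comes after vm_page_sleep_if_busy() (which restarts at `again` if it slept, so the size comparison is redone after any lock drop) and before vm_page_xbusy() and the `KASSERT(dst_m->valid == VM_PAGE_BITS_ALL, ...)`, so a page invalidated by truncation is neither left busied on the way out nor allowed to trip the assertion. Minor style point: an unbraced `if` with a four-line comment between the condition and its `break;` is easy to misread; moving the comment above the `if` or bracing the body would help.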