From e795a04083119a5e0229a676c81f92c828ec747b Mon Sep 17 00:00:00 2001
From: Konstantin Belousov
Date: Sat, 18 Apr 2020 03:07:18 +0000
Subject: [PATCH] The pa argument for sendfile_iodone() is not necessary a slice of sfio->pa. It is true for zfs, but it is not for e.g. vnode or buffer pagers. When fixing bogus pages, fix them in both places. Rely on the fact that pa[0] must have been invalid so it cannot be bogus.
Reported and tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
---
 sys/kern/kern_sendfile.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/sys/kern/kern_sendfile.c b/sys/kern/kern_sendfile.c
index 0ba784ee07d1..e1715fd55afd 100644
--- a/sys/kern/kern_sendfile.c
+++ b/sys/kern/kern_sendfile.c
@@ -295,10 +295,12 @@ sendfile_iodone(void *arg, vm_page_t *pa, int count, int error)
 * unbusied the swapped-in pages, they can become
 * invalid under us.
 */
+ MPASS(count == 0 || pa[0] != bogus_page);
 for (i = 0; i < count; i++) {
 if (pa[i] == bogus_page) {
- pa[i] = vm_page_relookup(sfio->obj,
- sfio->pindex0 + i + (pa - sfio->pa));
+ sfio->pa[(pa[0]->pindex - sfio->pindex0) + i] =
+ pa[i] = vm_page_relookup(sfio->obj,
+ pa[0]->pindex + i);
 KASSERT(pa[i] != NULL,
 ("%s: page %p[%d] disappeared",
 __func__, pa, i));
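Review bot: The new store to `sfio->pa[(pa[0]->pindex - sfio->pindex0) + i]` uses an index derived from `pa[0]->pindex` with no range check, and the only guard, the added `MPASS`, is an assertion that kernels built without INVARIANTS do not evaluate. If a pager ever hands back pages outside the window that starts at `sfio->pindex0`, the write lands outside `sfio->pa`. I would assert the window next to the `MPASS`, for example `KASSERT(count == 0 || pa[0]->pindex >= sfio->pindex0, ("%s: page %p before sfio window", __func__, pa[0]));`, plus a matching upper bound against the array length kept in `sfio` (that field is not visible in this hunk). Splitting the chained assignment into two statements would also make it obvious that both arrays receive the relooked-up page. The body of sendfile_iodone() starts and ends outside the hunk.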