From a17937bdd0bb157d1a4bd739cc7bac7767b7ecbf Mon Sep 17 00:00:00 2001 From: Konstantin Belousov Date: Tue, 29 Apr 2014 18:42:37 +0000 Subject: [PATCH] For the VM_PHYSSEG_DENSE case, checking the requested range to fall into the area backed by vm_page_array wrongly compared end with vm_page_array_size. It should be adjusted by first_page index to be correct. Also, the corner and incorrect case of the requested range extending after the end of the vm_page_array was incorrectly handled by allocating the segment. Fix the comparison for the end of range and return EINVAL if the end extends beyond vm_page_array. Discussed with: royger Sponsored by: The FreeBSD Foundation MFC after: 1 week --- sys/vm/vm_phys.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/sys/vm/vm_phys.c b/sys/vm/vm_phys.c index d8fe232c0c09..14960c885734 100644 --- a/sys/vm/vm_phys.c +++ b/sys/vm/vm_phys.c @@ -551,7 +551,9 @@ vm_phys_fictitious_reg_range(vm_paddr_t start, vm_paddr_t end, #ifdef VM_PHYSSEG_DENSE pi = atop(start); - if (pi >= first_page && atop(end) < vm_page_array_size) { + if (pi >= first_page && pi < vm_page_array_size + first_page) { + if (atop(end) >= vm_page_array_size + first_page) + return (EINVAL); fp = &vm_page_array[pi - first_page]; malloced = FALSE; } else
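Review bot: In the added inner check, `atop(end) >= vm_page_array_size + first_page` rejects a range whose end lands exactly on the end of vm_page_array. If `end` is the exclusive upper bound of the range (the hunk does not show which it is), such a range is fully backed by the array and should be accepted, so the comparison wants `>` rather than `>=`; if `end` is inclusive, a one-line comment saying so would settle the question for the next reader. Separately, the outer test looks only at `pi`, so a range that starts below first_page and ends inside the array still takes the else branch and gets a separately allocated segment. The commit message covers only the case of the end running past the array, so it is worth stating whether that overlap is intended or should also return EINVAL.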