panic in PTE_set_all()
The code path in immu_map_dvmaseg() that deals with a situation when a DMA request needs more than IMMU_NDCK cookies passes a too high npages argument to dvma_map(), leading to a panic in PTE_set_all().
The problem is that npages is increased before the block dealing with this situation, but the old value is needed in that block. When the npages argument is one too large, the for loop over the cookies in PTE_set_all() loops all the way to the end, causing an access to dcookies[-1] later and the attempt to map an invalid address. npages needs to be at most the sum of all pages of all the cookies.
Updated by Hans Rosenfeld almost 3 years ago
The fix was tested on a system with IOMMU enabled. No other effects besides fixing that panic.
This change has been in illumos-joyent since around June.
Updated by Electric Monk almost 3 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
commit 2cedd8f0ecbd2b29bf0aac72bb8b7413b0326938 Author: Hans Rosenfeld <firstname.lastname@example.org> Date: 2017-09-20T18:35:31.000Z 8622 panic in PTE_set_all() 8623 IMMU_CONTIG_PADDR is broken for cookies with more than one page 8625 nvme causes bad free panic in IOMMU Reviewed by: Robert Mustacchi <email@example.com> Reviewed by: Jerry Jelinek <firstname.lastname@example.org> Approved by: Garrett D'Amore <email@example.com>