Bug #8622

panic in PTE_set_all()

Added by Hans Rosenfeld about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Category: kernel
Start date: 2017-09-07
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

The code path in immu_map_dvmaseg() that deals with a situation when a DMA request needs more than IMMU_NDCK cookies passes a too high npages argument to dvma_map(), leading to a panic in PTE_set_all().

The problem is that npages is increased before the block dealing with this situation, but the old value is needed in that block. When the npages argument is one too large, the for loop over the cookies in PTE_set_all() loops all the way to the end, causing an access to dcookies[-1] later and the attempt to map an invalid address. npages needs to be at most the sum of all pages of all the cookies.
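A simplified user-space model of the invariant the description ends on (npages may be at most the sum of the pages of all cookies), added here as an example; it is not the illumos code or the fix from the webrev. The names cookie_t, batch_pages(), map_batch() and map_request(), the sample cookies, and the NDCK value of 2 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define PAGE_SIZE 4096u
#define NDCK 2 /* constructed batch limit standing in for IMMU_NDCK */

/* Hypothetical cookie: a physically contiguous run of pages. */
typedef struct { uint64_t paddr; uint64_t npages; } cookie_t;
/* Constructed sample request: three cookies, four pages in total. */
static const cookie_t sample[] = { {0x10000, 1}, {0x20000, 2}, {0x30000, 1} };
static uint64_t out[8];

/* Upper bound for npages: the sum of pages over the batch's cookies. */
static uint64_t batch_pages(const cookie_t *ck, int n) {
    uint64_t sum = 0;
    for (int i = 0; i < n; i++) sum += ck[i].npages;
    return sum;
}

/* Emit one address per page; reject a count the cookies cannot cover,
 * so the walk never steps past the last cookie. Returns pages or -1. */
static int map_batch(const cookie_t *ck, int n, uint64_t npages,
    uint64_t *dst, size_t cap) {
    if (n <= 0 || npages > batch_pages(ck, n) || npages > cap) return -1;
    int j = 0; uint64_t off = 0, done = 0;
    while (done < npages) {
        if (off == ck[j].npages) { j++; off = 0; continue; }
        dst[done++] = ck[j].paddr + (off++) * PAGE_SIZE;
    }
    return (int)done;
}

/* Split into batches of NDCK cookies. buggy != 0 adds the next cookie's
 * pages before the flush (the ordering in the report); otherwise after. */
static int map_request(const cookie_t *ck, int n, int buggy,
    uint64_t *dst, size_t cap) {
    int start = 0, total = 0; uint64_t npages = 0;
    for (int i = 0; i < n; i++) {
        if (buggy) npages += ck[i].npages;
        if (i - start == NDCK) {
            int r = map_batch(ck + start, NDCK, npages, dst + total, cap - (size_t)total);
            if (r < 0) return -1;
            total += r; start = i; npages = buggy ? ck[i].npages : 0;
        }
        if (!buggy) npages += ck[i].npages;
    }
    int r = map_batch(ck + start, n - start, npages, dst + total, cap - (size_t)total);
    return r < 0 ? -1 : total + r;
}

int main(void) { return map_request(sample, 3, 0, out, 8) == 4 ? 0 : 1; }
```

With the count taken after the flush, all four pages map; with the reported ordering, the first batch is asked for four pages while its two cookies hold three, and the bound check rejects it instead of walking past the last cookie.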

History

#1

Updated by Hans Rosenfeld about 2 years ago

Webrev: https://grumpf.hope-2000.org/illumos-8622-8623-8625/

The fix was tested on a system with IOMMU enabled. No other effects besides fixing that panic.

This change has been in illumos-joyent since around June.

#2

Updated by Electric Monk about 2 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit 2cedd8f0ecbd2b29bf0aac72bb8b7413b0326938

commit  2cedd8f0ecbd2b29bf0aac72bb8b7413b0326938
Author: Hans Rosenfeld <hans.rosenfeld@joyent.com>
Date:   2017-09-20T18:35:31.000Z

    8622 panic in PTE_set_all()
    8623 IMMU_CONTIG_PADDR is broken for cookies with more than one page
    8625 nvme causes bad free panic in IOMMU
    Reviewed by: Robert Mustacchi <rm@joyent.com>
    Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
    Approved by: Garrett D'Amore <garrett@damore.org>
