Fri Aug 4 13:15:25 2023 UTC ()
Pull up following revision(s) (requested by riastradh in ticket #1880):

	sys/uvm/uvm_map.c: revision 1.403 (patch)

mmap(2): Avoid arithmetic overflow in search for free space.

PR kern/56900


(martin)
diff -r1.351.2.5 -r1.351.2.6 src/sys/uvm/uvm_map.c


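--- a/src/sys/uvm/uvm_map.c
+++ b/src/sys/uvm/uvm_map.c
@@ -1,14 +1,14 @@
-/* $NetBSD: uvm_map.c,v 1.351.2.5 2023/04/01 16:05:00 martin Exp $ */
+/* $NetBSD: uvm_map.c,v 1.351.2.6 2023/08/04 13:15:25 martin Exp $ */
 
 /*
  * Copyright (c) 1997 Charles D. Cranor and Washington University.
  * Copyright (c) 1991, 1993, The Regents of the University of California.
  *
  * All rights reserved.
  *
  * This code is derived from software contributed to Berkeley by
  * The Mach Operating System project at Carnegie-Mellon University.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -56,27 +56,27 @@
  * School of Computer Science
  * Carnegie Mellon University
  * Pittsburgh PA 15213-3890
  *
  * any improvements or extensions that they make and grant Carnegie the
  * rights to redistribute these changes.
  */
 
 /*
  * uvm_map.c: uvm map operations
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.351.2.5 2023/04/01 16:05:00 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.351.2.6 2023/08/04 13:15:25 martin Exp $");
 
 #include "opt_ddb.h"
 #include "opt_pax.h"
 #include "opt_uvmhist.h"
 #include "opt_uvm.h"
 #include "opt_sysv.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mman.h>
 #include <sys/proc.h>
 #include <sys/pool.h>
 #include <sys/kernel.h>
@@ -2004,27 +2004,41 @@ uvm_map_findspace(struct vm_map *map, va
 				goto nextgap;
 			}
 		}
 	}
 
 	/*
 	 * Note that all UVM_FLAGS_FIXED case is already handled.
 	 */
 	KDASSERT((flags & UVM_FLAG_FIXED) == 0);
 
 	/* Try to find the space in the red-black tree */
 
 	/* Check slot before any entry */
-	hint = topdown ? entry->next->start - length : entry->end;
+	if (topdown) {
+		KASSERTMSG(entry->next->start >= vm_map_min(map),
+		    "map=%p entry=%p entry->next=%p"
+		    " entry->next->start=0x%"PRIxVADDR" min=0x%"PRIxVADDR,
+		    map, entry, entry->next,
+		    entry->next->start, vm_map_min(map));
+		if (length > entry->next->start - vm_map_min(map))
+			hint = vm_map_min(map); /* XXX goto wraparound? */
+		else
+			hint = entry->next->start - length;
+		KASSERT(hint >= vm_map_min(map));
+	} else {
+		hint = entry->end;
+	}
+
 	switch (uvm_map_space_avail(&hint, length, uoffset, align, flags,
 	    topdown, entry)) {
 	case 1:
 		goto found;
 	case -1:
 		goto wraparound;
 	}
 
 nextgap:
 	KDASSERT((flags & UVM_FLAG_FIXED) == 0);
 	/* If there is not enough space in the whole tree, we fail */
 	tmp = ROOT_ENTRY(map);
 	if (tmp == NULL || tmp->maxgap < length)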
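Review bot: The new overflow guard at line 2023 leaves an open question in `/* XXX goto wraparound? */` on line 2024: when `length` exceeds the room between `vm_map_min(map)` and `entry->next->start`, `hint` is set to the map minimum and control still reaches `uvm_map_space_avail()` with a hint that, by the condition just tested, cannot hold `length` bytes below `entry->next`. The switch that follows treats a return of 1 as found and -1 as wraparound and otherwise falls through to `nextgap`, so the outcome of this probe depends on how `uvm_map_space_avail()` judges an undersized slot, which is not visible here. If that rejection is what the code relies on, the comment should state it instead of asking, e.g. `/* no room below entry->next; let uvm_map_space_avail() reject this hint */`; if not, `goto wraparound;` in place of the assignment would make the intent explicit. The reason for the guard — the old `entry->next->start - length` could wrap below `vm_map_min(map)` (PR kern/56900, per the commit message) — also belongs in a comment above `if (topdown) {` so the two asserts read as deliberate. The enclosing uvm_map_findspace() body starts and ends outside the hunk.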