DF-0546
OOB read of lut[] in netmap_mem_ofstophys: page-padding offset maps garbage physical page into userspace
Summary
netmap_mem_ofstophys(:165-195): validates offset<memtotal(:177) then indexes lut[offset/_objsize](:180). memtotal=numclusters*_clustsize(:622), _clustsize rounded UP to PAGE_SIZE(:531-533). memtotal can exceed objtotal*_objsize when clustentries*_objsize not page multiple. Offset in padding tail [objtotal*_objsize,memtotal) -> index>=objtotal -> OOB read past lut array(allocated objtotal entries :565). Bogus 8 bytes interpreted as paddr -> vm_page_getfake -> mapped RW into faulting process. User-influenced via mmap /dev/netmap fault on padding offset. Default pools pack cleanly but dev.netmap.*_size sysctl_RW + VALE private allocators can trigger. Kernel heap info leak + potential arbitrary physical page R/W. Fix: bound idx<objtotal.