Date: Mon, 13 Feb 2023 21:35:56 GMT
Message-Id: <202302132135.31DLZuMh099084@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: d0991948182a - main - vm_fault: Fix a race in vm_fault_soft_fast()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d0991948182a1a149ee84f1b9c4d3e30450c8f0b

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d0991948182a1a149ee84f1b9c4d3e30450c8f0b

commit d0991948182a1a149ee84f1b9c4d3e30450c8f0b
Author:     Mark Johnston
AuthorDate: 2023-02-13 21:24:40 +0000
Commit:     Mark Johnston
CommitDate: 2023-02-13 21:35:47 +0000

    vm_fault: Fix a race in vm_fault_soft_fast()

    When vm_fault_soft_fast() creates a mapping, it releases the VM map lock
    before unbusying the top-level object. Without the map lock, however,
    nothing prevents the VM object from being deallocated while still busy.
    Fix the problem by unbusying the object before releasing the VM map lock.

    If vm_fault_soft_fast() fails to create a mapping, the VM map lock is not
    released, so those cases don't need to change.

    Reported by:    syzkaller
    Reviewed by:    kib (previous version)
    Sponsored by:   The FreeBSD Foundation
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D38527
---
 sys/vm/vm_fault.c | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index 959e67b88a38..87c15e972279 100644
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@@ -338,20 +338,16 @@ vm_fault_soft_fast(struct faultstate *fs) #endif int psind; vm_offset_t vaddr; - enum fault_status res; MPASS(fs->vp == NULL); - res = FAULT_SUCCESS; vaddr = fs->vaddr; vm_object_busy(fs->first_object); m = vm_page_lookup(fs->first_object, fs->first_pindex); /* A busy page can be mapped for read|execute access. */ if (m == NULL || ((fs->prot & VM_PROT_WRITE) != 0 && - vm_page_busied(m)) || !vm_page_all_valid(m)) { - res = FAULT_FAILURE; - goto out; - } + vm_page_busied(m)) || !vm_page_all_valid(m)) + goto fail; m_map = m; psind = 0; #if VM_NRESERVLEVEL > 0 @@ -386,10 +382,8 @@ vm_fault_soft_fast(struct faultstate *fs) #endif if (pmap_enter(fs->map->pmap, vaddr, m_map, fs->prot, fs->fault_type | PMAP_ENTER_NOSLEEP | (fs->wired ? PMAP_ENTER_WIRED : 0), psind) != - KERN_SUCCESS) { - res = FAULT_FAILURE; - goto out; - } + KERN_SUCCESS) + goto fail; if (fs->m_hold != NULL) { (*fs->m_hold) = m; vm_page_wire(m); @@ -398,12 +392,13 @@ vm_fault_soft_fast(struct faultstate *fs) vm_fault_prefault(fs, vaddr, PFBAK, PFFOR, true); VM_OBJECT_RUNLOCK(fs->first_object); vm_fault_dirty(fs, m); + vm_object_unbusy(fs->first_object); vm_map_lookup_done(fs->map, fs->entry); curthread->td_ru.ru_minflt++; - -out: + return (FAULT_SUCCESS); +fail: vm_object_unbusy(fs->first_object); - return (res); + return (FAULT_FAILURE); } static void
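Review bot: In the @@ -338,20 +338,16 @@ hunk, the first early exit becomes a bare `goto fail;` under a two-line `if` condition with the braces removed; that is acceptable by style(9), but it now silently depends on `fail:` only being reachable after `vm_object_busy(fs->first_object)` has run, which holds here because the busy call sits immediately before `vm_page_lookup()`. Dropping `res` is the right simplification since every early exit in this function is a failure and only the tail path succeeds; the one thing to guard against is a later `goto fail` being added above the `vm_object_busy()` call, which would unbusy an object that was never busied.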
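Review bot: In the @@ -386,10 +382,8 @@ hunk, the `pmap_enter()` failure path now jumps to `fail:`, which unbusies the object and returns `FAULT_FAILURE` without calling `vm_map_lookup_done()`; that matches the commit message's point that the map lock stays held on failure. The object read lock that the success path later drops with `VM_OBJECT_RUNLOCK()` is likewise still not dropped on this path, exactly as the old `out:` label did not drop it, so behaviour is unchanged; a one-line comment at the `goto fail` noting that the caller releases the object lock on failure would make that ownership explicit.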
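Review bot: In the @@ -398,12 +392,13 @@ hunk, the added `vm_object_unbusy(fs->first_object);` now runs before `vm_map_lookup_done(fs->map, fs->entry);`, and that ordering is the entire fix: the map lock is what keeps the object from being deallocated, so the busy state has to be dropped while the lock is still held. Because the ordering is load-bearing, a short comment on the new line (for example `/* Unbusy before dropping the map lock; the object may be freed afterwards. */`) would keep a future cleanup from swapping the two calls back. Splitting `out:` into a success return and a `fail:` label with its own `vm_object_unbusy()` is reasonable now that the two paths return different constants, though it does leave two unbusy call sites to keep in sync.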