From nobody Tue Aug 09 19:56:45 2022 X-Original-To: dev-commits-src-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4M2P3L1WNdz3j7Jy; Tue, 9 Aug 2022 19:56:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4M2P3L15Xxz3g52; Tue, 9 Aug 2022 19:56:46 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660075006; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FGrgcJZUfSPjs7aWSVbXfRJs+f36/YlhNGGTI3357e0=; b=Zk8fvqiWoK+xwqn0tiNeWoJC7ltRfOHweZoks+yijl3SdsPBa3wHgatKtPGTMZDgLBMRj2 AXoFdshM469zm6dS+07R5X8H9sutrNIqzeNHd650xlhvJvhq8E6ahlFhqCvl4tYLo9mSUp gx8Ks6I+2lcx/yl1irGR+GYabNBtrr9c46VKlwNNdUfc7fhIigWttN7v8GmLZp96awGb13 SchVv5hV6CaOPlBznDPsJ41d6vXD2KVPoi4J+aHj6D0fiXQ0Pj1Y9Np5FCZRB3+VU4imCS 4yUIHDN4Ar7x5xZ7c9V0WRhp0dgLQVGGuhrqvEOXyQgpMtk5KpyDVAIlYf3EpQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4M2P3L0242zkFc; Tue, 9 Aug 2022 19:56:46 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 279JujO9020953; Tue, 9 Aug 2022 19:56:45 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 279JujfL020952; Tue, 9 Aug 2022 19:56:45 GMT (envelope-from git) Date: Tue, 9 Aug 2022 19:56:45 GMT Message-Id: <202208091956.279JujfL020952@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 3ea8c7ad90f7 - stable/13 - vm_fault: Shoot down shared mappings in vm_fault_copy_entry() List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 3ea8c7ad90f75129c52a2b64213c5578af23dc8d Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1660075006; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=FGrgcJZUfSPjs7aWSVbXfRJs+f36/YlhNGGTI3357e0=; b=q98SP6OfibMWgjYB9h3LbbJS8mBpK7Z7cu1LOgMuxs/AXQwXD+0vWb1NPip/XIN4hTqhgJ aiDCXQZXutVvTN31tu7pVv2q07vH8w5lQW8J6q/NH0n6cv7Spgo5FSlxjFh4uHxR4vMKNq HPsc25sX2XuizGpF5DlhEJLWaz0WTqqgQ4UKWFpLQ71u9erF01ohe8/P4DnFP6K0Xbx80T Ud0yk/5K8hAJ31Z/NwJFm5Bl7W4wlEhKGcQtjN2B4RlGVGhx0m41RwgaLHY2SDhg/Sort4 VAOgoMkL9CaiolFebLlwiooobz9KZDD6mh3TYFnpKChYsKdUBH8CkDr7gwwf+A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1660075006; a=rsa-sha256; cv=none; b=T0ilaR1q+ig4MQE0hvuLrxyqRBI3Fs8WiD701bEQumIE7dA8cXs52Yh4eRuWHU9r9iYqFO FEjDveptn/n/GRtVDGKQO0cSPIpm5dGvAPcSFdbUFuYT4whV2zw1DUZS1R9hkGdlEMkpGR yPczxAvtkFK62F6crl2iHbqV6mWAK0dxWfJuLb8zwvdveP1DGIuDxxSQBTZmshrwyVvI/j lZT3dAt5mx8Jq1NTaXmEazVcoTSwaIj5wCeBlpRtXqxQN4COipjZvEyCZIBB/XBF8jfmGt oNXb3vQBxZuR38gEdHZhkMQiomj/CsN+64kL8RWaZO1dxa7ZAbj4SuSCMiVv3Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=3ea8c7ad90f75129c52a2b64213c5578af23dc8d commit 3ea8c7ad90f75129c52a2b64213c5578af23dc8d Author: Mark Johnston AuthorDate: 2022-07-25 20:53:21 +0000 Commit: Mark Johnston CommitDate: 2022-08-09 19:47:40 +0000 vm_fault: Shoot down shared mappings in vm_fault_copy_entry() As in vm_fault_cow(), it's possible, albeit rare, for multiple vm_maps to share a shadow object. When copying a page from a backing object into the shadow, all mappings of the source page must therefore be removed. Otherwise, future operations on the object tree may detect that the source page is fully shadowed and thus can be freed. Approved by: so Security: FreeBSD-SA-22:11.vm Reviewed by: alc, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35635 (cherry picked from commit 5c50e900ad779fccbf0a230bfb6a68a3e93ccf60) --- sys/vm/vm_fault.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index a6c7a6092f40..32b09fc469d7 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c @@ -2094,6 +2094,13 @@ again: VM_OBJECT_WLOCK(dst_object); goto again; } + + /* + * See the comment in vm_fault_cow(). + */ + if (src_object == dst_object && + (object->flags & OBJ_ONEMAPPING) == 0) + pmap_remove_all(src_m); pmap_copy_page(src_m, dst_m); /*