git: 03d104888cae - main - arm64: initialize pcb in the TBI/PAC/etc. fault case

From: Kyle Evans <kevans_at_FreeBSD.org>
Date: Fri, 01 Sep 2023 02:10:54 UTC
The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=03d104888caea595960605a9ff010da7f39133dc

commit 03d104888caea595960605a9ff010da7f39133dc
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2023-09-01 02:10:38 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2023-09-01 02:10:38 +0000

    arm64: initialize pcb in the TBI/PAC/etc. fault case
    
    After 2c10be9e06d, we may jump to the bad_far label without `pcb` being
    set, resulting in a follow-up fault as we may dereference it immediately
    after the jump if td_intr_nesting_level == 0.  In this branch, it should
    be safe to dereference `td` as we're not handling the special case
    mentioned below of accessing it during promotion/demotion.
    
    This seems to fix a null ptr deref I hit during my most recent pkgbase
    build attempt on the Windows DevKit, though that was admittedly
    encountered while we were on the way to a panic from an apparent
    use-after-free in ZFS bits.
    
    Reviewed by:    andrew, markj
    Fixes:  2c10be9e06d ("arm64: Handle translation faults for thread [..]")
    Differential Revision:  https://reviews.freebsd.org/D41677
---
 sys/arm64/arm64/trap.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sys/arm64/arm64/trap.c b/sys/arm64/arm64/trap.c
index 15f1f5e86a08..d1a48a2fd9f4 100644
--- a/sys/arm64/arm64/trap.c
+++ b/sys/arm64/arm64/trap.c
@@ -277,6 +277,7 @@ data_abort(struct thread *td, struct trapframe *frame, uint64_t esr,
 	} else if (!ADDR_IS_CANONICAL(far)) {
 		/* We received a TBI/PAC/etc. fault from the kernel */
 		error = KERN_INVALID_ADDRESS;
+		pcb = td->td_pcb;
 		goto bad_far;
 	} else if (ADDR_IS_KERNEL(far)) {
 		/*