Date: Tue, 9 Aug 2022 19:56:45 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 3ea8c7ad90f7 - stable/13 - vm_fault: Shoot down shared mappings in vm_fault_copy_entry() Message-ID: <202208091956.279JujfL020952@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=3ea8c7ad90f75129c52a2b64213c5578af23dc8d commit 3ea8c7ad90f75129c52a2b64213c5578af23dc8d Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2022-07-25 20:53:21 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-08-09 19:47:40 +0000 vm_fault: Shoot down shared mappings in vm_fault_copy_entry() As in vm_fault_cow(), it's possible, albeit rare, for multiple vm_maps to share a shadow object. When copying a page from a backing object into the shadow, all mappings of the source page must therefore be removed. Otherwise, future operations on the object tree may detect that the source page is fully shadowed and thus can be freed. Approved by: so Security: FreeBSD-SA-22:11.vm Reviewed by: alc, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35635 (cherry picked from commit 5c50e900ad779fccbf0a230bfb6a68a3e93ccf60) --- sys/vm/vm_fault.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index a6c7a6092f40..32b09fc469d7 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c @@ -2094,6 +2094,13 @@ again: VM_OBJECT_WLOCK(dst_object); goto again; } + + /* + * See the comment in vm_fault_cow(). + */ + if (src_object == dst_object && + (object->flags & OBJ_ONEMAPPING) == 0) + pmap_remove_all(src_m); pmap_copy_page(src_m, dst_m); /*
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202208091956.279JujfL020952>