From: Mark Johnston
Subject: git: f404109e90ee - main - vm_fault: Avoid creating clean, writeable superpage mappings
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-BeenThere: dev-commits-src-all@freebsd.org
Sender: owner-dev-commits-src-all@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: f404109e90eee7f67ddaae3f52286d524a190fa0
Auto-Submitted: auto-generated
Date: Fri, 27 Mar 2026 00:30:55 +0000
Message-Id: <69c5cfbf.449b9.81b74b3@gitrepo.freebsd.org>

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=f404109e90eee7f67ddaae3f52286d524a190fa0

commit f404109e90eee7f67ddaae3f52286d524a190fa0
Author:     Mark Johnston
AuthorDate: 2026-03-27 00:25:31 +0000
Commit:     Mark Johnston
CommitDate: 2026-03-27 00:25:31 +0000

vm_fault: Avoid creating clean, writeable superpage mappings

The pmap layer requires writeable superpage mappings to be dirty. Otherwise, during demotion, we may miss a hw update of the PDE which sets the dirty bit.

When creating a managed superpage mapping without promotion, i.e., with pmap_enter(psind == 1), we must therefore ensure that a writeable mapping is created with the dirty bit pre-set. To that end, vm_fault_soft_fast(), when handling a map entry with write permissions, checks whether all constituent pages are dirty, and if so, converts the fault to a write fault, so that pmap_enter() does the right thing. If one or more pages is not dirty, we simply create a 4K mapping.

vm_fault_populate(), which may also create superpage mappings, did not do this, and thus could create mappings which violate the invariant described above.
Modify it to instead check whether all constituent pages are already dirty, and if so, convert the fault to a write fault. Otherwise the mapping is downgraded to read-only. Reported by: ashafer Reviewed by: alc, kib MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D55536 --- sys/vm/vm_fault.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index 88438320a17a..125311912c20 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c @@ -645,6 +645,8 @@ vm_fault_populate(struct faultstate *fs) pager_last = map_last; } for (pidx = pager_first; pidx <= pager_last; pidx += npages) { + bool writeable; + m = vm_page_lookup(fs->first_object, pidx); vaddr = fs->entry->start + IDX_TO_OFF(pidx) - fs->entry->offset; KASSERT(m != NULL && m->pindex == pidx, @@ -655,14 +657,28 @@ vm_fault_populate(struct faultstate *fs) !pmap_ps_enabled(fs->map->pmap))) psind--; + writeable = (fs->prot & VM_PROT_WRITE) != 0; npages = atop(pagesizes[psind]); for (i = 0; i < npages; i++) { vm_fault_populate_check_page(&m[i]); vm_fault_dirty(fs, &m[i]); + + /* + * If this is a writeable superpage mapping, all + * constituent pages and the new mapping should be + * dirty, otherwise the mapping should be read-only. + */ + if (writeable && psind > 0 && + (m[i].oflags & VPO_UNMANAGED) == 0 && + m[i].dirty != VM_PAGE_BITS_ALL) + writeable = false; } + if (psind > 0 && writeable) + fs->fault_type |= VM_PROT_WRITE; VM_OBJECT_WUNLOCK(fs->first_object); - rv = pmap_enter(fs->map->pmap, vaddr, m, fs->prot, fs->fault_type | - (fs->wired ? PMAP_ENTER_WIRED : 0), psind); + rv = pmap_enter(fs->map->pmap, vaddr, m, + fs->prot & ~(writeable ? 0 : VM_PROT_WRITE), + fs->fault_type | (fs->wired ? PMAP_ENTER_WIRED : 0), psind); /* * pmap_enter() may fail for a superpage mapping if additional
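
Review bot: In the second hunk (@@ -655,14 +657,28 @@), `fs->fault_type |= VM_PROT_WRITE;` updates the shared faultstate inside the `for (pidx = pager_first; ...)` loop, so the write bit persists into every later iteration. After one fully dirty superpage has been mapped, subsequent iterations call `vm_fault_dirty(fs, &m[i])` and `pmap_enter()` with a write fault type even when they map a psind == 0 page, and when a later superpage is downgraded (`writeable = false`) the flags argument still carries VM_PROT_WRITE while the prot argument has it masked out. Consider keeping the adjusted fault type in a per-iteration local, initialised from `fs->fault_type` next to `writeable = (fs->prot & VM_PROT_WRITE) != 0;`, and passing that to pmap_enter() instead of modifying `fs`. As a readability point in the same hunk, `fs->prot & ~(writeable ? 0 : VM_PROT_WRITE)` would be easier to follow as a local prot value computed before the call, and the new comment could state that a write to the read-only superpage will take another fault, since this differs from the 4K fallback the commit message describes for vm_fault_soft_fast().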