From owner-dev-commits-src-all@freebsd.org Thu Feb 25 20:28:57 2021
Date: Thu, 25 Feb 2021 20:28:57 GMT
Message-Id: <202102252028.11PKSvQL040951@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ryan Libby
Subject: git: d7671ad8d6eb - main - Close races in vm object chain traversal for unlock
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rlibby
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d7671ad8d6ebe205933628466dc0a52d32eea2e8
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-all@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for all branches of the src repository
X-List-Received-Date: Thu, 25 Feb 2021 20:28:57 -0000

The branch main has been updated by rlibby:

URL: https://cgit.FreeBSD.org/src/commit/?id=d7671ad8d6ebe205933628466dc0a52d32eea2e8

commit d7671ad8d6ebe205933628466dc0a52d32eea2e8
Author:     Ryan Libby
AuthorDate: 2021-02-25 20:11:19 +0000
Commit:     Ryan Libby
CommitDate: 2021-02-25 20:11:19 +0000

    Close races in vm object chain traversal for unlock

    We were unlocking the vm object before reading the backing_object field.
    In the meantime, the object could be freed and reused. This could cause
    us to go off the rails in the object chain traversal, failing to unlock
    the rest of the objects in the original chain and corrupting the lock
    state of the victim chain.

    Reviewed by: bdrewery, kib, markj, vangyzen
    MFC after: 3 days
    Sponsored by: Dell EMC Isilon
    Differential Revision: https://reviews.freebsd.org/D28926
---
 sys/fs/procfs/procfs_map.c | 5 +++--
 sys/kern/kern_proc.c       | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/fs/procfs/procfs_map.c b/sys/fs/procfs/procfs_map.c index a9893e5e10f0..e4969d795dcc 100644 --- a/sys/fs/procfs/procfs_map.c +++ b/sys/fs/procfs/procfs_map.c
@@ -84,7 +84,7 @@ procfs_doprocmap(PFS_FILL_ARGS) struct vnode *vp; char *fullpath, *freepath, *type; struct ucred *cred; - vm_object_t obj, tobj, lobj; + vm_object_t lobj, nobj, obj, tobj; int error, privateresident, ref_count, resident, shadow_count, flags; vm_offset_t e_start, e_end; vm_eflags_t e_eflags; @@ -144,7 +144,8 @@ procfs_doprocmap(PFS_FILL_ARGS) } if (obj != NULL) kern_proc_vmmap_resident(map, entry, &resident, &super); - for (tobj = obj; tobj != NULL; tobj = tobj->backing_object) { + for (tobj = obj; tobj != NULL; tobj = nobj) { + nobj = tobj->backing_object; if (tobj != obj && tobj != lobj) VM_OBJECT_RUNLOCK(tobj); } diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c index f8fed2573712..817cb9766bbf 100644 --- a/sys/kern/kern_proc.c +++ b/sys/kern/kern_proc.c @@ -2505,7 +2505,7 @@ kern_proc_vmmap_out(struct proc *p, struct sbuf *sb, ssize_t maxlen, int flags) vm_map_entry_t entry, tmp_entry; struct vattr va; vm_map_t map; - vm_object_t obj, tobj, lobj; + vm_object_t lobj, nobj, obj, tobj; char *fullpath, *freepath; struct kinfo_vmentry *kve; struct ucred *cred; @@ -2551,8 +2551,8 @@ kern_proc_vmmap_out(struct proc *p, struct sbuf *sb, ssize_t maxlen, int flags) &kve->kve_resident, &super); if (super) kve->kve_flags |= KVME_FLAG_SUPER; - for (tobj = obj; tobj != NULL; - tobj = tobj->backing_object) { + for (tobj = obj; tobj != NULL; tobj = nobj) { + nobj = tobj->backing_object; if (tobj != obj && tobj != lobj) VM_OBJECT_RUNLOCK(tobj); }
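Review bot: In the procfs_doprocmap() unlock loop (hunk at -144,7), the new `nobj = tobj->backing_object;` line carries an ordering requirement that nothing in the code states: it has to execute before `VM_OBJECT_RUNLOCK(tobj)`, because once tobj is unlocked it can be freed and reused, as the commit message explains. Please add a short comment above the assignment saying so; otherwise a later cleanup can fold the load back into the increment clause of the for statement and reintroduce the race.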
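Review bot: The unlock loop in kern_proc_vmmap_out() (hunk at -2551,8) is now line for line the same as the one in procfs_doprocmap(), `for (tobj = obj; tobj != NULL; tobj = nobj)` with the `tobj != obj && tobj != lobj` test, and both copies had the same bug. Consider moving the loop into one shared helper that takes obj and lobj, so the read-before-unlock ordering is maintained in a single place and the two copies cannot drift apart.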