Date: Mon, 27 Feb 2023 13:28:17 GMT
Message-Id: <202302271328.31RDSHfd056227@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 2f57ef2d3b8f - stable/13 - vm_fault: Fix a race in vm_fault_soft_fast()

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=2f57ef2d3b8f776a28e195cd780a3bb4924570be

commit 2f57ef2d3b8f776a28e195cd780a3bb4924570be
Author:     Mark Johnston
AuthorDate: 2023-02-13 21:24:40 +0000
Commit:     Mark Johnston
CommitDate: 2023-02-27 13:22:33 +0000

    vm_fault: Fix a race in vm_fault_soft_fast()

    When vm_fault_soft_fast() creates a mapping, it releases the VM map lock
    before unbusying the top-level object.  Without the map lock, however,
    nothing prevents the VM object from being deallocated while still busy.

    Fix the problem by unbusying the object before releasing the VM map
    lock.  If vm_fault_soft_fast() fails to create a mapping, the VM map
    lock is not released, so those cases don't need to change.

    Reported by:    syzkaller
    Reviewed by:    kib (previous version)
    Sponsored by:   The FreeBSD Foundation
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D38527

    (cherry picked from commit d0991948182a1a149ee84f1b9c4d3e30450c8f0b)
---
 sys/vm/vm_fault.c | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index 605cf1203554..4872990c33ec 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c
@@ -322,20 +322,16 @@ vm_fault_soft_fast(struct faultstate *fs) #endif int psind; vm_offset_t vaddr; - enum fault_status res; MPASS(fs->vp == NULL); - res = FAULT_SUCCESS; vaddr = fs->vaddr; vm_object_busy(fs->first_object); m = vm_page_lookup(fs->first_object, fs->first_pindex); /* A busy page can be mapped for read|execute access. */ if (m == NULL || ((fs->prot & VM_PROT_WRITE) != 0 && - vm_page_busied(m)) || !vm_page_all_valid(m)) { - res = FAULT_FAILURE; - goto out; - } + vm_page_busied(m)) || !vm_page_all_valid(m)) + goto fail; m_map = m; psind = 0; #if VM_NRESERVLEVEL > 0 @@ -370,10 +366,8 @@ vm_fault_soft_fast(struct faultstate *fs) #endif if (pmap_enter(fs->map->pmap, vaddr, m_map, fs->prot, fs->fault_type | PMAP_ENTER_NOSLEEP | (fs->wired ? PMAP_ENTER_WIRED : 0), psind) != - KERN_SUCCESS) { - res = FAULT_FAILURE; - goto out; - } + KERN_SUCCESS) + goto fail; if (fs->m_hold != NULL) { (*fs->m_hold) = m; vm_page_wire(m); @@ -382,12 +376,13 @@ vm_fault_soft_fast(struct faultstate *fs) vm_fault_prefault(fs, vaddr, PFBAK, PFFOR, true); VM_OBJECT_RUNLOCK(fs->first_object); vm_fault_dirty(fs, m); + vm_object_unbusy(fs->first_object); vm_map_lookup_done(fs->map, fs->entry); curthread->td_ru.ru_minflt++; - -out: + return (FAULT_SUCCESS); +fail: vm_object_unbusy(fs->first_object); - return (res); + return (FAULT_FAILURE); } static void
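
Review bot: In the last hunk (@@ -382,12 +376,13 @@) the new vm_object_unbusy(fs->first_object) sits directly above vm_map_lookup_done(fs->map, fs->entry) with no comment saying that the order is load-bearing. The commit message explains that the map lock is what keeps the object from being deallocated while it is still busy, but nothing in the code records that, so a later cleanup that folds the success and fail exits back into one shared label would silently reintroduce the race. Suggest a short comment above the unbusy call stating that the object must be unbusied before the map lock is released.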
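
Review bot: The goto fail introduced in the first hunk (@@ -322,20 +322,16 @@) exits through a label that only calls vm_object_unbusy(fs->first_object), while the success path also calls VM_OBJECT_RUNLOCK(fs->first_object) and vm_map_lookup_done(fs->map, fs->entry) before returning. With the shared out: label gone, the two exits return in visibly different lock states and nothing in the visible lines documents that for callers. Suggest a one-line comment at fail: stating which locks remain held when FAULT_FAILURE is returned, so the asymmetry reads as intentional.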