Date: Mon, 27 Feb 2023 15:58:55 GMT
Message-Id: <202302271558.31RFwtjs002981@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 1780bdba96d3 - releng/13.2 - vm_fault: Fix a race in vm_fault_soft_fast()
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.2
X-Git-Reftype: branch
X-Git-Commit: 1780bdba96d381a9e473ab15ed92009893c822cb

The branch releng/13.2 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=1780bdba96d381a9e473ab15ed92009893c822cb

commit 1780bdba96d381a9e473ab15ed92009893c822cb
Author:     Mark Johnston
AuthorDate: 2023-02-13 21:24:40 +0000
Commit:     Mark Johnston
CommitDate: 2023-02-27 15:58:34 +0000

    vm_fault: Fix a race in vm_fault_soft_fast()

    When vm_fault_soft_fast() creates a mapping, it releases the VM map lock
    before unbusying the top-level object.  Without the map lock, however,
    nothing prevents the VM object from being deallocated while still busy.
    Fix the problem by unbusying the object before releasing the VM map
    lock.

    If vm_fault_soft_fast() fails to create a mapping, the VM map lock is
    not released, so those cases don't need to change.

    Approved by:	re (cperciva)
    Reported by:	syzkaller
    Reviewed by:	kib (previous version)
    Sponsored by:	The FreeBSD Foundation
    MFC after:	2 weeks
    Differential Revision:	https://reviews.freebsd.org/D38527

    (cherry picked from commit d0991948182a1a149ee84f1b9c4d3e30450c8f0b)
    (cherry picked from commit 2f57ef2d3b8f776a28e195cd780a3bb4924570be)
---
 sys/vm/vm_fault.c | 21 ++++++++------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index 605cf1203554..4872990c33ec 100644
--- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c @@ -322,20 +322,16 @@ vm_fault_soft_fast(struct faultstate *fs) #endif int psind; vm_offset_t vaddr; - enum fault_status res; MPASS(fs->vp == NULL); - res = FAULT_SUCCESS; vaddr = fs->vaddr; vm_object_busy(fs->first_object); m = vm_page_lookup(fs->first_object, fs->first_pindex); /* A busy page can be mapped for read|execute access. */ if (m == NULL || ((fs->prot & VM_PROT_WRITE) != 0 && - vm_page_busied(m)) || !vm_page_all_valid(m)) { - res = FAULT_FAILURE; - goto out; - } + vm_page_busied(m)) || !vm_page_all_valid(m)) + goto fail; m_map = m; psind = 0; #if VM_NRESERVLEVEL > 0 @@ -370,10 +366,8 @@ vm_fault_soft_fast(struct faultstate *fs) #endif if (pmap_enter(fs->map->pmap, vaddr, m_map, fs->prot, fs->fault_type | PMAP_ENTER_NOSLEEP | (fs->wired ? PMAP_ENTER_WIRED : 0), psind) != - KERN_SUCCESS) { - res = FAULT_FAILURE; - goto out; - } + KERN_SUCCESS) + goto fail; if (fs->m_hold != NULL) { (*fs->m_hold) = m; vm_page_wire(m); @@ -382,12 +376,13 @@ vm_fault_soft_fast(struct faultstate *fs) vm_fault_prefault(fs, vaddr, PFBAK, PFFOR, true); VM_OBJECT_RUNLOCK(fs->first_object); vm_fault_dirty(fs, m); + vm_object_unbusy(fs->first_object); vm_map_lookup_done(fs->map, fs->entry); curthread->td_ru.ru_minflt++; - -out: + return (FAULT_SUCCESS); +fail: vm_object_unbusy(fs->first_object); - return (res); + return (FAULT_FAILURE); } static void
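Review bot: in the first hunk (@@ -322,20) the page-lookup check becomes an unbraced two-line `if` ending in `goto fail;`; dropping `res` and the `out:` funnel is a clear simplification, but with a multi-line condition the braces helped show where the body ends, so consider keeping `{ goto fail; }` or at least leaving the `goto` on its own indented line as it is here. Behaviour is unchanged on this path: `fail:` still calls `vm_object_unbusy(fs->first_object)` before returning `FAULT_FAILURE`, and the map lock is deliberately left held, as the commit message states.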
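Review bot: the `pmap_enter()` hunk (@@ -370,10) mirrors the first one, so the same brace remark applies to `KERN_SUCCESS) goto fail;`. One thing worth a comment here: with `PMAP_ENTER_NOSLEEP` a non-`KERN_SUCCESS` return is an expected outcome rather than a bug, and now that the explicit `res = FAULT_FAILURE` assignment is gone, a one-liner such as `/* Expected with PMAP_ENTER_NOSLEEP; the map lock stays held for the caller. */` above the `goto` would stop a future reader from treating it as an error path and adding an assertion or a map unlock there.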
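Review bot: the last hunk (@@ -382,12) is the actual fix: `vm_object_unbusy(fs->first_object)` now runs before `vm_map_lookup_done(fs->map, fs->entry)` on the success path, so the object can no longer be deallocated while still busy once the map lock is gone. That ordering is load-bearing but nothing in the code says so, and the second `vm_object_unbusy` call under `fail:` makes the pair look like a refactoring target that could be merged back into a single exit after `vm_map_lookup_done`, which would reintroduce the race. Please add a comment above the new line, e.g. `/* Unbusy before dropping the map lock; the map lock is what keeps the object alive. */`, and optionally one at `fail:` noting that the map lock is intentionally not released on failure.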