From owner-dev-commits-src-all@freebsd.org  Mon Mar 29 23:24:03 2021
Return-Path: <owner-dev-commits-src-all@freebsd.org>
Delivered-To: dev-commits-src-all@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id EBF255AFECD;
 Mon, 29 Mar 2021 23:24:03 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4F8TDM64xwz4stN;
 Mon, 29 Mar 2021 23:24:03 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C39791C0CA;
 Mon, 29 Mar 2021 23:24:03 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 12TNO3e4063650;
 Mon, 29 Mar 2021 23:24:03 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 12TNO3Yf063649;
 Mon, 29 Mar 2021 23:24:03 GMT (envelope-from git)
Date: Mon, 29 Mar 2021 23:24:03 GMT
Message-Id: <202103292324.12TNO3Yf063649@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-main@FreeBSD.org
From: Brandon Bergren <bdragon@FreeBSD.org>
Subject: git: 5a08df100b58 - main - [PowerPC] Fix 32-bit Book-E panic due to
 pve leak
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: bdragon
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 5a08df100b58911396e0cc1403f0504bc68461bd
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-all@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for all branches of the src repository
 <dev-commits-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-all/>
List-Post: <mailto:dev-commits-src-all@freebsd.org>
List-Help: <mailto:dev-commits-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all>, 
 <mailto:dev-commits-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2021 23:24:04 -0000

The branch main has been updated by bdragon:

URL: https://cgit.FreeBSD.org/src/commit/?id=5a08df100b58911396e0cc1403f0504bc68461bd

commit 5a08df100b58911396e0cc1403f0504bc68461bd
Author:     Brandon Bergren <bdragon@FreeBSD.org>
AuthorDate: 2021-03-29 22:59:19 +0000
Commit:     Brandon Bergren <bdragon@FreeBSD.org>
CommitDate: 2021-03-29 23:22:16 +0000

    [PowerPC] Fix 32-bit Book-E panic due to pve leak
    
    On an INVARIANTS kernel on 32-bit Book-E, we were panicing when running
    the libproc tests. This was caused by extra pv entries being generated
    accidentally by the pmap icache invalidation code.
    
    Use the same VA (i.e. 0) when freeing the temporary mapping, instead of
    some arbitrary address within the zero page.
    
    Failure to do this was causing kernel-side icache syncing to leak
    PVE entries when invalidating icache for a non page-aligned address, which
    would later result in pages erroneously showing up as mapped to vm_page.
    
    This bug was introduced in r347354 in 2019.
    
    Reviewed by:    jhibbits (in irc)
    Sponsored by:   Tag1 Consulting, Inc.
---
 sys/powerpc/booke/pmap_32.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/sys/powerpc/booke/pmap_32.c b/sys/powerpc/booke/pmap_32.c
index a9f8af0565f0..924eb223a2b6 100644
--- a/sys/powerpc/booke/pmap_32.c
+++ b/sys/powerpc/booke/pmap_32.c
@@ -748,14 +748,23 @@ mmu_booke_sync_icache(pmap_t pm, vm_offset_t va, vm_size_t sz)
 		sync_sz = min(sync_sz, sz);
 		if (valid) {
 			if (!active) {
-				/* Create a mapping in the active pmap. */
+				/*
+				 * Create a mapping in the active pmap.
+				 *
+				 * XXX: We use the zero page here, because
+				 * it isn't likely to be in use.
+				 * If we ever decide to support
+				 * security.bsd.map_at_zero on Book-E, change
+				 * this to some other address that isn't
+				 * normally mappable.
+				 */
 				addr = 0;
 				m = PHYS_TO_VM_PAGE(pa);
 				PMAP_LOCK(pmap);
 				pte_enter(pmap, m, addr,
 				    PTE_SR | PTE_VALID, FALSE);
-				addr += (va & PAGE_MASK);
-				__syncicache((void *)addr, sync_sz);
+				__syncicache((void *)(addr + (va & PAGE_MASK)),
+				    sync_sz);
 				pte_remove(pmap, addr, PTBL_UNHOLD);
 				PMAP_UNLOCK(pmap);
 			} else