From owner-freebsd-current@freebsd.org  Fri Feb 19 08:40:10 2016
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 943E3AAC5C3
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Fri, 19 Feb 2016 08:40:10 +0000 (UTC) (envelope-from avg@FreeBSD.org)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140])
 by mx1.freebsd.org (Postfix) with ESMTP id ADB5F138A;
 Fri, 19 Feb 2016 08:40:09 +0000 (UTC) (envelope-from avg@FreeBSD.org)
Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua
 [212.40.38.100])
 by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id KAA24802;
 Fri, 19 Feb 2016 10:40:07 +0200 (EET) (envelope-from avg@FreeBSD.org)
Received: from localhost ([127.0.0.1])
 by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD))
 id 1aWgbf-0001c4-F9; Fri, 19 Feb 2016 10:40:07 +0200
Subject: Re: Memory modified after free in "MAP ENTRY" zone
 (vm_map_entry_t->read_ahead)
To: Konstantin Belousov <kostikbel@gmail.com>
References: <56BBAB6E.5050601@FreeBSD.org> <56C08AAA.5050206@FreeBSD.org>
 <CAJUyCcNy19rArmgjzpPZvsDE7Ln4OoMWU+75Q+THdp0T7+DxPg@mail.gmail.com>
 <56C1953F.60604@FreeBSD.org> <20160218151321.GR91220@kib.kiev.ua>
Cc: alc@FreeBSD.org, FreeBSD Current <freebsd-current@FreeBSD.org>
From: Andriy Gapon <avg@FreeBSD.org>
Message-ID: <56C6D496.1060509@FreeBSD.org>
Date: Fri, 19 Feb 2016 10:38:46 +0200
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101
 Thunderbird/38.5.0
MIME-Version: 1.0
In-Reply-To: <20160218151321.GR91220@kib.kiev.ua>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 08:40:10 -0000

On 18/02/2016 17:13, Konstantin Belousov wrote:
> So this is arguably a fallout from r188331.
> The following is somewhat non-insistent attempt to fix the problem.

Kostik,

thank you very much, I am testing the patch.

> diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
> index a7e3d37..cddf1eb 100644
> --- a/sys/vm/vm_fault.c
> +++ b/sys/vm/vm_fault.c
> @@ -291,7 +291,8 @@ vm_fault_hold(vm_map_t map, vm_offset_t vaddr, vm_prot_t fault_type,
>  	struct faultstate fs;
>  	struct vnode *vp;
>  	vm_page_t m;
> -	int ahead, behind, cluster_offset, error, locked;
> +	int ahead, behind, cluster_offset, error, locked, rv;
> +	u_char behavior;
>  
>  	hardfault = 0;
>  	growstack = TRUE;
> @@ -550,9 +551,18 @@ readrest:
>  		 * zero-filled pages.
>  		 */
>  		if (fs.object->type != OBJT_DEFAULT) {
> -			int rv;
> -			u_char behavior = vm_map_entry_behavior(fs.entry);
> -
> +			if (!fs.lookup_still_valid) {
> +				locked = vm_map_trylock_read(fs.map);
> +				if (locked)
> +					fs.lookup_still_valid = TRUE;
> +				if (!locked || fs.map->timestamp !=
> +				    map_generation) {
> +					release_page(&fs);
> +					unlock_and_deallocate(&fs);
> +					goto RetryFault;
> +				}
> +			}
> +			behavior = vm_map_entry_behavior(fs.entry);
>  			era = fs.entry->read_ahead;
>  			if (behavior == MAP_ENTRY_BEHAV_RANDOM ||
>  			    P_KILLED(curproc)) {
> @@ -603,6 +613,7 @@ readrest:
>  			}
>  			ahead = ulmin(ahead, atop(fs.entry->end - vaddr) - 1);
>  			if (era != nera)
> +				/* XXX only read-lock on map */
>  				fs.entry->read_ahead = nera;
>  
>  			/*
> 


-- 
Andriy Gapon