Date: Wed, 13 May 2009 07:42:53 +0000 (UTC) From: Alan Cox <alc@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r192035 - in head/sys: amd64/amd64 i386/i386 Message-ID: <200905130742.n4D7gr81045680@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: alc Date: Wed May 13 07:42:53 2009 New Revision: 192035 URL: http://svn.freebsd.org/changeset/base/192035 Log: Correct a rare use-after-free error in pmap_copy(). This error was introduced in amd64 revision 1.540 and i386 revision 1.547. However, it had no harmful effects until after a recent change, r189698, on amd64. (In other words, the error is harmless in RELENG_7.) The error is triggered by the failure to allocate a pv entry for the one and only mapping in a page table page. I am addressing the error by changing pmap_copy() to abort if either pv entry allocation or page table page allocation fails. This is appropriate because the creation of mappings by pmap_copy() is optional. They are a (possible) optimization, and not a requirement. Correct a nearby whitespace error in the i386 pmap_copy(). Crash reported by: jeff@ MFC after: 6 weeks Modified: head/sys/amd64/amd64/pmap.c head/sys/i386/i386/pmap.c Modified: head/sys/amd64/amd64/pmap.c ============================================================================== --- head/sys/amd64/amd64/pmap.c Wed May 13 05:39:39 2009 (r192034) +++ head/sys/amd64/amd64/pmap.c Wed May 13 07:42:53 2009 (r192035) @@ -3556,7 +3556,7 @@ pmap_copy(pmap_t dst_pmap, pmap_t src_pm dstmpte->wire_count++; else if ((dstmpte = pmap_allocpte(dst_pmap, addr, M_NOWAIT)) == NULL) - break; + goto out; dst_pte = (pt_entry_t *) PHYS_TO_DMAP(VM_PAGE_TO_PHYS(dstmpte)); dst_pte = &dst_pte[pmap_pte_index(addr)]; @@ -3579,6 +3579,7 @@ pmap_copy(pmap_t dst_pmap, pmap_t src_pm addr); pmap_free_zero_pages(free); } + goto out; } if (dstmpte->wire_count >= srcmpte->wire_count) break; @@ -3587,6 +3588,7 @@ pmap_copy(pmap_t dst_pmap, pmap_t src_pm src_pte++; } } +out: vm_page_unlock_queues(); PMAP_UNLOCK(src_pmap); PMAP_UNLOCK(dst_pmap); Modified: head/sys/i386/i386/pmap.c ============================================================================== --- head/sys/i386/i386/pmap.c Wed May 13 05:39:39 2009 (r192034) +++ head/sys/i386/i386/pmap.c Wed May 13 07:42:53 2009 (r192035) @@ -3638,7 +3638,7 @@ pmap_copy(pmap_t dst_pmap, pmap_t src_pm dstmpte = pmap_allocpte(dst_pmap, addr, M_NOWAIT); if (dstmpte == NULL) - break; + goto out; dst_pte = pmap_pte_quick(dst_pmap, addr); if (*dst_pte == 0 && pmap_try_insert_pv_entry(dst_pmap, addr, @@ -3653,12 +3653,13 @@ pmap_copy(pmap_t dst_pmap, pmap_t src_pm dst_pmap->pm_stats.resident_count++; } else { free = NULL; - if (pmap_unwire_pte_hold( dst_pmap, + if (pmap_unwire_pte_hold(dst_pmap, dstmpte, &free)) { pmap_invalidate_page(dst_pmap, addr); pmap_free_zero_pages(free); } + goto out; } if (dstmpte->wire_count >= srcmpte->wire_count) break; @@ -3667,6 +3668,7 @@ pmap_copy(pmap_t dst_pmap, pmap_t src_pm src_pte++; } } +out: sched_unpin(); vm_page_unlock_queues(); PMAP_UNLOCK(src_pmap);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200905130742.n4D7gr81045680>