From: Mark Johnston
Subject: git: 2791bc4219e8 - stable/15 - vm_fault: Avoid creating clean, writeable superpage mappings
Date: Mon, 13 Apr 2026 02:54:57 +0000

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=2791bc4219e8e5e99e0160ff398b31436e0f04de

commit 2791bc4219e8e5e99e0160ff398b31436e0f04de
Author:     Mark Johnston
AuthorDate: 2026-03-27 00:25:31 +0000
Commit:     Mark Johnston
CommitDate: 2026-04-13 02:53:05 +0000

vm_fault: Avoid creating clean, writeable superpage mappings

The pmap layer requires writeable superpage mappings to be dirty.
Otherwise, during demotion, we may miss a hw update of the PDE which
sets the dirty bit.

When creating a managed superpage mapping without promotion, i.e., with
pmap_enter(psind == 1), we must therefore ensure that a writeable
mapping is created with the dirty bit pre-set. To that end,
vm_fault_soft_fast(), when handling a map entry with write permissions,
checks whether all constituent pages are dirty, and if so, converts the
fault to a write fault, so that pmap_enter() does the right thing. If
one or more pages is not dirty, we simply create a 4K mapping.

vm_fault_populate(), which may also create superpage mappings, did not
do this, and thus could create mappings which violate the invariant
described above.
Modify it to instead check whether all constituent pages are already dirty, and if so, convert the fault to a write fault. Otherwise the mapping is downgraded to read-only. Reported by: ashafer Reviewed by: alc, kib MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D55536 (cherry picked from commit f404109e90eee7f67ddaae3f52286d524a190fa0) --- sys/vm/vm_fault.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index addda72e2b56..2eed9851135a 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c @@ -642,6 +642,8 @@ vm_fault_populate(struct faultstate *fs) pager_last = map_last; } for (pidx = pager_first; pidx <= pager_last; pidx += npages) { + bool writeable; + m = vm_page_lookup(fs->first_object, pidx); vaddr = fs->entry->start + IDX_TO_OFF(pidx) - fs->entry->offset; KASSERT(m != NULL && m->pindex == pidx, @@ -652,14 +654,28 @@ vm_fault_populate(struct faultstate *fs) !pmap_ps_enabled(fs->map->pmap))) psind--; + writeable = (fs->prot & VM_PROT_WRITE) != 0; npages = atop(pagesizes[psind]); for (i = 0; i < npages; i++) { vm_fault_populate_check_page(&m[i]); vm_fault_dirty(fs, &m[i]); + + /* + * If this is a writeable superpage mapping, all + * constituent pages and the new mapping should be + * dirty, otherwise the mapping should be read-only. + */ + if (writeable && psind > 0 && + (m[i].oflags & VPO_UNMANAGED) == 0 && + m[i].dirty != VM_PAGE_BITS_ALL) + writeable = false; } + if (psind > 0 && writeable) + fs->fault_type |= VM_PROT_WRITE; VM_OBJECT_WUNLOCK(fs->first_object); - rv = pmap_enter(fs->map->pmap, vaddr, m, fs->prot, fs->fault_type | - (fs->wired ? PMAP_ENTER_WIRED : 0), psind); + rv = pmap_enter(fs->map->pmap, vaddr, m, + fs->prot & ~(writeable ? 0 : VM_PROT_WRITE), + fs->fault_type | (fs->wired ? PMAP_ENTER_WIRED : 0), psind); /* * pmap_enter() may fail for a superpage mapping if additional
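
Review bot: In the second hunk (@@ -652,14 +654,28 @@), `fs->fault_type |= VM_PROT_WRITE` modifies the shared fault state inside the `for (pidx = pager_first; ...)` loop and is never cleared, so it carries over into every later iteration. After one superpage chunk has been found fully dirty, a following chunk that is downgraded (`writeable = false`) reaches `pmap_enter()` with VM_PROT_WRITE stripped from the protection argument but still set in `fs->fault_type`, and `vm_fault_dirty(fs, &m[i])` in later iterations also sees the upgraded fault type. If that carry-over is not intended, keep the upgrade in a loop-local variable next to `writeable` and pass that to `pmap_enter()` instead of changing `fs->fault_type`. Two smaller points in the same hunk: the new comment says all constituent pages should be dirty, but the condition skips pages with VPO_UNMANAGED set without saying why, and `fs->prot & ~(writeable ? 0 : VM_PROT_WRITE)` would read more easily as a local protection value computed before the call.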