From owner-svn-src-head@freebsd.org Wed May 30 15:25:50 2018
Message-Id: <201805301525.w4UFPneq018514@repo.freebsd.org>
From: Andrew Turner
Date: Wed, 30 May 2018 15:25:49 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r334385 - head/sys/arm64/arm64
X-SVN-Group: head
X-SVN-Commit-Author: andrew
X-SVN-Commit-Paths: head/sys/arm64/arm64
X-SVN-Commit-Revision: 334385
X-SVN-Commit-Repository: base

Author: andrew
Date: Wed May 30 15:25:48 2018
New Revision: 334385

URL: https://svnweb.freebsd.org/changeset/base/334385

Log:
  Further limit when we call pmap_fault.

  We should only call pmap_fault in the kernel when accessing a userspace
  address. As this should always happen through specific functions that set
  a fault handler, we can use this to limit calls to pmap_fault to when this
  is set.

  This should help with NULL pointer dereferences when we are unable to
  sleep so we fall into the correct case.

  Sponsored by:	DARPA, AFRL

Modified:
  head/sys/arm64/arm64/trap.c

Modified: head/sys/arm64/arm64/trap.c
==============================================================================
--- head/sys/arm64/arm64/trap.c	Wed May 30 15:08:59 2018	(r334384)
+++ head/sys/arm64/arm64/trap.c	Wed May 30 15:25:48 2018	(r334385)
@@ -190,16 +190,32 @@ data_abort(struct thread *td, struct trapframe *frame, } /* - * We may fault from userspace or when in a DMAP region due to - * a superpage being unmapped when the access took place. In these - * cases we need to wait for the pmap to be unlocked and check - * if the translation is still invalid. + * The call to pmap_fault can be dangerous when coming from the + * kernel as it may be not be able to lock the pmap to check if + * the address is now valid. Because of this we filter the cases + * when we are not going to see superpage activity. */ - if (map != kernel_map || VIRT_IN_DMAP(far)) { - if (pmap_fault(map->pmap, esr, far) == KERN_SUCCESS) - return; + if (!lower) { + /* + * We may fault in a DMAP region due to a superpage being + * unmapped when the access took place. + */ + if (map == kernel_map && !VIRT_IN_DMAP(far)) + goto no_pmap_fault; + /* + * We can also fault in the userspace handling functions, + * e.g. copyin. In these cases we will have set a fault + * handler so we can check if this is set before calling + * pmap_fault. + */ + if (map != kernel_map && pcb->pcb_onfault == 0) + goto no_pmap_fault; } + if (pmap_fault(map->pmap, esr, far) == KERN_SUCCESS) + return; + +no_pmap_fault: KASSERT(td->td_md.md_spinlock_count == 0, ("data abort with spinlock held")); if (td->td_critnest != 0 || WITNESS_CHECK(WARN_SLEEPOK |
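Review bot: The new block comment above `if (!lower)` has a typo, "it may be not be able to lock the pmap", which should read "it may not be able to lock the pmap". The first inner comment ("We may fault in a DMAP region due to a superpage being unmapped when the access took place") describes the case that is kept, while the check directly under it, `if (map == kernel_map && !VIRT_IN_DMAP(far)) goto no_pmap_fault;`, describes the case that is skipped; rewording it to say that kernel addresses outside the DMAP never see superpage activity and therefore bypass pmap_fault would make the comment match the code. Both `lower` and `pcb` are used without being defined in the visible context, so confirm they are set earlier in data_abort and that `pcb` is the faulting thread's PCB, since `pcb->pcb_onfault == 0` is now the only thing separating a legitimate copyin/copyout-style fault on a user address from a stray kernel dereference of one, and a wrong `pcb` would send the latter back into pmap_fault while the thread may be unable to sleep. The hunk as shown ends inside the `if (td->td_critnest != 0 || WITNESS_CHECK(...` condition, so the remainder of the no_pmap_fault path cannot be reviewed here.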