authorAlan Cox <alc@FreeBSD.org>2021-06-26 03:29:38 +0000
committerAlan Cox <alc@FreeBSD.org>2021-06-26 04:01:32 +0000
commit5dd84e315a9f777772017f9f628aa67f08a6493a (patch)
treef85349640cb085be360fa6f9a62f8e3936e35ed8
parent18b19f8c6e04935a63a951afe0e540674bc94455 (diff)
arm64: fix a potential KVA leak in pmap_demote_l1()
In the unlikely event that the 1 GB page mapping being demoted is used to access the L1 page table page containing the 1 GB page mapping and the vm_page_alloc() to allocate a new L2 page table page fails, we would leak a page of kernel virtual address space. Fix this leak. MFC after: 1 week
-rw-r--r--sys/arm64/arm64/pmap.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c
index a6f716370810..76ca8eab70ff 100644
--- a/sys/arm64/arm64/pmap.c
+++ b/sys/arm64/arm64/pmap.c
@@ -6010,7 +6010,8 @@ pmap_demote_l1(pmap_t pmap, pt_entry_t *l1, vm_offset_t va)
VM_ALLOC_NOOBJ | VM_ALLOC_WIRED)) == NULL) {
CTR2(KTR_PMAP, "pmap_demote_l1: failure for va %#lx"
" in pmap %p", va, pmap);
- return (NULL);
+ l2 = NULL;
+ goto fail;
}
l2phys = VM_PAGE_TO_PHYS(ml2);
@@ -6039,6 +6040,7 @@ pmap_demote_l1(pmap_t pmap, pt_entry_t *l1, vm_offset_t va)
pmap_update_entry(pmap, l1, l2phys | L1_TABLE, va, PAGE_SIZE);
+fail:
if (tmpl1 != 0) {
pmap_kremove(tmpl1);
kva_free(tmpl1, PAGE_SIZE);
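Review bot: The new `fail:` label sends the vm_page_alloc() failure path through `pmap_kremove(tmpl1)` as well as `kva_free()`, and neither hunk shows where tmpl1 gets mapped. If that mapping is only made after the allocation, which looks likely but is not visible here, the failure path unmaps a kernel VA that was never entered. It is worth confirming that pmap_kremove() tolerates an unmapped address on this path (no assertion on the PTE state), or skipping it there. A comment above the label would record the intent, e.g. `/* Reached on vm_page_alloc() failure too; release the temporary KVA. */`. The `l2 = NULL;` in the first hunk depends on a shared `return (l2)` after this block; pmap_demote_l1's body starts and ends outside both hunks.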