diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2022-07-25 20:53:21 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2022-08-09 20:01:00 +0000 |
| commit | 0c88ecaa12555cfea0395abdb0ffac9b3e0f3204 (patch) | |
| tree | e15002209e5cdfc0f182998178b1f397d9204fcb | |
| parent | 69a456c0b60bb6d1122391e1c78243aec345f36c (diff) | |
| download | src-0c88ecaa12555cfea0395abdb0ffac9b3e0f3204.tar.gz src-0c88ecaa12555cfea0395abdb0ffac9b3e0f3204.zip | |
vm_fault: Shoot down shared mappings in vm_fault_copy_entry()
As in vm_fault_cow(), it's possible, albeit rare, for multiple vm_maps
to share a shadow object. When copying a page from a backing object
into the shadow, all mappings of the source page must therefore be
removed. Otherwise, future operations on the object tree may detect
that the source page is fully shadowed and thus can be freed.
Approved by: so
Security: FreeBSD-SA-22:11.vm
Reviewed by: alc, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35635
(cherry picked from commit 5c50e900ad779fccbf0a230bfb6a68a3e93ccf60)
(cherry picked from commit 3ea8c7ad90f75129c52a2b64213c5578af23dc8d)
| -rw-r--r-- | sys/vm/vm_fault.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index 41346f8635ea..8aa8dca3509a 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c @@ -2099,6 +2099,13 @@ again: VM_OBJECT_WLOCK(dst_object); goto again; } + + /* + * See the comment in vm_fault_cow(). + */ + if (src_object == dst_object && + (object->flags & OBJ_ONEMAPPING) == 0) + pmap_remove_all(src_m); pmap_copy_page(src_m, dst_m); VM_OBJECT_RUNLOCK(object); dst_m->dirty = dst_m->valid = src_m->valid; |