diff options
| author | Mark Johnston <markj@FreeBSD.org> | 2022-07-25 20:53:21 +0000 |
|---|---|---|
| committer | Mark Johnston <markj@FreeBSD.org> | 2022-08-09 19:44:45 +0000 |
| commit | 5c50e900ad779fccbf0a230bfb6a68a3e93ccf60 (patch) | |
| tree | 52f9b6d9f4165242cc9024ad3e2488038f255abb | |
| parent | 00d17cf342cd9f4f8fd1dcd79c8caec359145532 (diff) | |
vm_fault: Shoot down shared mappings in vm_fault_copy_entry()
As in vm_fault_cow(), it's possible, albeit rare, for multiple vm_maps
to share a shadow object. When copying a page from a backing object
into the shadow, all mappings of the source page must therefore be
removed. Otherwise, future operations on the object tree may detect
that the source page is fully shadowed and thus can be freed.
Approved by: so
Security: FreeBSD-SA-22:11.vm
Reviewed by: alc, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35635
| -rw-r--r-- | sys/vm/vm_fault.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index 0433b6dd3d7e..8f30c5b93828 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c @@ -2107,6 +2107,13 @@ again: VM_OBJECT_WLOCK(dst_object); goto again; } + + /* + * See the comment in vm_fault_cow(). + */ + if (src_object == dst_object && + (object->flags & OBJ_ONEMAPPING) == 0) + pmap_remove_all(src_m); pmap_copy_page(src_m, dst_m); /* |