On 26/03/25(Wed) 13:33, Mark Kettenis wrote:
> > Date: Tue, 25 Mar 2025 18:59:46 +0000
> > From: Miod Vallat <[email protected]>
> [...] 
> > This STRONGLY hints that this routine has never been used on
> > pmap_kernel() addresses until now.
> 
> I guess we stopped swapping out kernel stacks long before amd64 was a
> thing?

If this code has never been tested on pmap_kernel() then it is dead code
and I'd rather remove it.  Whoever wants to reduce the permission of the
mapping will have to check on all architectures that this is supported.

Here's an alternate diff that removes the useless uvm_map_protect(9) and
corrects the one in vmcmd_map_readvn().  While here, prevent leaks in
error code paths.

ok?

Index: kern/exec_subr.c
===================================================================
RCS file: /cvs/src/sys/kern/exec_subr.c,v
diff -u -p -r1.68 exec_subr.c
--- kern/exec_subr.c    2 Nov 2024 10:02:23 -0000       1.68
+++ kern/exec_subr.c    10 Mar 2025 19:26:50 -0000
@@ -260,7 +260,7 @@ vmcmd_map_readvn(struct proc *p, struct 
                 * uvm_map_protect() to fix up the protection.  ICK.
                 */
                error = (uvm_map_protect(&p->p_vmspace->vm_map,
-                   cmd->ev_addr, round_page(cmd->ev_len),
+                   cmd->ev_addr, round_page(cmd->ev_addr + cmd->ev_len),
                    prot, 0, FALSE, TRUE));
        }
        if (error == 0) {
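Review bot: The comment above this call does not say that uvm_map_protect() takes a start and an end address, which is the mix-up the corrected argument fixes (the old code passed a rounded length as the end). I would extend that comment with a line such as `the third argument is the end address, not a length`, so the call is not simplified back later. The start is passed as `cmd->ev_addr` without `trunc_page()`, and the sum `cmd->ev_addr + cmd->ev_len` is not checked for wrap-around in the visible lines. Both presumably rely on validation done earlier in vmcmd_map_readvn() or by its callers, which lies outside the hunk and is worth confirming.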
Index: kern/kern_exec.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_exec.c,v
diff -u -p -r1.262 kern_exec.c
--- kern/kern_exec.c    17 Feb 2025 10:07:10 -0000      1.262
+++ kern/kern_exec.c    27 Mar 2025 16:34:01 -0000
@@ -874,12 +874,11 @@ exec_sigcode_map(struct process *pr)
                int r;
 
                sigobject = uao_create(sz, 0);
-               uao_reference(sigobject);       /* permanent reference */
-
                if ((r = uvm_map(kernel_map, &va, round_page(sz), sigobject,
                    0, 0, UVM_MAPFLAG(PROT_READ | PROT_WRITE, PROT_READ | 
PROT_WRITE,
                    MAP_INHERIT_SHARE, MADV_RANDOM, 0)))) {
                        uao_detach(sigobject);
+                       sigobject = NULL;
                        return (ENOMEM);
                }
 
@@ -890,9 +889,6 @@ exec_sigcode_map(struct process *pr)
                        left -= chunk;
                }
                memcpy((caddr_t)va, sigcode, sz);
-
-               (void) uvm_map_protect(kernel_map, va, round_page(sz),
-                   PROT_READ, 0, FALSE, FALSE);
                sigcode_va = va;
                sigcode_sz = round_page(sz);
        }
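Review bot: After this removal the kernel_map mapping behind `sigcode_va` keeps the `PROT_READ | PROT_WRITE` protection it was created with in the previous hunk, and no comment records that this is deliberate. The pages hold the signal trampoline and the object is mapped with MAP_INHERIT_SHARE, so leaving the kernel alias writable is a hardening trade-off that a later reader should be able to see. I would add a comment after the memcpy(), for example `/* kernel mapping stays read/write: uvm_map_protect() on kernel_map is not known to work on all architectures */`. If a read-only kernel mapping is reintroduced later, its return value should be checked rather than discarded with `(void)`.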
@@ -927,8 +923,6 @@ exec_timekeep_map(struct process *pr)
                vaddr_t va = 0;
 
                timekeep_object = uao_create(timekeep_sz, 0);
-               uao_reference(timekeep_object);
-
                if (uvm_map(kernel_map, &va, timekeep_sz, timekeep_object,
                    0, 0, UVM_MAPFLAG(PROT_READ | PROT_WRITE, PROT_READ | 
PROT_WRITE,
                    MAP_INHERIT_SHARE, MADV_RANDOM, 0))) {
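Review bot: The failure branch of this uvm_map() call lies outside the hunk, so it is not visible whether it clears `timekeep_object` the way the exec_sigcode_map() hunk now does with `sigobject = NULL;`. With the extra `uao_reference(timekeep_object)` removed, a `uao_detach(timekeep_object)` on that path would presumably drop the last reference. The global would then keep pointing at a released object unless the branch also does `timekeep_object = NULL;`. Please confirm that line is present, or add it next to the detach.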

