Module Name:    src
Committed By:   chs
Date:           Mon Aug  5 17:36:42 UTC 2019

Modified Files:
        src/sys/uvm: uvm_fault.c

Log Message:
fix two bugs reported in
https://syzkaller.appspot.com/bug?id=8840dce484094a926e1ec388ffb83acb2fa291c9

 - in uvm_fault_check(), if the map entry is wired, handle the fault the same
   way that we would handle UVM_FAULT_WIRE.  faulting on wired mappings is valid
   if the mapped object was truncated and then later grown again.

 - in uvm_fault_unwire_locked(), we must hold the locks for the vm_map_entry
   while calling pmap_extract() in order to avoid races with the mapped object
   being truncated while we are unwiring it.

Reported-by: syzbot+2e0ae2fc35ab7301c...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.206 -r1.207 src/sys/uvm/uvm_fault.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/uvm/uvm_fault.c
diff -u src/sys/uvm/uvm_fault.c:1.206 src/sys/uvm/uvm_fault.c:1.207
--- src/sys/uvm/uvm_fault.c:1.206	Tue May 28 08:59:35 2019
+++ src/sys/uvm/uvm_fault.c	Mon Aug  5 17:36:42 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: uvm_fault.c,v 1.206 2019/05/28 08:59:35 msaitoh Exp $	*/
+/*	$NetBSD: uvm_fault.c,v 1.207 2019/08/05 17:36:42 chs Exp $	*/
 
 /*
  * Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_fault.c,v 1.206 2019/05/28 08:59:35 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_fault.c,v 1.207 2019/08/05 17:36:42 chs Exp $");
 
 #include "opt_uvmhist.h"
 
@@ -996,8 +996,11 @@ uvm_fault_check(
 	 */
 
 	flt->enter_prot = ufi->entry->protection;
-	if (VM_MAPENT_ISWIRED(ufi->entry))
+	if (VM_MAPENT_ISWIRED(ufi->entry)) {
 		flt->wire_mapping = true;
+		flt->wire_paging = true;
+		flt->narrow = true;
+	}
 
 	if (flt->wire_mapping) {
 		flt->access_type = flt->enter_prot; /* full access for wired */
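Review bot: The new branch body in uvm_fault_check() sets `wire_paging` and `narrow` with no comment explaining why a fault on an already wired entry is legitimate; that rationale (the mapped object was truncated and later grown again) exists only in the commit log. I would add above the `if`: `/* a wired entry can still fault if its object was truncated and regrown; handle it like UVM_FAULT_WIRE */`. Because `narrow` is now forced for every wired entry, it is also worth confirming that nothing depends on the non-narrow path (presumably neighbour-page handling) for wired ranges. That cannot be judged here, since the function starts and ends outside the hunk.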
@@ -2437,8 +2440,6 @@ uvm_fault_unwire_locked(struct vm_map *m
 
 	oentry = NULL;
 	for (va = start; va < end; va += PAGE_SIZE) {
-		if (pmap_extract(pmap, va, &pa) == false)
-			continue;
 
 		/*
 		 * find the map entry for the current address.
@@ -2469,6 +2470,9 @@ uvm_fault_unwire_locked(struct vm_map *m
 		 * if the entry is no longer wired, tell the pmap.
 		 */
 
+		if (!pmap_extract(pmap, va, &pa))
+			continue;
+
 		if (VM_MAPENT_ISWIRED(entry) == 0)
 			pmap_unwire(pmap, va);
 
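Review bot: The relocated `pmap_extract()` check now sits directly under the existing comment "if the entry is no longer wired, tell the pmap.", which describes the `VM_MAPENT_ISWIRED` test below it, not the extract. Moving the added lines above that comment and giving them their own, e.g. `/* extract only after the entry lookup, with its locks held, so the object cannot be truncated under us */`, would keep the race rationale from the commit log next to the code it protects. If the lock owner is reachable at this point, an assertion on the lock state before the call would also catch a later reordering that reintroduces the race. The entry lookup and the rest of the loop body are outside the hunk.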
