Author: markj
Date: Thu Jan  3 16:26:52 2019
New Revision: 342736
URL: https://svnweb.freebsd.org/changeset/base/342736

Log:
  Fix a use-after-free in the riscv pmap_release() implementation.
  
  Don't bother zeroing the top-level page before freeing it.  Previously,
  the page was freed before being zeroed.
  
  Reviewed by:  jhb, kib
  MFC after:    1 week
  Sponsored by: The FreeBSD Foundation
  Differential Revision:        https://reviews.freebsd.org/D18720

Modified:
  head/sys/riscv/riscv/pmap.c

Modified: head/sys/riscv/riscv/pmap.c
==============================================================================
--- head/sys/riscv/riscv/pmap.c Thu Jan  3 16:24:03 2019        (r342735)
+++ head/sys/riscv/riscv/pmap.c Thu Jan  3 16:26:52 2019        (r342736)
@@ -1297,17 +1297,13 @@ pmap_release(pmap_t pmap)
            ("pmap_release: pmap resident count %ld != 0",
            pmap->pm_stats.resident_count));
 
-       m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pmap->pm_l1));
-       vm_page_unwire_noq(m);
-       vm_page_free_zero(m);
-
-       /* Remove pmap from the allpmaps list */
        mtx_lock(&allpmaps_lock);
        LIST_REMOVE(pmap, pm_list);
        mtx_unlock(&allpmaps_lock);
 
-       /* Remove kernel pagetables */
-       bzero(pmap->pm_l1, PAGE_SIZE);
+       m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pmap->pm_l1));
+       vm_page_unwire_noq(m);
+       vm_page_free(m);
 }
 
 #if 0
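Review bot: the new tail of pmap_release() frees the L1 page only after LIST_REMOVE() under allpmaps_lock, but the hunk also deletes the "Remove pmap from the allpmaps list" comment and nothing now states whether that ordering is required. If the page has to remain valid for as long as the pmap is reachable through allpmaps, a one-line comment above the `m = PHYS_TO_VM_PAGE(...)` line saying so would keep a later cleanup from moving the free back above the list removal. Switching from vm_page_free_zero() to vm_page_free() is consistent with dropping the bzero(), since the page is no longer zeroed before it is released. pmap->pm_l1 still holds the direct-map address of the freed page on return, so consider clearing it or documenting that callers must not touch it after pmap_release().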