Fix a use-after-free in the riscv pmap_release() implementation.

Don't bother zeroing the top-level page before freeing it. Previously, the page was freed before being zeroed. Reviewed by: jhb, kib MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D18720
svn path=/head/; revision=342736
2019-01-03 16:26:52 +00:00 · 2019-01-03 16:26:52 +00:00 · 7c59ec14e6 · 2020-12-20 02:59:44 +00:00
commit 7c59ec14e6
parent bad66a29d4
1 changed files with 3 additions and 7 deletions
--- a/sys/riscv/riscv/pmap.c
+++ b/sys/riscv/riscv/pmap.c
@ -1297,17 +1297,13 @@ pmap_release(pmap_t pmap)
 	    ("pmap_release: pmap resident count %ld != 0",
 	    pmap->pm_stats.resident_count));

-	m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pmap->pm_l1));
-	vm_page_unwire_noq(m);
-	vm_page_free_zero(m);
-
-	/* Remove pmap from the allpmaps list */
 	mtx_lock(&allpmaps_lock);
 	LIST_REMOVE(pmap, pm_list);
 	mtx_unlock(&allpmaps_lock);

-	/* Remove kernel pagetables */
-	bzero(pmap->pm_l1, PAGE_SIZE);
+	m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pmap->pm_l1));
+	vm_page_unwire_noq(m);
+	vm_page_free(m);
 }

 #if 0