vm_fault: Shoot down shared mappings in vm_fault_copy_entry()

As in vm_fault_cow(), it's possible, albeit rare, for multiple vm_maps to share a shadow object. When copying a page from a backing object into the shadow, all mappings of the source page must therefore be removed. Otherwise, future operations on the object tree may detect that the source page is fully shadowed and thus can be freed. Approved by: so Security: FreeBSD-SA-22:11.vm Reviewed by: alc, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35635
2022-07-25 16:53:21 -04:00 · 2022-07-25 16:53:21 -04:00 · 5c50e900ad
commit 5c50e900ad
parent 00d17cf342
1 changed files with 7 additions and 0 deletions
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@ -2107,6 +2107,13 @@ vm_fault_copy_entry(vm_map_t dst_map, vm_map_t src_map __unused,
 				VM_OBJECT_WLOCK(dst_object);
 				goto again;
 			}
+
+			/*
+			 * See the comment in vm_fault_cow().
+			 */
+			if (src_object == dst_object &&
+			    (object->flags & OBJ_ONEMAPPING) == 0)
+				pmap_remove_all(src_m);
 			pmap_copy_page(src_m, dst_m);

 			/*