From a9c7546a1df1b1e249c6c1e45bf4ced36f00c7af Mon Sep 17 00:00:00 2001 From: Konstantin Belousov Date: Fri, 24 May 2019 17:19:06 +0000 Subject: [PATCH] Fix a corner case in demotion of kernel mappings. It is possible for the kernel mapping to be created with superpage by directly installing pde using pmap_enter_2mpage() without filling the corresponding page table page. This can happen e.g. if the range is already backed by reservation and vm_fault_soft_fast() conditions are satisfied, which was observed on the pipe_map. In this case, demotion must fill the page obtained from the pmap radix, same as if the page is newly allocated. Use PG_PROMOTED bit as an indicator that the page is valid, instead of the wire count of the page table page. Since the PG_PROMOTED bit is set on pde when we leave TLB entries for 4k pages around, which in particular means that the ptes were filled, it provides more correct indicator. Note that pmap_protect_pde() clears PG_PROMOTED, which handles the case when protection was changed on the superpage without adjusting ptes. Reported by: pho In collaboration with: alc Tested by: alc, pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D20380 --- sys/amd64/amd64/pmap.c | 12 +++++++----- sys/i386/i386/pmap.c | 12 +++++++----- 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/sys/amd64/amd64/pmap.c b/sys/amd64/amd64/pmap.c index 89ba9da19d86..50cfbd3ce96a 100644 --- a/sys/amd64/amd64/pmap.c +++ b/sys/amd64/amd64/pmap.c @@ -4537,8 +4537,10 @@ pmap_demote_pde_locked(pmap_t pmap, pd_entry_t *pde, vm_offset_t va, " in pmap %p", va, pmap); return (FALSE); } - if (va < VM_MAXUSER_ADDRESS) + if (va < VM_MAXUSER_ADDRESS) { + mpte->wire_count = NPTEPG; pmap_resident_count_inc(pmap, 1); + } } mptepa = VM_PAGE_TO_PHYS(mpte); firstpte = (pt_entry_t *)PHYS_TO_DMAP(mptepa); @@ -4551,12 +4553,12 @@ pmap_demote_pde_locked(pmap_t pmap, pd_entry_t *pde, vm_offset_t va, newpte = pmap_swap_pat(pmap, newpte); /* - * If the page table page is new, initialize it. + * If the page table page is not leftover from an earlier promotion, + * initialize it. */ - if (mpte->wire_count == 1) { - mpte->wire_count = NPTEPG; + if ((oldpde & PG_PROMOTED) == 0) pmap_fill_ptp(firstpte, newpte); - } + KASSERT((*firstpte & PG_FRAME) == (newpte & PG_FRAME), ("pmap_demote_pde: firstpte and newpte map different physical" " addresses")); diff --git a/sys/i386/i386/pmap.c b/sys/i386/i386/pmap.c index 2aee12d7f265..56619e23d68c 100644 --- a/sys/i386/i386/pmap.c +++ b/sys/i386/i386/pmap.c @@ -2768,8 +2768,10 @@ pmap_demote_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t va) " in pmap %p", va, pmap); return (FALSE); } - if (pmap != kernel_pmap) + if (pmap != kernel_pmap) { + mpte->wire_count = NPTEPG; pmap->pm_stats.resident_count++; + } } mptepa = VM_PAGE_TO_PHYS(mpte); @@ -2818,12 +2820,12 @@ pmap_demote_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t va) newpte ^= PG_PDE_PAT | PG_PTE_PAT; /* - * If the page table page is new, initialize it. + * If the page table page is not leftover from an earlier promotion, + * initialize it. */ - if (mpte->wire_count == 1) { - mpte->wire_count = NPTEPG; + if ((oldpde & PG_PROMOTED) == 0) pmap_fill_ptp(firstpte, newpte); - } + KASSERT((*firstpte & PG_FRAME) == (newpte & PG_FRAME), ("pmap_demote_pde: firstpte and newpte map different physical" " addresses"));