vm_fault: Shoot down shared mappings in vm_fault_copy_entry()

As in vm_fault_cow(), it's possible, albeit rare, for multiple vm_maps to share a shadow object. When copying a page from a backing object into the shadow, all mappings of the source page must therefore be removed. Otherwise, future operations on the object tree may detect that the source page is fully shadowed and thus can be freed. Approved by: so Security: FreeBSD-SA-22:11.vm Reviewed by: alc, kib Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D35635 (cherry picked from commit 5c50e900ad779fccbf0a230bfb6a68a3e93ccf60) (cherry picked from commit 9a2a2871c4908cfe7012236912918622e0ed0b32)
author: Mark Johnston <markj@FreeBSD.org> 2022-07-25 23:53:21 +0300
committer: Mark Johnston <markj@FreeBSD.org> 2022-08-09 22:58:12 +0300
commit: 1120c36b075c9c0df22fc3d2e870ba8f85ceed2c (patch)
tree: 93825313bbe217ada88c4fe214939af351b3621d
parent: 0aa6d8576d9e7e4463323b82b7dac178f56237e0 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index 7829b3691d83..efbe0b23f259 100644
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@@ -1884,6 +1884,13 @@ again:
 				VM_OBJECT_WLOCK(dst_object);
 				goto again;
 			}
+
+			/*
+			 * See the comment in vm_fault_cow().
+			 */
+			if (src_object == dst_object &&
+			    (object->flags & OBJ_ONEMAPPING) == 0)
+				pmap_remove_all(src_m);
 			pmap_copy_page(src_m, dst_m);
 			VM_OBJECT_RUNLOCK(object);
 			dst_m->dirty = dst_m->valid = src_m->valid;
author	Mark Johnston <markj@FreeBSD.org>	2022-07-25 23:53:21 +0300
committer	Mark Johnston <markj@FreeBSD.org>	2022-08-09 22:58:12 +0300
commit	1120c36b075c9c0df22fc3d2e870ba8f85ceed2c (patch)
tree	93825313bbe217ada88c4fe214939af351b3621d
parent	0aa6d8576d9e7e4463323b82b7dac178f56237e0 (diff)