Check if the mapping for an vm_map_entry exists while holding its lock.

Prevent a race where the mapped object is being truncated while we are spinning
to unwire it.

Reported-by: syzbot+189cd03d088cddbee591@syzkaller.appspotmail.com

Adapted from NetBSD r1.207, ok miod@

1 files changed, 4 insertions, 4 deletions

diff --git a/sys/uvm/uvm_fault.c b/sys/uvm/uvm_fault.c
index 06b1c8b9198..4b904adf67f 100644
--- a/sys/uvm/uvm_fault.c
+++ b/sys/uvm/uvm_fault.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: uvm_fault.c,v 1.136 2024/11/02 10:23:34 mpi Exp $	*/
+/*	$OpenBSD: uvm_fault.c,v 1.137 2024/11/02 10:31:16 mpi Exp $	*/
 /*	$NetBSD: uvm_fault.c,v 1.51 2000/08/06 00:22:53 thorpej Exp $	*/
 
 /*
@@ -1651,9 +1651,6 @@ uvm_fault_unwire_locked(vm_map_t map, vaddr_t start, vaddr_t end)
 		panic("uvm_fault_unwire_locked: address not in map");
 
 	for (va = start; va < end ; va += PAGE_SIZE) {
-		if (pmap_extract(pmap, va, &pa) == FALSE)
-			continue;
-
 		/*
 		 * find the map entry for the current address.
 		 */
@@ -1679,6 +1676,9 @@ uvm_fault_unwire_locked(vm_map_t map, vaddr_t start, vaddr_t end)
 			oentry = entry;
 		}
 
+		if (!pmap_extract(pmap, va, &pa))
+			continue;
+
 		/*
 		 * if the entry is no longer wired, tell the pmap.
 		 */