From ff3cc83262d602dbc6c2b1274d24f4f1a9dae1cd Mon Sep 17 00:00:00 2001 From: Mark Kettenis Date: Sun, 28 Mar 2010 18:00:52 +0000 Subject: Fix user-after-free bug in pmap_remove(). Page table pages are freed as soon as the last page table entry that was actually used is cleared. So make sure we check the page table page is still there for every page we remove. Otherwise we will bring back the tlb entry and cache lines when we touch the freed page, and we will create an illegal alias (non-equivalent mapping) as soon as the page gets re-used. Seems to fix the last remaining issue with fast page recycling (although I need to do a bit more testing to be sure). Help from drahn@, ok jsing@ and miod@ (for an earlier version of this diff) --- sys/arch/hppa/hppa/pmap.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/sys/arch/hppa/hppa/pmap.c b/sys/arch/hppa/hppa/pmap.c index 500afce5632..5303315aed8 100644 --- a/sys/arch/hppa/hppa/pmap.c +++ b/sys/arch/hppa/hppa/pmap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pmap.c,v 1.148 2010/03/16 17:12:50 miod Exp $ */ +/* $OpenBSD: pmap.c,v 1.149 2010/03/28 18:00:51 kettenis Exp $ */ /* * Copyright (c) 1998-2004 Michael Shalayeff @@ -886,14 +886,14 @@ pmap_remove(pmap, sva, eva) simple_lock(&pmap->pm_lock); - for (batch = 0, pdemask = 1; sva < eva; sva += PAGE_SIZE) { - if (pdemask != (sva & PDE_MASK)) { - pdemask = sva & PDE_MASK; - if (!(pde = pmap_pde_get(pmap->pm_pdir, sva))) { - sva = pdemask + (~PDE_MASK + 1) - PAGE_SIZE; - continue; - } - if (pdemask == sva && sva + (~PDE_MASK + 1) <= eva) + for (batch = 0; sva < eva; sva += PAGE_SIZE) { + pdemask = sva & PDE_MASK; + if (!(pde = pmap_pde_get(pmap->pm_pdir, sva))) { + sva = pdemask + (~PDE_MASK + 1) - PAGE_SIZE; + continue; + } + if (pdemask == sva) { + if (sva + (~PDE_MASK + 1) <= eva) batch = 1; else batch = 0; -- cgit v1.2.3