From be35ad05711194820f5255328ec8ef589bc60acb Mon Sep 17 00:00:00 2001 From: Martin Pieuchot Date: Sat, 16 Nov 2024 10:09:09 +0000 Subject: Do not dereference `pve' after releasing `pv_mtx'. Prevent a race where anything can happen on `pve' resulting in an incorrect locking of a given pmap. Found the hard way by sthen@. ok jsg@, miod@, kettenis@, jca@ --- sys/arch/i386/i386/pmapae.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sys/arch') diff --git a/sys/arch/i386/i386/pmapae.c b/sys/arch/i386/i386/pmapae.c index c8a0d668ed9..f5155942ebc 100644 --- a/sys/arch/i386/i386/pmapae.c +++ b/sys/arch/i386/i386/pmapae.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pmapae.c,v 1.74 2024/11/08 13:18:29 jsg Exp $ */ +/* $OpenBSD: pmapae.c,v 1.75 2024/11/16 10:09:08 mpi Exp $ */ /* * Copyright (c) 2006-2008 Michael Shalayeff @@ -1347,7 +1347,7 @@ pmap_page_remove_pae(struct vm_page *pg) pm = pve->pv_pmap; mtx_leave(&pg->mdpage.pv_mtx); - ptes = pmap_map_ptes_pae(pve->pv_pmap); /* locks pmap */ + ptes = pmap_map_ptes_pae(pm); /* locks pmap */ /* * We dropped the pvlist lock before grabbing the pmap
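Review bot: the replacement of `pve->pv_pmap` with `pm` on the `pmap_map_ptes_pae(...)` line in the `pmap_page_remove_pae` hunk is the right fix, since `pm = pve->pv_pmap;` is assigned while `pg->mdpage.pv_mtx` is still held and the removed line re-read `pve->pv_pmap` after `mtx_leave(&pg->mdpage.pv_mtx);`, which is exactly the window the commit message describes (anything can happen to `pve` once the pv list lock is dropped, so the pmap that gets locked may not be the one `pve` belonged to). Two follow-ups: the visible context stops at the comment "We dropped the pvlist lock before grabbing the pmap", so the rest of that block is not shown here; confirm that no other field of `pve` is read between the `mtx_leave` and the point where the pv list lock is retaken and `pve` is re-validated. Also consider extending the trailing comment on the new line, e.g. `/* locks pmap; pm was cached under pv_mtx, do not touch pve here */`, so the next edit in this function does not reintroduce the dereference.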