| #
369559 |
|
06-Apr-2021 |
markj |
vm_fault: Shoot down multiply mapped COW source page mappings
Reviewed by: kib, rlibby
Discussed with: alc
Approved by: so
Security: CVE-2021-29626
Security: FreeBSD-SA-21:08.vm
Git Hash: 71a0b26df14a18b720faaa924bd4e18fcb9638d5
Git Author: markj@FreeBSD.org
|
| #
345572 |
|
27-Mar-2019 |
kib |
MFC r345324:
vm_fault_copy_entry: accept invalid source pages.
|
| #
339204 |
|
05-Oct-2018 |
kib |
MFC r338999:
Correct vm_fault_copy_entry() handling of backing file truncation
after the file mapping was wired.
|
| #
339203 |
|
05-Oct-2018 |
kib |
MFC r338998:
In vm_fault_copy_entry(), we should not assert that entry is charged
if the dst_object is not of swap type.
|
| #
339202 |
|
05-Oct-2018 |
kib |
MFC r338997:
In vm_fault_copy_entry(), collect the code to initialize a newly
allocated dst_object in a single place.
|
| #
334697 |
|
06-Jun-2018 |
markj |
MFC r334389:
Typo.
PR: 228533
|
| #
333360 |
|
08-May-2018 |
kib |
MFC r333091:
Eliminate some vm object relocks in vm fault.
Approved by: re (marius)
|
| #
331921 |
|
03-Apr-2018 |
kib |
MFC r331557:
Allow to specify for vm_fault_quick_hold_pages() that nofault mode
should be honored.
|
| #
331722 |
|
29-Mar-2018 |
eadler |
Revert r330897:
This was intended to be a non-functional change. It wasn't. The commit
message was thus wrong. In addition it broke arm, and merged crypto
related code.
Revert with prejudice.
This revert skips files touched in r316370 since that commit was since
MFCed. This revert also skips files that require $FreeBSD$ property
changes.
Thank you to those who helped me get out of this mess including but not
limited to gonzo, kevans, rgrimes.
Requested by: gjb (re)
|
| #
330897 |
|
14-Mar-2018 |
eadler |
Partial merge of the SPDX changes
These changes are incomplete but are making it difficult
to determine what other changes can/should be merged.
No objections from: pfg
|
| #
329705 |
|
21-Feb-2018 |
kib |
MFC r329254:
Ensure memory consistency on COW.
|
| #
329704 |
|
21-Feb-2018 |
kib |
MFC r329252:
Do not call pmap_enter() with invalid protection mode.
|
| #
324399 |
|
07-Oct-2017 |
alc |
MFC r321386,321393
Utilize pmap_enter(..., psind=1) in vm_fault_soft_fast() on amd64. (The
Differential Revision discusses the benefits of this change.)
Add a function, vm_reserv_to_superpage(), that returns the superpage
containing the specified base page.
|
| #
323537 |
|
13-Sep-2017 |
kib |
MFC r322913:
Replace global swhash in swap pager with per-object trie to track swap
blocks assigned to the object pages.
MFC r322970 (by alc):
Do not call vm_pager_page_unswapped() on the fast fault path.
MFC r322971 (by alc):
Update a couple vm_object lock assertions in the swap pager.
MFC r323224:
In swp_pager_meta_build(), handle a race with other thread allocating
swapblk for our index while we dropped the object lock.
MFC r323226:
Do not leak empty swblk.
|
| #
320666 |
|
05-Jul-2017 |
kib |
Add MAP_GUARD and use it for stack grow area protection.
Bump __FreeBSD_version.
MFC r320317:
Implement address space guards.
MFC r320338:
Remove stale part of the comment.
MFC r320339:
Correctly handle small MAP_STACK requests.
MFC r320344:
For now, allow mprotect(2) over the guards to succeed regardless of
the requested protection.
MFC r320430:
Treat the addr argument for mmap(2) request without MAP_FIXED flag as
a hint.
MFC r320560 (by alc):
Modify vm_map_growstack() to protect itself from the possibility of the
gap entry in the vm map being smaller than the sysctl-derived stack guard
size.
|
| #
318716 |
|
23-May-2017 |
markj |
MFC r308474, r308691, r309203, r309365, r309703, r309898, r310720,
r308489, r308706:
Add PQ_LAUNDRY and remove PG_CACHED pages.
|
| #
316073 |
|
28-Mar-2017 |
kib |
MFC r315281:
Use atop() instead of OFF_TO_IDX() for convertion of addresses or
addresses offsets, as intended.
MFC r315580 (by alc):
Simplify the logic for clipping the range returned by the pager to fit
within the map entry.
Use atop() rather than OFF_TO_IDX() on addresses.
|
| #
315971 |
|
26-Mar-2017 |
kib |
MFC r315552:
Fix off-by-one in the vm_fault_populate() code.
|
| #
314589 |
|
03-Mar-2017 |
kib |
MFC r314195:
Properly handle possible underflow in vm_fault_prefault().
|
| #
312073 |
|
13-Jan-2017 |
kib |
MFC r309710:
Add a new populate() pager method and extend device pager ops vector
with cdev_pg_populate() to provide device drivers access to it.
MFC r310849:
Fix two similar bugs in the populate vm_fault() code.
|
| #
310109 |
|
15-Dec-2016 |
kib |
MFC r309709:
Move map_generation snapshot value into struct faultstate.
|
| #
309047 |
|
23-Nov-2016 |
kib |
MFC r308733:
Move the fast fault path into the separate function.
|
| #
308378 |
|
06-Nov-2016 |
alc |
MFC r308174, r308261
Move and revise a comment about the relation between the object's paging-
in-progress count and the vnode. Prior to r188331, we always acquired
the vnode lock before incrementing the object's paging-in-progress count.
Now, we increment it before attempting to acquire the vnode lock with
LK_NOWAIT, but we never sleep acquiring the vnode lock while we have the
count incremented.
In vm_fault()'s loop over the shadow chain, move a comment describing our
invariants to a better place. Also, add two comments concerning the
relationship between the map and vnode locks.
|
| #
308363 |
|
06-Nov-2016 |
kib |
MFC r308114:
Change remained internal uses of boolean_t to bool in vm/vm_fault.c.
|
| #
308361 |
|
06-Nov-2016 |
kib |
MFC r308109:
Remove vnode_locked label and goto.
|
| #
308359 |
|
06-Nov-2016 |
alc |
MFC r308096, r308098, r308112
With one exception, "hardfault" is used like a "bool". Change that
exception and make it a "bool".
The "lookup_still_valid" field is used as a "bool". Make it one.
Convert vm_fault_hold()'s Boolean variables that are only used
internally to "bool". Add a comment describing why the one
remaining "boolean_t" was not converted.
Merge and sort vm_fault_hold()'s "int" variable definitions.
|
| #
308331 |
|
05-Nov-2016 |
kib |
MFC r308094:
Add unlock_vp() helper.
MFC r308095 (by markj):
Add one more use of unlock_vp().
|
| #
307855 |
|
24-Oct-2016 |
kib |
MFC r307501:
If vm_fault_hold(9) finds that fs.m is wired, do not free it after a
pager error, leave the page to the wire owner.
|
| #
307744 |
|
21-Oct-2016 |
markj |
MFC r307236:
Plug a vnode lock leak in vm_fault_hold().
|
| #
303251 |
|
23-Jul-2016 |
alc |
MFC r303101
Add a comment describing the 'fast path' that was introduced in r270011.
Approved by: re (gjb)
|
| #
303161 |
|
21-Jul-2016 |
alc |
MFC r302980
Break up vm_fault()'s implementation of the read-ahead and delete-behind
optimizations into two distinct pieces. The first piece consists of the
code that should only be performed once per page fault and requires the
map to be locked. The second piece consists of the code that should be
performed each time a pager is called on an object in the shadow chain.
(This second piece expects the map to be unlocked.)
Previously, the entire implementation could be executed multiple times.
Moreover, the second and subsequent executions would occur with the map
unlocked. Usually, the ensuing unsynchronized accesses to the map were
harmless because the map was not changing. Nonetheless, it was possible
for a use-after-free error to occur, where vm_fault() wrote to a freed
map entry. This change corrects that problem.
Approved by: re (gjb)
|