[src/trunk]: src/sys/uvm fix two bugs reported in

[chs <chs%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/798e39717dc1
branches:  trunk
changeset: 1002548:798e39717dc1
user:      chs <chs%NetBSD.org@localhost>
date:      Mon Aug 05 17:36:42 2019 +0000

description:
fix two bugs reported in
https://syzkaller.appspot.com/bug?id=8840dce484094a926e1ec388ffb83acb2fa291c9

 - in uvm_fault_check(), if the map entry is wired, handle the fault the same way
   that we would handle UVM_FAULT_WIRE.  faulting on wired mappings is valid
   if the mapped object was truncated and then later grown again.

 - in uvm_fault_unwire_locked(), we must hold the locks for the vm_map_entry
   while calling pmap_extract() in order to avoid races with the mapped object
   being truncated while we are unwiring it.

Reported-by: syzbot+2e0ae2fc35ab7301c7b8%syzkaller.appspotmail.com@localhost

diffstat:

 sys/uvm/uvm_fault.c |  14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

diffs (50 lines):

diff -r fa8c81ad8af4 -r 798e39717dc1 sys/uvm/uvm_fault.c
--- a/sys/uvm/uvm_fault.c       Mon Aug 05 16:24:48 2019 +0000
+++ b/sys/uvm/uvm_fault.c       Mon Aug 05 17:36:42 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uvm_fault.c,v 1.206 2019/05/28 08:59:35 msaitoh Exp $  */
+/*     $NetBSD: uvm_fault.c,v 1.207 2019/08/05 17:36:42 chs Exp $      */
 
 /*
  * Copyright (c) 1997 Charles D. Cranor and Washington University.
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uvm_fault.c,v 1.206 2019/05/28 08:59:35 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uvm_fault.c,v 1.207 2019/08/05 17:36:42 chs Exp $");
 
 #include "opt_uvmhist.h"
 
@@ -996,8 +996,11 @@
         */
 
        flt->enter_prot = ufi->entry->protection;
-       if (VM_MAPENT_ISWIRED(ufi->entry))
+       if (VM_MAPENT_ISWIRED(ufi->entry)) {
                flt->wire_mapping = true;
+               flt->wire_paging = true;
+               flt->narrow = true;
+       }
 
        if (flt->wire_mapping) {
                flt->access_type = flt->enter_prot; /* full access for wired */
@@ -2437,8 +2440,6 @@
 
        oentry = NULL;
        for (va = start; va < end; va += PAGE_SIZE) {
-               if (pmap_extract(pmap, va, &pa) == false)
-                       continue;
 
                /*
                 * find the map entry for the current address.
@@ -2469,6 +2470,9 @@
                 * if the entry is no longer wired, tell the pmap.
                 */
 
+               if (!pmap_extract(pmap, va, &pa))
+                       continue;
+
                if (VM_MAPENT_ISWIRED(entry) == 0)
                        pmap_unwire(pmap, va);