git: dd349089ff92 - releng/13.0 - vm_fault: Shoot down shared mappings in vm_fault_copy_entry()

The branch releng/13.0 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=dd349089ff92643f084fdef2cd8bb07659c82aaf

commit dd349089ff92643f084fdef2cd8bb07659c82aaf
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-07-25 20:53:21 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-08-09 19:59:49 +0000

    vm_fault: Shoot down shared mappings in vm_fault_copy_entry()
    
    As in vm_fault_cow(), it's possible, albeit rare, for multiple vm_maps
    to share a shadow object.  When copying a page from a backing object
    into the shadow, all mappings of the source page must therefore be
    removed.  Otherwise, future operations on the object tree may detect
    that the source page is fully shadowed and thus can be freed.
    
    Approved by:    so
    Security:       FreeBSD-SA-22:11.vm
    Reviewed by:    alc, kib
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D35635
    
    (cherry picked from commit 5c50e900ad779fccbf0a230bfb6a68a3e93ccf60)
    (cherry picked from commit 3ea8c7ad90f75129c52a2b64213c5578af23dc8d)
---
 sys/vm/vm_fault.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index 8b212f3f84e5..da15ed5f4254 100644
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@@ -2018,6 +2018,13 @@ again:
 				VM_OBJECT_WLOCK(dst_object);
 				goto again;
 			}
+
+			/*
+			 * See the comment in vm_fault_cow().
+			 */
+			if (src_object == dst_object &&
+			    (object->flags & OBJ_ONEMAPPING) == 0)
+				pmap_remove_all(src_m);
 			pmap_copy_page(src_m, dst_m);
 			VM_OBJECT_RUNLOCK(object);
 			dst_m->dirty = dst_m->valid = src_m->valid;