git: c718009884b3 - main - vm_map.c: plug several more places which might modify entry->offset

Reply: tuexen_a_freebsd.org: "Re: git: c718009884b3 - main - vm_map.c: plug several more places which might modify entry->offset"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Fri, 18 Aug 2023 12:44:04 UTC

The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=c718009884b3d65528deaff24712cbf98e3be656

commit c718009884b3d65528deaff24712cbf98e3be656
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-08-15 19:05:33 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-08-18 12:43:35 +0000

    vm_map.c: plug several more places which might modify entry->offset
    
    for the GUARD entries protecting stacks gaps.
    
    syzkaller: https://syzkaller.appspot.com/bug?extid=c325d6a75e4fd0a68714
    Reviewed by:    dougm, markj (previous version)
    Tested by:      pho (previous version)
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential revision:  https://reviews.freebsd.org/D41475
---
 sys/vm/vm_map.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index 252b58ad2924..f609d1fd68d7 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -1413,7 +1413,9 @@ vm_map_entry_link(vm_map_t map, vm_map_entry_t entry)
 		KASSERT(entry->end < root->end,
 		    ("%s: clip_start not within entry", __func__));
 		vm_map_splay_findprev(root, &llist);
-		root->offset += entry->end - root->start;
+		if ((root->eflags & (MAP_ENTRY_STACK_GAP_DN |
+		    MAP_ENTRY_STACK_GAP_UP)) == 0)
+			root->offset += entry->end - root->start;
 		root->start = entry->end;
 		max_free_left = vm_map_splay_merge_pred(header, entry, llist);
 		max_free_right = root->max_free = vm_size_max(
@@ -1429,7 +1431,9 @@ vm_map_entry_link(vm_map_t map, vm_map_entry_t entry)
 		KASSERT(entry->end == root->end,
 		    ("%s: clip_start not within entry", __func__));
 		vm_map_splay_findnext(root, &rlist);
-		entry->offset += entry->start - root->start;
+		if ((entry->eflags & (MAP_ENTRY_STACK_GAP_DN |
+		    MAP_ENTRY_STACK_GAP_UP)) == 0)
+			entry->offset += entry->start - root->start;
 		root->end = entry->start;
 		max_free_left = root->max_free = vm_size_max(
 		    vm_map_splay_merge_left(header, root, llist),
@@ -1463,6 +1467,8 @@ vm_map_entry_unlink(vm_map_t map, vm_map_entry_t entry,
 	vm_map_splay_findnext(root, &rlist);
 	if (op == UNLINK_MERGE_NEXT) {
 		rlist->start = root->start;
+		MPASS((rlist->eflags & (MAP_ENTRY_STACK_GAP_DN |
+		    MAP_ENTRY_STACK_GAP_UP) == 0);
 		rlist->offset = root->offset;
 	}
 	if (llist != header) {
@@ -3103,7 +3109,8 @@ vm_map_madvise(
 		    entry = vm_map_entry_succ(entry)) {
 			vm_offset_t useEnd, useStart;
 
-			if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) != 0)
+			if ((entry->eflags & (MAP_ENTRY_IS_SUB_MAP |
+			    MAP_ENTRY_GUARD)) != 0)
 				continue;
 
 			/*