Source-Changes-HG archive


[src/trunk]: src/sys/arch/hppa/hppa Pull across pmap_remove fix from OpenBSD.



details:   https://anonhg.NetBSD.org/src/rev/fa7b85f34f49
branches:  trunk
changeset: 753574:fa7b85f34f49
user:      skrll <skrll%NetBSD.org@localhost>
date:      Fri Apr 02 15:25:51 2010 +0000

description:
Pull across pmap_remove fix from OpenBSD.

Fix use-after-free bug in pmap_remove().  Page table pages are freed as soon
as the last page table entry that was actually used is cleared.  So make sure
we check the page table page is still there for every page we remove.
Otherwise we will bring back the tlb entry and cache lines when we touch the
freed page, and we will create an illegal alias (non-equivalent mapping)
as soon as the page gets re-used.

diffstat:

 sys/arch/hppa/hppa/pmap.c |  18 ++++++++----------
 1 files changed, 8 insertions(+), 10 deletions(-)

diffs (40 lines):

diff -r 93545d823ce0 -r fa7b85f34f49 sys/arch/hppa/hppa/pmap.c
--- a/sys/arch/hppa/hppa/pmap.c Fri Apr 02 15:25:04 2010 +0000
+++ b/sys/arch/hppa/hppa/pmap.c Fri Apr 02 15:25:51 2010 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: pmap.c,v 1.74 2010/03/19 07:35:29 skrll Exp $  */
+/*     $NetBSD: pmap.c,v 1.75 2010/04/02 15:25:51 skrll Exp $  */
 
 /*-
  * Copyright (c) 2001, 2002 The NetBSD Foundation, Inc.
@@ -65,7 +65,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.74 2010/03/19 07:35:29 skrll Exp $");
+__KERNEL_RCSID(0, "$NetBSD: pmap.c,v 1.75 2010/04/02 15:25:51 skrll Exp $");
 
 #include "opt_cputype.h"
 
@@ -1279,15 +1279,13 @@
 
        PMAP_LOCK(pmap);
 
-       for (batch = 0, pdemask = 1; sva < eva; sva += PAGE_SIZE) {
-               if (pdemask != (sva & PDE_MASK)) {
-                       pdemask = sva & PDE_MASK;
-                       if (!(pde = pmap_pde_get(pmap->pm_pdir, sva))) {
-                               sva = pdemask + PDE_SIZE - PAGE_SIZE;
-                               continue;
-                       }
-                       batch = pdemask == sva && sva + PDE_SIZE <= eva;
+       for (batch = 0; sva < eva; sva += PAGE_SIZE) {
+               pdemask = sva & PDE_MASK;
+               if (!(pde = pmap_pde_get(pmap->pm_pdir, sva))) {
+                       sva = pdemask + PDE_SIZE - PAGE_SIZE;
+                       continue;
                }
+               batch = pdemask == sva && sva + PDE_SIZE <= eva;
 
                if ((pte = pmap_pte_get(pde, sva))) {
 
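Review bot: `batch = pdemask == sva && sva + PDE_SIZE <= eva;` now runs on every iteration, so batch is non-zero only for the first page of a PDE-aligned range and drops back to 0 for every following page in the same PDE, whereas the old code computed it once per PDE and kept that value for the whole range. If the per-PDE behaviour is still wanted, update batch only when `sva & PDE_MASK` changes, while keeping the unconditional pmap_pde_get() call that this fix depends on. A short comment above the lookup saying that the page table page may have been freed by the previous iteration would stop the per-page lookup from being "optimised" back into a cached pde later. The `batch = 0` initialiser in the for statement is also dead now, since batch is assigned before any use in each iteration that does not `continue`.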


