From owner-dev-commits-src-branches@freebsd.org Mon Jun 21 14:22:06 2021
Date: Mon, 21 Jun 2021 14:22:05 GMT
Message-Id: <202106211422.15LEM5jt058063@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 4a77ce73eadf - stable/13 - amd64: Fix propagation of LDT updates
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 4a77ce73eadfe7ceddc3f2330028880b886401fd
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-branches@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commits to the stable branches of the FreeBSD src repository
X-List-Received-Date: Mon, 21 Jun 2021 14:22:06 -0000

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=4a77ce73eadfe7ceddc3f2330028880b886401fd

commit 4a77ce73eadfe7ceddc3f2330028880b886401fd
Author:     Mark Johnston
AuthorDate: 2021-06-14 21:32:18 +0000
Commit:     Mark Johnston
CommitDate: 2021-06-21 13:13:20 +0000

    amd64: Fix propagation of LDT updates

    When a process has used sysarch(2) to specify descriptors for its
    private LDT, upon rfork(RFMEM) descriptors are copied into the new child
    process. Any updates to the descriptors are thus reflected to all other
    processes sharing the vmspace. However, this is incorrect in the rather
    obscure case where the child process was created before the LDT was
    modified.

    Fix this by only modifying other processes which already share the LDT.

    Reported by: syzkaller
    Reviewed by: kib
    Sponsored by: The FreeBSD Foundation

    (cherry picked from commit 70dd5eebc025badb7b835dfee3915d8b5f1e7468)
---
 sys/amd64/amd64/sys_machdep.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/sys/amd64/amd64/sys_machdep.c b/sys/amd64/amd64/sys_machdep.c index 5a0145e76ccd..c10b15896132 100644 --- a/sys/amd64/amd64/sys_machdep.c +++ b/sys/amd64/amd64/sys_machdep.c 
@@ -492,15 +492,19 @@ set_user_ldt(struct mdproc *mdp) } static void -set_user_ldt_rv(struct vmspace *vmsp) +set_user_ldt_rv(void *arg) { - struct thread *td; + struct proc *orig, *target; + struct proc_ldt *ldt; + + orig = arg; + target = curthread->td_proc; - td = curthread; - if (vmsp != td->td_proc->p_vmspace) + ldt = (void *)atomic_load_acq_ptr((uintptr_t *)&orig->p_md.md_ldt); + if (target->p_md.md_ldt != ldt) return; - set_user_ldt(&td->td_proc->p_md); + set_user_ldt(&target->p_md); } struct proc_ldt * @@ -550,8 +554,7 @@ user_ldt_alloc(struct proc *p, int force) atomic_thread_fence_rel(); mdp->md_ldt = new_ldt; critical_exit(); - smp_rendezvous(NULL, (void (*)(void *))set_user_ldt_rv, NULL, - p->p_vmspace); + smp_rendezvous(NULL, set_user_ldt_rv, NULL, p); return (mdp->md_ldt); }
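
Review bot: in the first hunk, set_user_ldt_rv() reads orig->p_md.md_ldt with atomic_load_acq_ptr() but has no comment saying which store that load pairs with. A short comment pointing at the atomic_thread_fence_rel() followed by `mdp->md_ldt = new_ldt` in user_ldt_alloc() would make the ordering requirement reviewable. The `target->p_md.md_ldt != ldt` test also lets a CPU through when both pointers are NULL; if orig's LDT can never be NULL at this point, a KASSERT(ldt != NULL, ...) would document that, otherwise set_user_ldt() is reached for a process with no LDT and that path should be checked.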
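
Review bot: in the user_ldt_alloc() hunk, smp_rendezvous() is handed p and the callback then re-reads p->p_md.md_ldt, although new_ldt is already in hand at the call site. Consider whether passing new_ldt as the argument and comparing `target->p_md.md_ldt != arg` in the callback would do; that would remove the acquire load and the uintptr_t cast from set_user_ldt_rv(). If the proc pointer is passed deliberately, a comment above the call should say why. Dropping the `(void (*)(void *))` cast is a welcome cleanup, since the callback now has the signature smp_rendezvous() is called with.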