invlpg on a non-canonical address is a noop, so no chance to invalidate
the TLB and the CPU will not notice the access right change.

This results in write protection faults in supervisor mode when patching
kernel code through ddb(4) (originally mapped as read only).

Bug reported by David Laight on port-amd64@ (thanks!), patch and test by
me.

i386 is unaffected as PG_LGFRAME does not mask the sign bits. For the
sake of correctness, use VA_SIGN_NEG(...) anyway.

XXX this is the patch that will be pulled-up to -5 and -6.
jym 2012-05-07 12:20:27 +00:00
parent 7db24764fe
commit 6a8edbf721
1 changed files with 3 additions and 3 deletions

@ -1,4 +1,4 @@
/* $NetBSD: db_memrw.c,v 1.10 2012/05/07 12:12:04 jym Exp $ */
/* $NetBSD: db_memrw.c,v 1.11 2012/05/07 12:20:27 jym Exp $ */
/*-
* Copyright (c) 1996, 2000 The NetBSD Foundation, Inc.
@ -51,7 +51,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: db_memrw.c,v 1.10 2012/05/07 12:12:04 jym Exp $");
__KERNEL_RCSID(0, "$NetBSD: db_memrw.c,v 1.11 2012/05/07 12:20:27 jym Exp $");
#include <sys/param.h>
#include <sys/proc.h>
@ -123,7 +123,7 @@ db_write_text(vaddr_t addr, size_t size, const char *data)
* Get the VA for the page.
*/
if (pte & PG_PS)
pgva = (vaddr_t)dst & PG_LGFRAME;
pgva = VA_SIGN_NEG((vaddr_t)dst & PG_LGFRAME);
else
pgva = x86_trunc_page(dst);
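Review bot: the sign extension is applied only in the PG_PS branch, which is the right scope: `(vaddr_t)dst & PG_LGFRAME` clears the upper address bits on amd64 and produces a non-canonical address, so the later invlpg on `pgva` is silently ignored and the read-only mapping stays in the TLB, which is exactly the write-protection fault described in the commit message; the `else` branch needs no change because x86_trunc_page(dst) only rounds down to a page boundary and keeps the high bits intact. One suggestion: add a short comment above `pgva = VA_SIGN_NEG((vaddr_t)dst & PG_LGFRAME);` stating that the wrapper is required for canonical-address correctness, since the i386 copy of this code works without it (PG_LGFRAME there does not mask the sign bits) and a future cleanup could otherwise drop the VA_SIGN_NEG() call and silently reintroduce the bug.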