Suppose a vnode is mapped with MAP_PROT and MAP_PRIVATE, mlock() is
called on the mapping, and then the vnode is truncated such that the
last page of the mapping becomes invalid. The now-invalid page will be
unmapped, but stays resident in the VM object to preserve the invariant
that a range of pages mapped by a wired map entry is always resident.
This invariant is checked by vm_object_unwire(), for example.
Then, suppose that the mapping is upgraded to PROT_READ|PROT_WRITE. We
will copy the invalid page into a new anonymous VM object. If the
process then forks, vm_object_split() may then be called on the object.
Upon encountering an invalid page, rather than moving it into the
destination object, it is removed. However, this is wrong when the
entry is wired, since the invalid page's wiring belongs to the map
entry; this behaviour also violates the invariant mentioned above.
Fix this by moving invalid pages into the destination object if the map
entry is wired. In this case we must not dirty the page, so add a flag
to vm_page_iter_rename() to control this.
Reported by: syzkaller
Reviewed by: dougm, kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D49443
(cherry picked from commit 43c1eb894a57ef30562a02708445c512610d4f02)
afbe2bb9e9