From: mpi Date: Tue, 16 Apr 2024 08:53:02 +0000 (+0000) Subject: Prevent a NULL dereference in error code path. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e24863265e34f4cfb83c826c02d5349776140d42;p=openbsd Prevent a NULL dereference in error code path. Under memory pressure allocating an amap chunk can fail. In such case it is not possible to call amap_wipeout() because the newly allocated amap isn't yet on the global list. Issue reported by bluhm@, ok jsg@ --- diff --git a/sys/uvm/uvm_amap.c b/sys/uvm/uvm_amap.c index 63dc8534081..fb85a3c91a8 100644 --- a/sys/uvm/uvm_amap.c +++ b/sys/uvm/uvm_amap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uvm_amap.c,v 1.92 2023/04/11 00:45:09 jsg Exp $ */ +/* $OpenBSD: uvm_amap.c,v 1.93 2024/04/16 08:53:02 mpi Exp $ */ /* $NetBSD: uvm_amap.c,v 1.27 2000/11/25 06:27:59 chs Exp $ */ /* @@ -662,9 +662,10 @@ amap_copy(struct vm_map *map, struct vm_map_entry *entry, int waitf, chunk = amap_chunk_get(amap, lcv, 1, PR_NOWAIT); if (chunk == NULL) { - /* amap_wipeout() releases the lock. */ - amap->am_ref = 0; - amap_wipeout(amap); + amap_unlock(srcamap); + /* Destroy the new amap. */ + amap->am_ref--; + amap_free(amap); return; }
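Review bot: In the `chunk == NULL` branch of the amap_copy() hunk, the new cleanup (`amap->am_ref--;` followed by `amap_free(amap);`) does not say what happens to state the new amap may already hold. The call `amap_chunk_get(amap, lcv, 1, PR_NOWAIT)` is indexed by `lcv`, so if the failure can occur at a non-zero `lcv`, the amap may already own chunks and anon references from earlier slots. amap_wipeout() is no longer called to tear those down, so the comment should state that amap_free() is sufficient for a partially populated amap, or the branch should release that state first. Two smaller points in the same branch: `amap->am_ref--` replaces the unconditional `amap->am_ref = 0`, so it relies on the count being exactly 1 at this point; a KASSERT or a short comment would document that invariant. The removed comment explained that amap_wipeout() dropped the lock; the added `amap_unlock(srcamap);` deserves an equivalent one-line note that the lock held here is the source amap's and that the new amap is not on the global list, as the commit message explains.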