From 160f9286fd8b6e358244e2642c3068c9484d82d0 Mon Sep 17 00:00:00 2001
From: Samuel Thibault
Date: Mon, 14 Aug 2023 22:05:39 +0200
Subject: pmap: Fix mayhem when releasing near the end of virtual memory

l is used to skip over the area mapped by a whole pde. It was clipped to e, but if e is already near the end of virtual memory, l will wrap-around to 0, and mayhem entails.
---
 i386/intel/pmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/i386/intel/pmap.c b/i386/intel/pmap.c
index d15e2418..6218b27a 100644
--- a/i386/intel/pmap.c
+++ b/i386/intel/pmap.c
@@ -1713,7 +1713,7 @@ void pmap_remove(
 	    pt_entry_t *pde = pmap_pde(map, s);
 	    l = (s + PDE_MAPPED_SIZE) & ~(PDE_MAPPED_SIZE-1);
-	    if (l > e)
+	    if (l > e || l < s)
 		l = e;
 	    if (pde && (*pde & INTEL_PTE_VALID)) {
 		spte = (pt_entry_t *)ptetokv(*pde);
@@ -1948,7 +1948,7 @@ void pmap_protect(
 	    pt_entry_t *pde = pde = pmap_pde(map, s);
 	    l = (s + PDE_MAPPED_SIZE) & ~(PDE_MAPPED_SIZE-1);
-	    if (l > e)
+	    if (l > e || l < s)
 		l = e;
 	    if (pde && (*pde & INTEL_PTE_VALID)) {
 		spte = (pt_entry_t *)ptetokv(*pde);
--
cgit v1.2.3
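Review bot: The new `l < s` test in both hunks (pmap_remove here and pmap_protect below) is an unsigned wrap-around check, but nothing at the site says so, and a reader will wonder how a span's end can sit below its start. A why-comment above the `if` would carry the intent, e.g. `/* s + PDE_MAPPED_SIZE may wrap past the top of the address space; a wrapped l is below s, so clip it to e as well. */`. The test only works because s, e and l are unsigned (presumably vm_offset_t, declared outside the hunk); the comment should state that assumption since a signed type would silently defeat it. The two stanzas are byte-identical, so they are a candidate for a small shared static helper to keep future fixes in lockstep, though that is beyond this change. The enclosing loops of pmap_remove and pmap_protect start and end outside the hunks, so the value of e on entry cannot be checked from here.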