vm_fault: only rely on PG_ZERO when the page was newly allocated

Approved by:	so
Security:	FreeBSD-EN-26:03.vm

(cherry picked from commit cff67bc43df14d492ccc08ec92fddceadd069953)
(cherry picked from commit 99f641267d449f26a2e13449964f29d17897c29f)

sys/vm/vm_fault.c

@@ -139,6 +139,7 @@ struct faultstate {
 	vm_object_t	object;
 	vm_pindex_t	pindex;
 	vm_page_t	m;
+	bool		m_needs_zeroing;
 
 	/* Top-level map object. */
 	vm_object_t	first_object;
@@ -265,6 +266,7 @@ static void
 vm_fault_deallocate(struct faultstate *fs)
 {
 
+	fs->m_needs_zeroing = true;
 	vm_fault_page_release(&fs->m_cow);
 	vm_fault_page_release(&fs->m);
 	vm_object_pip_wakeup(fs->object);
@@ -1172,7 +1174,7 @@ vm_fault_zerofill(struct faultstate *fs)
 	/*
 	 * Zero the page if necessary and mark it valid.
 	 */
-	if ((fs->m->flags & PG_ZERO) == 0) {
+	if (fs->m_needs_zeroing) {
 		pmap_zero_page(fs->m);
 	} else {
 		VM_CNT_INC(v_ozfod);
@@ -1286,6 +1288,7 @@ vm_fault_allocate(struct faultstate *fs)
 			vm_waitpfault(dset, vm_pfault_oom_wait * hz);
 		return (FAULT_RESTART);
 	}
+	fs->m_needs_zeroing = (fs->m->flags & PG_ZERO) == 0;
 	fs->oom_started = false;
 
 	return (FAULT_CONTINUE);
@@ -1553,6 +1556,7 @@ vm_fault(vm_map_t map, vm_offset_t vaddr, vm_prot_t fault_type,
 	fs.fault_flags = fault_flags;
 	fs.map = map;
 	fs.lookup_still_valid = false;
+	fs.m_needs_zeroing = true;
 	fs.oom_started = false;
 	fs.nera = -1;
 	fs.can_read_lock = true;