Author: jeff Date: Fri Jan 17 03:44:04 2020 New Revision: 356822 URL: https://svnweb.freebsd.org/changeset/base/356822
Log: Fix a long standing bug that was made worse in r355765. When we are cowing a page that was previously mapped read-only it exists in pmap until pmap_enter() returns. However, we held no reference to the original page after the copy was complete. This allowed vm_object_scan_all_shadowed() to collapse an object that still had pages mapped. To resolve this, add another page pointer to the faultstate so we can keep the page xbusy until we're done with pmap_enter(). Handle busy pages in scan_all_shadowed. This is already done in vm_object_collapse_scan(). Reviewed by: kib, markj Differential Revision: https://reviews.freebsd.org/D23155 Modified: head/sys/vm/vm_fault.c head/sys/vm/vm_object.c Modified: head/sys/vm/vm_fault.c ============================================================================== --- head/sys/vm/vm_fault.c Fri Jan 17 01:20:48 2020 (r356821) +++ head/sys/vm/vm_fault.c Fri Jan 17 03:44:04 2020 (r356822) @@ -121,6 +121,7 @@ __FBSDID("$FreeBSD$"); struct faultstate { vm_page_t m; + vm_page_t m_cow; vm_object_t object; vm_pindex_t pindex; vm_page_t first_m; @@ -208,6 +209,7 @@ static void fault_deallocate(struct faultstate *fs) { + fault_page_release(&fs->m_cow); fault_page_release(&fs->m); vm_object_pip_wakeup(fs->object); if (fs->object != fs->first_object) { @@ -818,7 +820,7 @@ RetryFault_oom: fs.lookup_still_valid = true; - fs.m = fs.first_m = NULL; + fs.m_cow = fs.m = fs.first_m = NULL; /* * Search for the page at object/offset. @@ -1254,9 +1256,11 @@ readrest: vm_page_unwire(fs.m, PQ_INACTIVE); } /* - * We no longer need the old page or object. + * Save the cow page to be released after + * pmap_enter is complete. */ - fault_page_release(&fs.m); + fs.m_cow = fs.m; + fs.m = NULL; } /* * fs.object != fs.first_object due to above Modified: head/sys/vm/vm_object.c ============================================================================== --- head/sys/vm/vm_object.c Fri Jan 17 01:20:48 2020 (r356821) +++ head/sys/vm/vm_object.c Fri Jan 17 03:44:04 2020 (r356822) @@ -1605,6 +1605,14 @@ vm_object_scan_all_shadowed(vm_object_t object) break; /* + * If the backing object page is busy a grandparent or older + * page may still be undergoing CoW. It is not safe to + * collapse the backing object until it is quiesced. + */ + if (p != NULL && vm_page_busied(p)) + return (false); + + /* * See if the parent has the page or if the parent's object * pager has the page. If the parent has the page but the page * is not valid, the parent's object pager must have the page. @@ -1907,8 +1915,7 @@ vm_object_collapse(vm_object_t object) * If we do not entirely shadow the backing object, * there is nothing we can do so we give up. */ - if (object->resident_page_count != object->size && - !vm_object_scan_all_shadowed(object)) { + if (!vm_object_scan_all_shadowed(object)) { VM_OBJECT_WUNLOCK(backing_object); break; } _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "[email protected]"
