upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-02-12 15:24:40 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/sys/vm
History
Alan Cox 19c244d064 Prevent a race between vm_object_collapse() and vm_object_split() from 
causing a crash.

Suppose that we have two objects, obj and backing_obj, where
backing_obj is obj's backing object.  Further, suppose that
backing_obj has a reference count of two.  One being the reference
held by obj and the other by a map entry.  Now, suppose that the map
entry is deallocated and its reference removed by
vm_object_deallocate().  vm_object_deallocate() recognizes that the
only remaining reference is from a shadow object, obj, and calls
vm_object_collapse() on obj.  vm_object_collapse() executes

                if (backing_object->ref_count == 1) {
                        /*
                         * If there is exactly one reference to the backing
                         * object, we can collapse it into the parent.
                         */
                        vm_object_backing_scan(object, OBSC_COLLAPSE_WAIT);

vm_object_backing_scan(OBSC_COLLAPSE_WAIT) executes

        if (op & OBSC_COLLAPSE_WAIT) {
                vm_object_set_flag(backing_object, OBJ_DEAD);
        }

Finally, suppose that either vm_object_backing_scan() or
vm_object_collapse() sleeps releasing its locks.  At this instant,
another thread executes vm_object_split().  It crashes in
vm_object_reference_locked() on the assertion that the object is not
dead.  If, however, assertions are not enabled, it crashes much later,
after the object has been recycled, in vm_object_deallocate() because
the shadow count and shadow list are inconsistent.

Reviewed by: tegge
Reported by: jhb
MFC after: 1 week
2007-03-27 08:55:17 +00:00
..
default_pager.c /* -> /*- for license, minor formatting changes 2005-01-07 02:29:27 +00:00
device_pager.c Replace PG_BUSY with VPO_BUSY. In other words, changes to the page's 2006-10-22 04:28:14 +00:00
memguard.c Improve memguard a bit: 2005-12-30 11:45:07 +00:00
memguard.h Improve memguard a bit: 2005-12-30 11:45:07 +00:00
phys_pager.c Change the way that unmanaged pages are created. Specifically, 2007-02-25 06:14:58 +00:00
pmap.h Complete the transition from pmap_page_protect() to pmap_remove_write(). 2006-08-01 19:06:06 +00:00
redzone.c Add buffer corruption protection (RedZone) for kernel's malloc(9). 2006-01-31 11:09:21 +00:00
redzone.h Add buffer corruption protection (RedZone) for kernel's malloc(9). 2006-01-31 11:09:21 +00:00
swap_pager.c Use pause() rather than tsleep() on stack variables and function pointers. 2007-02-27 17:23:29 +00:00
swap_pager.h - Move 'struct swdevt' back into swap_pager.h and expose it to userland. 2007-02-07 17:43:11 +00:00
uma.h Add uma_set_align() interface, which will be called at most once during 2007-02-11 20:13:52 +00:00
uma_core.c Add uma_set_align() interface, which will be called at most once during 2007-02-11 20:13:52 +00:00
uma_dbg.c Improve canonicalization of copyrights. Order copyrights by order of 2005-07-16 09:51:52 +00:00
uma_dbg.h Improve canonicalization of copyrights. Order copyrights by order of 2005-07-16 09:51:52 +00:00
uma_int.h Wrap inlines in uma_int.h in #ifdef _KERNEL so that uma_int.h can be 2005-08-04 10:03:53 +00:00
vm.h Retire debug.mpsafevm. None of the architectures supported in CVS require 2006-07-21 23:22:49 +00:00
vm_contig.c Change the free page queue lock from a spin mutex to a default (blocking) 2007-02-05 06:02:55 +00:00
vm_extern.h Close race between vmspace_exitfree() and exit1() and races between 2006-05-29 21:28:56 +00:00
vm_fault.c vm_page_busy() no longer requires the page queues lock to be held. Reduce 2007-03-23 06:11:25 +00:00
vm_glue.c - Remove setrunqueue and replace it with direct calls to sched_add(). 2007-01-23 08:46:51 +00:00
vm_init.c Add the vm.exec_map_entries tunable and read-only sysctl, which controls 2005-04-25 19:22:05 +00:00
vm_kern.c Change the way that unmanaged pages are created. Specifically, 2007-02-25 06:14:58 +00:00
vm_kern.h The clean_map has been made local to vm_init.c long ago. 2006-11-20 16:23:34 +00:00
vm_map.c Two small changes to vm_map_pmap_enter(): 2007-03-25 19:33:40 +00:00
vm_map.h Close race between vmspace_exitfree() and exit1() and races between 2006-05-29 21:28:56 +00:00
vm_meter.c Remove a redundant pointer-type variable. 2006-11-20 08:33:55 +00:00
vm_mmap.c Sweep kernel replacing suser(9) calls with priv(9) calls, assigning 2006-11-06 13:42:10 +00:00
vm_object.c Prevent a race between vm_object_collapse() and vm_object_split() from 2007-03-27 08:55:17 +00:00
vm_object.h Eliminate OBJ_WRITEABLE. It hasn't been used in a long time. 2006-07-21 06:40:29 +00:00
vm_page.c Change the way that unmanaged pages are created. Specifically, 2007-02-25 06:14:58 +00:00
vm_page.h Change the way that unmanaged pages are created. Specifically, 2007-02-25 06:14:58 +00:00
vm_pageout.c Change the pagedaemon, vm_wait(), and vm_waitpfault() to sleep on the 2007-02-07 06:37:30 +00:00
vm_pageout.h /* -> /*- for license, minor formatting changes 2005-01-07 02:29:27 +00:00
vm_pageq.c Change the free page queue lock from a spin mutex to a default (blocking) 2007-02-05 06:02:55 +00:00
vm_pager.c Normalize a significant number of kernel malloc type names: 2005-10-31 15:41:29 +00:00
vm_pager.h Update some comments to reflect the change from spl-based to lock-based 2005-05-18 22:08:52 +00:00
vm_param.h /* -> /*- for license, minor formatting changes 2005-01-07 02:29:27 +00:00
vm_unix.c /* -> /*- for license, minor formatting changes 2005-01-07 02:29:27 +00:00
vm_zeroidle.c Use the free page queue mutex instead of the page queue mutex to 2007-02-11 05:18:40 +00:00
vnode_pager.c Long ago, revision 1.22 of vm/vm_pager.h introduced a bug. Specifically, 2006-10-14 23:21:48 +00:00
vnode_pager.h Move the body of vop_stdcreatevobject() over to the vnode_pager under 2005-01-24 21:21:59 +00:00