cvs commit: src/sys/vm vm_object.c

Alan Cox alc at FreeBSD.org
Tue Mar 27 08:55:19 UTC 2007


alc         2007-03-27 08:55:18 UTC

  FreeBSD src repository

  Modified files:
    sys/vm               vm_object.c 
  Log:
  Prevent a race between vm_object_collapse() and vm_object_split() from
  causing a crash.
  
  Suppose that we have two objects, obj and backing_obj, where
  backing_obj is obj's backing object.  Further, suppose that
  backing_obj has a reference count of two, one being the reference
  held by obj and the other by a map entry.  Now, suppose that the map
  entry is deallocated and its reference removed by
  vm_object_deallocate().  vm_object_deallocate() recognizes that the
  only remaining reference is from a shadow object, obj, and calls
  vm_object_collapse() on obj.  vm_object_collapse() executes
  
                  if (backing_object->ref_count == 1) {
                          /*
                           * If there is exactly one reference to the backing
                           * object, we can collapse it into the parent.
                           */
                          vm_object_backing_scan(object, OBSC_COLLAPSE_WAIT);
  
  vm_object_backing_scan(OBSC_COLLAPSE_WAIT) executes
  
          if (op & OBSC_COLLAPSE_WAIT) {
                  vm_object_set_flag(backing_object, OBJ_DEAD);
          }
  
  Finally, suppose that either vm_object_backing_scan() or
  vm_object_collapse() sleeps, releasing its locks.  At this instant,
  another thread executes vm_object_split().  It crashes in
  vm_object_reference_locked() on the assertion that the object is not
  dead.  If, however, assertions are not enabled, it crashes much later,
  after the object has been recycled, in vm_object_deallocate() because
  the shadow count and shadow list are inconsistent.
  
  Reviewed by: tegge
  Reported by: jhb
  MFC after: 1 week
  
  Revision  Changes    Path
  1.377     +8 -0      src/sys/vm/vm_object.c
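The interleaving the log describes, as an added toy model in C. This is constructed example code, not FreeBSD's vm_object.c: `struct vm_obj`, `obj_reference()`, `collapse_begin()`, `map_entry_release()` and the two `split_*()` functions are simplified stand-ins for the kernel routines named in the log, and the OBJ_DEAD check in `split_guarded()` is an assumed mitigation, since the committed eight-line fix is not shown on this page.

```c
/* Toy model of the vm_object_collapse()/vm_object_split() race. Constructed
 * example, not FreeBSD code; names mirror the log only for readability. */
#include <stdbool.h>
#include <stdio.h>

#define OBJ_DEAD 0x1

struct vm_obj {
	int ref_count;
	int shadow_count;            /* objects whose backing_object is this one */
	unsigned flags;
	struct vm_obj *backing_object;
};

enum outcome { SPLIT_DONE, SPLIT_DECLINED, SPLIT_HIT_DEAD };

/* Stand-in for vm_object_reference_locked(): the kernel asserts that the
 * object is not dead; the model reports the violation instead of panicking. */
static bool obj_reference(struct vm_obj *o)
{
	if (o->flags & OBJ_DEAD)
		return false;
	o->ref_count++;
	return true;
}

/* First half of the collapse path quoted in the log: with exactly one
 * reference left, the backing object is marked OBJ_DEAD. The collapsing
 * thread may then sleep with its locks released; that is the window. */
static void collapse_begin(struct vm_obj *shadow)
{
	struct vm_obj *bo = shadow->backing_object;
	if (bo != NULL && bo->ref_count == 1)
		bo->flags |= OBJ_DEAD;
}

/* The map entry drops its reference; the deallocate path then sees only
 * the shadow object's reference and starts the collapse. */
static void map_entry_release(struct vm_obj *backing_obj, struct vm_obj *shadow)
{
	backing_obj->ref_count--;
	if (backing_obj->ref_count == 1 && shadow->backing_object == backing_obj)
		collapse_begin(shadow);
}

/* vm_object_split() as the log describes it: the new object takes a
 * reference on the source object without looking at OBJ_DEAD. */
static enum outcome split_unguarded(struct vm_obj *orig, struct vm_obj *new_obj)
{
	struct vm_obj *source = orig->backing_object;
	if (source != NULL) {
		if (!obj_reference(source))
			return SPLIT_HIT_DEAD;   /* the assertion failure from the log */
		new_obj->backing_object = source;
		source->shadow_count++;
	}
	return SPLIT_DONE;
}

/* Hypothetical guarded variant (assumption; the real fix is not on the page):
 * decline to split while the source object is being collapsed. */
static enum outcome split_guarded(struct vm_obj *orig, struct vm_obj *new_obj)
{
	struct vm_obj *source = orig->backing_object;
	if (source != NULL && (source->flags & OBJ_DEAD))
		return SPLIT_DECLINED;
	return split_unguarded(orig, new_obj);
}

typedef enum outcome (*split_fn)(struct vm_obj *, struct vm_obj *);

/* Interleaving from the log: release (collapse marks dead, sleeps), then split. */
enum outcome run_race(split_fn split)
{
	struct vm_obj backing = { .ref_count = 2, .shadow_count = 1 };
	struct vm_obj obj = { .ref_count = 1, .backing_object = &backing };
	struct vm_obj new_obj = { .ref_count = 1 };

	map_entry_release(&backing, &obj);   /* thread A */
	return split(&obj, &new_obj);        /* thread B */
}

/* Same operations in the other order. The new object's reference keeps the
 * backing object's count above one, so no collapse starts. Returns the
 * final backing ref count, or -1 if the split did not complete. */
int run_ordered(split_fn split)
{
	struct vm_obj backing = { .ref_count = 2, .shadow_count = 1 };
	struct vm_obj obj = { .ref_count = 1, .backing_object = &backing };
	struct vm_obj new_obj = { .ref_count = 1 };

	if (split(&obj, &new_obj) != SPLIT_DONE)
		return -1;
	map_entry_release(&backing, &obj);
	return backing.ref_count;
}

int main(void)
{
	printf("race, unguarded split: %d (2 = referenced a dead object)\n",
	    run_race(split_unguarded));
	printf("race, guarded split:   %d (1 = declined)\n", run_race(split_guarded));
	printf("no race: backing ref_count after release = %d\n",
	    run_ordered(split_unguarded));
	return 0;
}
```

In the raced order the unguarded split references an object already marked dead, which is the assertion the log says fires; the guarded variant backs off instead. In the unraced order the split's extra reference keeps the count at two after the map entry releases, so no collapse is attempted at all.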