git: cc81b8661d50 - stable/13 - vm_fault: Fix a racy copy of page valid bits
Date: Wed, 29 Jun 2022 14:40:55 UTC
The branch stable/13 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=cc81b8661d5085a470c0f1821fa68bee2d8fa39c
commit cc81b8661d5085a470c0f1821fa68bee2d8fa39c
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-06-14 20:36:54 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-06-29 14:12:34 +0000
vm_fault: Fix a racy copy of page valid bits

We do not hold the object lock or a page busy lock when copying src_m's
validity state. Prior to commit 45d72c7d7fca we marked dst_m as fully
valid.

Use the source object's read lock to ensure that valid bits are not
concurrently cleared.

Reviewed by: alc, kib
Fixes: 45d72c7d7fca ("vm_fault_copy_entry: accept invalid source pages.")
Sponsored by: The FreeBSD Foundation

(cherry picked from commit d0443e2b9832f01319bcaaece8102d998bf81f01)
---
sys/vm/vm_fault.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index 0e155ed1f39d..8981be84b5d2 100644
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@@ -2100,8 +2100,15 @@ again:
goto again;
}
pmap_copy_page(src_m, dst_m);
- VM_OBJECT_RUNLOCK(object);
+
+ /*
+ * The object lock does not guarantee that "src_m" will
+ * transition from invalid to valid, but it does ensure
+ * that "src_m" will not transition from valid to
+ * invalid.
+ */
dst_m->dirty = dst_m->valid = src_m->valid;
+ VM_OBJECT_RUNLOCK(object);
} else {
dst_m = src_m;
if (vm_page_busy_acquire(dst_m, VM_ALLOC_WAITFAIL) == 0)
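Review bot: The new comment above the "dst_m->dirty = dst_m->valid = src_m->valid;" assignment says the object lock "does not guarantee that src_m will transition from invalid to valid", which reads as if such a transition were expected. What the read lock leaves open is that the transition may still happen concurrently, so wording such as "does not prevent src_m from transitioning from invalid to valid" would be clearer. The comment should also say why a copy that misses such a transition is acceptable for dst_m, since both dirty and valid are set from that single read of src_m->valid while only the read lock is held.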