git: ffb21713d9fd - releng/15.0 - vm_fault: Reset m_needs_zeroing properly
Date: Tue, 21 Apr 2026 15:44:24 UTC
The branch releng/15.0 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=ffb21713d9fdaef1e416a4443c7bc234cfb5457d
commit ffb21713d9fdaef1e416a4443c7bc234cfb5457d
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2026-04-08 04:21:09 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-04-15 19:02:32 +0000
vm_fault: Reset m_needs_zeroing properly
- When allocating a page, we should only consider the PG_ZERO flag when
handling the top-level page.
- Unconditionally reset the flag when restarting the fault handler.
Previously, vm_fault_busy_sleep() would fail to reset it.
Approved by: so
Security: FreeBSD-EN-26:05.vm
PR: 294039
Reviewed by: kib
Tested by: Peter Much <pmc@citylink.dinoex.sub.org>
MFC after: 3 days
Fixes: cff67bc43df1 ("vm_fault: only rely on PG_ZERO when the page was newly allocated")
Differential Revision: https://reviews.freebsd.org/D56234
(cherry picked from commit 04132e01004316ddd0e0cde6ef15b100b7b1844d)
(cherry picked from commit 58718cf365933dc2c75d43f7154371344bf47286)
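An added illustration, not FreeBSD code: a small C model of the restart behaviour described in the second bullet of the commit message. The struct, the frames, the event sequence and every function name (model_fault, run_scenario, frame_is_zeroed) are constructed for this example and are not the kernel's real paths; the point it demonstrates is why per-attempt state such as m_needs_zeroing must be reset at the head of every attempt rather than only on one exit path, otherwise a value recorded for a page that was later dropped can decide the zero-fill of a different page.

```c
/* Constructed model of a page-fault handler's restart loop (not sys/vm code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SZ 16          /* tiny "page" for the model */
#define PG_ZERO 0x1         /* frame is known to be zero-filled */

struct frame {
    uint8_t  data[PAGE_SZ];
    unsigned flags;
};

struct faultstate {
    struct frame *m;          /* page being faulted in */
    bool m_needs_zeroing;     /* true unless m is known to be zero-filled */
};

/* Is the page the fault handed back fully zeroed? */
static bool
frame_is_zeroed(const struct frame *f)
{
    for (size_t i = 0; i < PAGE_SZ; i++)
        if (f->data[i] != 0)
            return (false);
    return (true);
}

/*
 * One fault, as a scripted sequence (constructed for the model):
 *   attempt 0: a fresh frame carrying PG_ZERO is allocated, the handler
 *              records that no zeroing is needed, then must give the frame
 *              up and restart through a path that does not reset the flag;
 *   attempt 1: a different, already-present frame is used and the
 *              allocation code that would recompute the flag is never run,
 *              so the zero-fill decision relies on whatever the flag holds.
 * reset_at_retry selects the fixed behaviour: reset at the head of every attempt.
 */
static struct frame *
model_fault(bool reset_at_retry, struct frame *fresh_zeroed, struct frame *existing)
{
    struct faultstate fs;
    int attempt = 0;

    fs.m = NULL;
    fs.m_needs_zeroing = true;        /* pre-fix: set once, before the retry label */

RetryFault:
    if (reset_at_retry)
        fs.m_needs_zeroing = true;    /* fix: per-attempt state, reset every time */

    if (attempt++ == 0) {
        /* Allocation path: PG_ZERO is trustworthy only for a newly allocated frame. */
        fs.m = fresh_zeroed;
        fs.m_needs_zeroing = (fs.m->flags & PG_ZERO) == 0;
        /* Frame must be dropped (e.g. busy sleep); restart without deallocate. */
        fs.m = NULL;
        goto RetryFault;
    }

    /* Second attempt: the flag is not recomputed on this path. */
    fs.m = existing;

    /* Zero-fill decision relies entirely on the flag. */
    if (fs.m_needs_zeroing)
        memset(fs.m->data, 0, PAGE_SZ);
    return (fs.m);
}

/* Constructed scenario: one pre-zeroed fresh frame, one frame holding stale data. */
static bool
run_scenario(bool reset_at_retry)
{
    struct frame fresh, existing;

    memset(&fresh, 0, sizeof(fresh));
    fresh.flags = PG_ZERO;                  /* already zero-filled */
    memset(existing.data, 0xAA, PAGE_SZ);   /* leftover contents from a previous user */
    existing.flags = 0;

    return (frame_is_zeroed(model_fault(reset_at_retry, &fresh, &existing)));
}

int
main(void)
{
    printf("reset only before the loop: page zeroed? %s\n",
        run_scenario(false) ? "yes" : "no");
    printf("reset at every attempt:     page zeroed? %s\n",
        run_scenario(true) ? "yes" : "no");
    return (0);
}
```

Without the per-attempt reset the stale `false` recorded for the dropped frame suppresses the zero-fill of the frame actually returned; with the reset at the label the second attempt starts from the safe default and the page is zeroed.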
---
sys/vm/vm_fault.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index f9711548e23e..fb9cf250ad5f 100644
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@@ -264,8 +264,6 @@ vm_fault_unlock_vp(struct faultstate *fs)
static void
vm_fault_deallocate(struct faultstate *fs)
{
-
- fs->m_needs_zeroing = true;
vm_fault_page_release(&fs->m_cow);
vm_fault_page_release(&fs->m);
vm_object_pip_wakeup(fs->object);
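Review bot: dropping the reset from vm_fault_deallocate() means this exit path no longer restores m_needs_zeroing, so correctness now rests entirely on every route back to RetryFault passing through the new assignment at that label; a one-line comment at the struct field stating that m_needs_zeroing is per-attempt state would make that invariant explicit. The removed blank line after the opening brace is an unrelated whitespace change and could be mentioned as such in the message.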
@@ -1298,7 +1296,8 @@ vm_fault_allocate(struct faultstate *fs, struct pctrie_iter *pages)
vm_waitpfault(dset, vm_pfault_oom_wait * hz);
return (FAULT_RESTART);
}
- fs->m_needs_zeroing = (fs->m->flags & PG_ZERO) == 0;
+ if (fs->object == fs->first_object)
+ fs->m_needs_zeroing = (fs->m->flags & PG_ZERO) == 0;
fs->oom_started = false;
return (FAULT_CONTINUE);
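Review bot: the new guard `if (fs->object == fs->first_object)` leaves m_needs_zeroing untouched when the allocation is for a backing object, which is only right because the flag was set to true at RetryFault before any allocation in this attempt; a short comment here saying that the flag describes the top-level page only, and so must not be overwritten by the PG_ZERO state of a page allocated lower in the chain, would save the next reader from having to reconstruct that from the commit message.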
@@ -1589,7 +1588,6 @@ vm_fault(vm_map_t map, vm_offset_t vaddr, vm_prot_t fault_type,
fs.fault_flags = fault_flags;
fs.map = map;
fs.lookup_still_valid = false;
- fs.m_needs_zeroing = true;
fs.oom_started = false;
fs.nera = -1;
fs.can_read_lock = true;
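Review bot: with `fs.m_needs_zeroing = true;` removed from this one-time initialisation block the field is uninitialised until the RetryFault label; nothing in the visible lines reads it in that window, but it is worth confirming that no code between this block and the label does, since a future addition there would see an indeterminate value.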
@@ -1598,6 +1596,7 @@ vm_fault(vm_map_t map, vm_offset_t vaddr, vm_prot_t fault_type,
RetryFault:
fs.fault_type = fault_type;
+ fs.m_needs_zeroing = true;
/*
* Find the backing store object and offset into it to begin the
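Review bot: the assignment at RetryFault is the actual fix, since every `goto RetryFault`, including the busy-sleep restart the commit message names, now passes through it, and placing it beside `fs.fault_type = fault_type;`, the other per-attempt field, is the right spot; a brief comment ("per-attempt state, reset on every restart") would prevent a later cleanup from hoisting it back above the label, which is exactly the arrangement this change removes.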