cvs commit: src/sys/vm vm_object.c

Alan Cox alc at
Tue Mar 27 08:55:19 UTC 2007

alc         2007-03-27 08:55:18 UTC

  FreeBSD src repository

  Modified files:
    sys/vm               vm_object.c 
  Prevent a race between vm_object_collapse() and vm_object_split() from
  causing a crash.

  Suppose that we have two objects, obj and backing_obj, where
  backing_obj is obj's backing object.  Further, suppose that
  backing_obj has a reference count of two, one being the reference
  held by obj and the other by a map entry.  Now, suppose that the map
  entry is deallocated and its reference removed by
  vm_object_deallocate().  vm_object_deallocate() recognizes that the
  only remaining reference is from a shadow object, obj, and calls
  vm_object_collapse() on obj.  vm_object_collapse() executes

                  if (backing_object->ref_count == 1) {
                          /*
                           * If there is exactly one reference to the backing
                           * object, we can collapse it into the parent.
                           */
                          vm_object_backing_scan(object, OBSC_COLLAPSE_WAIT);

  vm_object_backing_scan(OBSC_COLLAPSE_WAIT) executes

          if (op & OBSC_COLLAPSE_WAIT) {
                  vm_object_set_flag(backing_object, OBJ_DEAD);

  Finally, suppose that either vm_object_backing_scan() or
  vm_object_collapse() sleeps releasing its locks.  At this instant,
  another thread executes vm_object_split().  It crashes in
  vm_object_reference_locked() on the assertion that the object is not
  dead.  If, however, assertions are not enabled, it crashes much later,
  after the object has been recycled, in vm_object_deallocate() because
  the shadow count and shadow list are inconsistent.

  Reviewed by: tegge
  Reported by: jhb
  MFC after:   1 week

  Revision  Changes    Path
  1.377     +8 -0      src/sys/vm/vm_object.c
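The interleaving described in the commit message, replayed deterministically as a small user-space model (an added example, not FreeBSD's code): the OBJ_DEAD value, the struct layout and the `guard` check in the split path are assumptions, and the page does not show what the committed eight-line change actually does.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model: the flag value and struct layout are assumptions, not the kernel's. */
#define OBJ_DEAD 0x0008
struct vm_object { int ref_count; unsigned flags; struct vm_object *backing_object; };
enum split_result { SPLIT_OK, SPLIT_DEFERRED, SPLIT_DEAD_OBJECT };

/* Models vm_object_reference_locked(): the kernel asserts the object is not
 * dead; a false return here stands in for that assertion firing. */
static bool reference_locked(struct vm_object *obj)
{
    if (obj->flags & OBJ_DEAD)
        return false;
    obj->ref_count++;
    return true;
}

/* Models vm_object_deallocate() dropping the map entry's reference: once only
 * the shadow object's reference is left, vm_object_collapse() calls
 * vm_object_backing_scan(OBSC_COLLAPSE_WAIT), which sets OBJ_DEAD on the
 * backing object and may then sleep, releasing its locks. */
static void deallocate_map_entry(struct vm_object *obj)
{
    struct vm_object *bo = obj->backing_object;
    if (--bo->ref_count == 1)
        bo->flags |= OBJ_DEAD;
}

/* Models the second thread's vm_object_split() taking a reference on the
 * backing object during that sleep. The 'guard' check is one possible
 * defence (an assumption); the page does not show the committed change itself. */
static enum split_result split(struct vm_object *obj, bool guard)
{
    struct vm_object *bo = obj->backing_object;
    if (guard && (bo->flags & OBJ_DEAD))
        return SPLIT_DEFERRED;  /* collapse in progress: leave it alone */
    return reference_locked(bo) ? SPLIT_OK : SPLIT_DEAD_OBJECT;
}

/* Replays the interleaving from the commit message on constructed objects:
 * backing_obj starts with two references, one from obj and one from a map entry. */
enum split_result run_scenario(bool map_entry_dropped, bool guard)
{
    struct vm_object backing = { 2, 0, NULL };
    struct vm_object obj = { 1, 0, &backing };
    if (map_entry_dropped)
        deallocate_map_entry(&obj);
    return split(&obj, guard);
}
```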

More information about the cvs-src mailing list