svn commit: r300758 - head/sys/vm

[Konstantin Belousov]

Author: kib
Date: Thu May 26 16:59:29 2016
New Revision: 300758
URL: https://svnweb.freebsd.org/changeset/base/300758

Log:
  Prevent parallel object collapses.  Both vm_object_collapse_scan() and
  swap_pager_copy() might unlock the object, which allows the parallel
  collapse to execute.  Besides destroying the object, it also might
  move the reference from parent to the backing object, firing the
  assertion ref_count == 1.
  
  Collapses are prevented by bumping paging_in_progress counters on both
  the object and its backing object.
  
  Reported by:	cem
  Tested by:	pho (previous version)
  Reviewed by:	alc
  Sponsored by:	The FreeBSD Foundation
  MFC after:	1 week
  X-Differential revision:	https://reviews.freebsd.org/D6085

Modified:
  head/sys/vm/vm_object.c

Modified: head/sys/vm/vm_object.c
==============================================================================
--- head/sys/vm/vm_object.c	Thu May 26 16:53:50 2016	(r300757)
+++ head/sys/vm/vm_object.c	Thu May 26 16:59:29 2016	(r300758)
@@ -1717,6 +1717,9 @@ vm_object_collapse(vm_object_t object)
 		 * case.
 		 */
 		if (backing_object->ref_count == 1) {
+			vm_object_pip_add(object, 1);
+			vm_object_pip_add(backing_object, 1);
+
 			/*
 			 * If there is exactly one reference to the backing
 			 * object, we can collapse it into the parent.
@@ -1788,11 +1791,13 @@ vm_object_collapse(vm_object_t object)
 			KASSERT(backing_object->ref_count == 1, (
 "backing_object %p was somehow re-referenced during collapse!",
 			    backing_object));
+			vm_object_pip_wakeup(backing_object);
 			backing_object->type = OBJT_DEAD;
 			backing_object->ref_count = 0;
 			VM_OBJECT_WUNLOCK(backing_object);
 			vm_object_destroy(backing_object);
 
+			vm_object_pip_wakeup(object);
 			object_collapses++;
 		} else {
 			/*