Date:      Thu, 8 Feb 2018 08:36:38 +0200
From:      Andriy Gapon <avg@FreeBSD.org>
To:        Steven Hartland <steven.hartland@multiplay.co.uk>, src-committers@FreeBSD.org, svn-src-all@FreeBSD.org, svn-src-head@FreeBSD.org
Subject:   Re: svn commit: r328996 - head/sys/kern
Message-ID:  <4b73bfc1-9b08-11e6-85a6-2b8e4d689a81@FreeBSD.org>
In-Reply-To: <1076365a-db07-0b28-9f97-3a7cc2a73dd6@multiplay.co.uk>
References:  <201802072152.w17Lq0gd048728@repo.freebsd.org> <1076365a-db07-0b28-9f97-3a7cc2a73dd6@multiplay.co.uk>

On 08/02/2018 00:41, Steven Hartland wrote:
> What would be the expected behavior if this was triggered, app crash or kernel
> panic...?

To be honest, I haven't analyzed it much.
I would expect either a crash when trying to unbusy a page that is not busy
or hanging while forever waiting for a leaked page to get unbusied or hitting
some KASSERT.

> On 07/02/2018 21:52, Andriy Gapon wrote:
>> Author: avg
>> Date: Wed Feb  7 21:51:59 2018
>> New Revision: 328996
>> URL: https://svnweb.freebsd.org/changeset/base/328996
>>
>> Log:
>>   exec_map_first_page: fix an inverse condition introduced in r254138
>>   
>>   While the bug itself was serious, as we could either pass a non-busied
>>   page to vm_pager_get_pages() or leak a busy page, it could only be
>>   triggered under a very rare condition where the page is already inserted
>>   into the object, but it is not valid yet.
>>   
>>   Reviewed by:	kib
>>   MFC after:	2 weeks
>>
>> Modified:
>>   head/sys/kern/kern_exec.c
>>
>> Modified: head/sys/kern/kern_exec.c
>> ==============================================================================
>> --- head/sys/kern/kern_exec.c	Wed Feb  7 20:36:37 2018	(r328995)
>> +++ head/sys/kern/kern_exec.c	Wed Feb  7 21:51:59 2018	(r328996)
>> @@ -1009,7 +1009,7 @@ exec_map_first_page(imgp)
>>  			if ((ma[i] = vm_page_next(ma[i - 1])) != NULL) {
>>  				if (ma[i]->valid)
>>  					break;
>> -				if (vm_page_tryxbusy(ma[i]))
>> +				if (!vm_page_tryxbusy(ma[i]))
>>  					break;
>>  			} else {
>>  				ma[i] = vm_page_alloc(object, i,
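Review bot: the `-`/`+` pair now matches the return convention of vm_page_tryxbusy() (non-zero on success), so the loop only keeps in ma[] pages it actually managed to xbusy: with the old test a successful busy fell straight into `break`, leaving ma[i] exclusive-busied but outside the count handed to vm_pager_get_pages() (the leaked busy page named in the log), while a failed busy fell through and let an unbusied page into the array. The fix is correct as far as the visible lines go, and on the new break path nothing needs undoing because the page was never busied. Since this exact condition stood inverted since r254138, I would add a one-line comment above the check, something like `/* Stop read-ahead at the first page we cannot xbusy. */`, so the intended direction of the test is obvious to the next reader; the preceding `if (ma[i]->valid) break;` would benefit from the same treatment, as the two breaks exist for different reasons.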
>>
> 


-- 
Andriy Gapon


