Date:      Thu, 25 Feb 2021 20:28:57 GMT
From:      Ryan Libby <rlibby@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: d7671ad8d6eb - main - Close races in vm object chain traversal for unlock
Message-ID:  <202102252028.11PKSvQL040951@gitrepo.freebsd.org>

The branch main has been updated by rlibby:

URL: https://cgit.FreeBSD.org/src/commit/?id=d7671ad8d6ebe205933628466dc0a52d32eea2e8

commit d7671ad8d6ebe205933628466dc0a52d32eea2e8
Author:     Ryan Libby <rlibby@FreeBSD.org>
AuthorDate: 2021-02-25 20:11:19 +0000
Commit:     Ryan Libby <rlibby@FreeBSD.org>
CommitDate: 2021-02-25 20:11:19 +0000

    Close races in vm object chain traversal for unlock
    
    We were unlocking the vm object before reading the backing_object field.
    In the meantime, the object could be freed and reused.  This could cause
    us to go off the rails in the object chain traversal, failing to unlock
    the rest of the objects in the original chain and corrupting the lock
    state of the victim chain.
    
    Reviewed by:    bdrewery, kib, markj, vangyzen
    MFC after:      3 days
    Sponsored by:   Dell EMC Isilon
    Differential Revision:  https://reviews.freebsd.org/D28926
---
 sys/fs/procfs/procfs_map.c | 5 +++--
 sys/kern/kern_proc.c       | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/sys/fs/procfs/procfs_map.c b/sys/fs/procfs/procfs_map.c
index a9893e5e10f0..e4969d795dcc 100644
--- a/sys/fs/procfs/procfs_map.c
+++ b/sys/fs/procfs/procfs_map.c
@@ -84,7 +84,7 @@ procfs_doprocmap(PFS_FILL_ARGS)
 	struct vnode *vp;
 	char *fullpath, *freepath, *type;
 	struct ucred *cred;
-	vm_object_t obj, tobj, lobj;
+	vm_object_t lobj, nobj, obj, tobj;
 	int error, privateresident, ref_count, resident, shadow_count, flags;
 	vm_offset_t e_start, e_end;
 	vm_eflags_t e_eflags;
@@ -144,7 +144,8 @@ procfs_doprocmap(PFS_FILL_ARGS)
 		}
 		if (obj != NULL)
 			kern_proc_vmmap_resident(map, entry, &resident, &super);
-		for (tobj = obj; tobj != NULL; tobj = tobj->backing_object) {
+		for (tobj = obj; tobj != NULL; tobj = nobj) {
+			nobj = tobj->backing_object;
 			if (tobj != obj && tobj != lobj)
 				VM_OBJECT_RUNLOCK(tobj);
 		}
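Review bot: The new `nobj = tobj->backing_object;` line is load-bearing only because it is sequenced before `VM_OBJECT_RUNLOCK(tobj)`, yet nothing in the code records that invariant, so a later cleanup could fold the read back into the for-clause and silently reintroduce the use-after-free the commit description describes. I would put a comment directly above that line, e.g. `/* Read backing_object while tobj is still locked; it may be freed once unlocked. */`. The same comment belongs on the matching line in the kern_proc.c hunk for kern_proc_vmmap_out, which has the identical loop. The body of procfs_doprocmap starts and ends outside this hunk; I am assuming obj and lobj, which this loop deliberately skips, are released later in code not shown.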
diff --git a/sys/kern/kern_proc.c b/sys/kern/kern_proc.c
index f8fed2573712..817cb9766bbf 100644
--- a/sys/kern/kern_proc.c
+++ b/sys/kern/kern_proc.c
@@ -2505,7 +2505,7 @@ kern_proc_vmmap_out(struct proc *p, struct sbuf *sb, ssize_t maxlen, int flags)
 	vm_map_entry_t entry, tmp_entry;
 	struct vattr va;
 	vm_map_t map;
-	vm_object_t obj, tobj, lobj;
+	vm_object_t lobj, nobj, obj, tobj;
 	char *fullpath, *freepath;
 	struct kinfo_vmentry *kve;
 	struct ucred *cred;
@@ -2551,8 +2551,8 @@ kern_proc_vmmap_out(struct proc *p, struct sbuf *sb, ssize_t maxlen, int flags)
 			    &kve->kve_resident, &super);
 			if (super)
 				kve->kve_flags |= KVME_FLAG_SUPER;
-			for (tobj = obj; tobj != NULL;
-			    tobj = tobj->backing_object) {
+			for (tobj = obj; tobj != NULL; tobj = nobj) {
+				nobj = tobj->backing_object;
 				if (tobj != obj && tobj != lobj)
 					VM_OBJECT_RUNLOCK(tobj);
 			}


