From owner-svn-src-all@freebsd.org Mon Feb 5 12:49:21 2018 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1B2CCEEDC3A; Mon, 5 Feb 2018 12:49:21 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id C333D71C5D; Mon, 5 Feb 2018 12:49:20 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id A54BDD29; Mon, 5 Feb 2018 12:49:20 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w15CnKnL020408; Mon, 5 Feb 2018 12:49:20 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id w15CnKxn020407; Mon, 5 Feb 2018 12:49:20 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201802051249.w15CnKxn020407@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org using -f From: Konstantin Belousov Date: Mon, 5 Feb 2018 12:49:20 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r328880 - head/sys/vm X-SVN-Group: head X-SVN-Commit-Author: kib X-SVN-Commit-Paths: head/sys/vm X-SVN-Commit-Revision: 328880 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Feb 2018 12:49:21 -0000 Author: kib Date: Mon Feb 5 12:49:20 2018 New Revision: 328880 URL: https://svnweb.freebsd.org/changeset/base/328880 Log: On munlock(), unwire correct page. It is possible, for complex fork()/collapse situations, to have sibling address spaces to partially share shadow chains. If one sibling performs wiring, it can happen that a transient page, invalid and busy, is installed into a shadow object which is visible to other sibling for the duration of vm_fault_hold(). When the backing object contains the valid page, and the wiring is performed on read-only entry, the transient page is eventually removed. But the sibling which observed the transient page might perform the unwire, executing vm_object_unwire(). There, the first page found in the shadow chain is considered as the page that was wired for the mapping. It is really the page below it which is wired. So we unwire the wrong page, either triggering the asserts of breaking the page' wire counter. As the fix, wait for the busy state to finish if we find such page during unwire, and restart the shadow chain walk after the sleep. Reported and tested by: pho Reviewed by: markj Sponsored by: The FreeBSD Foundation MFC after: 1 week Differential revision: https://reviews.freebsd.org/D14184 Modified: head/sys/vm/vm_object.c Modified: head/sys/vm/vm_object.c ============================================================================== --- head/sys/vm/vm_object.c Mon Feb 5 10:29:57 2018 (r328879) +++ head/sys/vm/vm_object.c Mon Feb 5 12:49:20 2018 (r328880) @@ -2278,7 +2278,7 @@ void vm_object_unwire(vm_object_t object, vm_ooffset_t offset, vm_size_t length, uint8_t queue) { - vm_object_t tobject; + vm_object_t tobject, t1object; vm_page_t m, tm; vm_pindex_t end_pindex, pindex, tpindex; int depth, locked_depth; @@ -2292,6 +2292,7 @@ vm_object_unwire(vm_object_t object, vm_ooffset_t offs return; pindex = OFF_TO_IDX(offset); end_pindex = pindex + atop(length); +again: locked_depth = 1; VM_OBJECT_RLOCK(object); m = vm_page_find_least(object, pindex); @@ -2325,16 +2326,26 @@ vm_object_unwire(vm_object_t object, vm_ooffset_t offs m = TAILQ_NEXT(m, listq); } vm_page_lock(tm); + if (vm_page_xbusied(tm)) { + for (tobject = object; locked_depth >= 1; + locked_depth--) { + t1object = tobject->backing_object; + VM_OBJECT_RUNLOCK(tobject); + tobject = t1object; + } + vm_page_busy_sleep(tm, "unwbo", true); + goto again; + } vm_page_unwire(tm, queue); vm_page_unlock(tm); next_page: pindex++; } /* Release the accumulated object locks. */ - for (depth = 0; depth < locked_depth; depth++) { - tobject = object->backing_object; - VM_OBJECT_RUNLOCK(object); - object = tobject; + for (tobject = object; locked_depth >= 1; locked_depth--) { + t1object = tobject->backing_object; + VM_OBJECT_RUNLOCK(tobject); + tobject = t1object; } }