From: Konstantin Belousov
Date: Tue, 5 Nov 2013 06:18:50 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r257680 - head/sys/vm

Author: kib
Date: Tue Nov 5 06:18:50 2013
New Revision: 257680
URL: http://svnweb.freebsd.org/changeset/base/257680

Log:
  Do not coalesce if the swap object belongs to a tmpfs vnode. The
  coalesce would extend the object to keep pages for the anonymous
  mapping created by the process. The pages have no relation to the
  tmpfs file content which could be written into the corresponding
  range, causing anonymous mapping and file content aliasing and
  subsequent corruption.

  Another lesser problem created by coalescing is over-accounting on the
  tmpfs node destruction, since the object size is subtracted from the
  total count of the pages owned by the tmpfs mount.

  Reported and tested by: bdrewery
  Sponsored by: The FreeBSD Foundation
  MFC after: 1 week

Modified:
  head/sys/vm/vm_object.c

Modified: head/sys/vm/vm_object.c ============================================================================== --- head/sys/vm/vm_object.c Tue Nov 5 06:13:46 2013 (r257679) +++ head/sys/vm/vm_object.c Tue Nov 5 06:18:50 2013 (r257680) @@ -2099,8 +2099,9 @@ vm_object_coalesce(vm_object_t prev_obje if (prev_object == NULL) return (TRUE); VM_OBJECT_WLOCK(prev_object); - if (prev_object->type != OBJT_DEFAULT && - prev_object->type != OBJT_SWAP) { + if ((prev_object->type != OBJT_DEFAULT && + prev_object->type != OBJT_SWAP) || + (prev_object->flags & OBJ_TMPFS) != 0) { VM_OBJECT_WUNLOCK(prev_object); return (FALSE); }
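
Review bot: the added `(prev_object->flags & OBJ_TMPFS) != 0` test in vm_object_coalesce() has no comment, so a reader of the function sees that tmpfs objects are refused but not why. The reason exists only in the commit log (extending the object would alias anonymous-mapping pages with tmpfs file content, and would over-account pages when the node is destroyed); a short comment above the `if` stating this would keep the rationale next to the check. Since the log describes these as swap objects belonging to a tmpfs vnode, the comment could also say that they pass the OBJT_SWAP type test, which is why the separate flag test is needed.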