Index: vm_map.c =================================================================== --- vm_map.c +++ vm_map.c @@ -966,55 +966,92 @@ } /* - * vm_map_entry_set_max_free: + * vm_map_entry_max_free_{left,right}: * - * Set the max_free field in a vm_map_entry. + * Compute the size of the largest free gap between two entries, + * one the root of a tree and the other the ancestor of that root + * that is the least or greatest ancestor found on the search path. */ -static inline void -vm_map_entry_set_max_free(vm_map_entry_t entry) +static inline vm_size_t +vm_map_entry_max_free_left(vm_map_entry_t root, vm_map_entry_t left_ancestor) { - vm_map_entry_t child; - vm_size_t max_left, max_right; - child = entry->left; - max_left = (child != NULL) ? child->max_free : - entry->start - entry->prev->end; - child = entry->right; - max_right = (child != NULL) ? child->max_free : - entry->next->start - entry->end; - entry->max_free = MAX(max_left, max_right); + return (root->left != NULL ? + root->left->max_free : root->start - left_ancestor->end); } -#define SPLAY_LEFT_STEP(root, y, rlist, test) do { \ - y = root->left; \ - if (y != NULL && (test)) { \ - /* Rotate right and make y root. */ \ - root->left = y->right; \ - y->right = root; \ - vm_map_entry_set_max_free(root); \ - root = y; \ - y = root->left; \ - } \ - /* Put root on rlist. */ \ - root->left = rlist; \ - rlist = root; \ - root = y; \ +static inline vm_size_t +vm_map_entry_max_free_right(vm_map_entry_t root, vm_map_entry_t right_ancestor) +{ + + return (root->right != NULL ? + root->right->max_free : right_ancestor->start - root->end); +} + +#define SPLAY_LEFT_STEP(root, y, rlist, test) do { \ + vm_size_t max_free; \ + \ + /* \ + * Infer root->right->max_free == root->max_free when \ + * y->max_free < root->max_free || root->max_free == 0. \ + * Otherwise, look right to find it. \ + */ \ + y = root->left; \ + max_free = root->max_free; \ + KASSERT(max_free >= vm_map_entry_max_free_right(root, rlist), \ + ("%s: max_free invariant fails", __func__)); \ + if (y == NULL ? max_free > 0 : max_free - 1 < y->max_free) \ + max_free = vm_map_entry_max_free_right(root, rlist); \ + if (y != NULL && (test)) { \ + /* Rotate right and make y root. */ \ + root->left = y->right; \ + y->right = root; \ + if (max_free < y->max_free) \ + root->max_free = max_free = MAX(max_free, \ + vm_map_entry_max_free_left(root, y)); \ + root = y; \ + y = root->left; \ + } \ + /* Copy right->max_free. Put root on rlist. */ \ + root->max_free = max_free; \ + KASSERT(max_free == vm_map_entry_max_free_right(root, rlist), \ + ("%s: max_free not copied from right", __func__)); \ + root->left = rlist; \ + rlist = root; \ + root = y; \ } while (0) -#define SPLAY_RIGHT_STEP(root, y, llist, test) do { \ - y = root->right; \ - if (y != NULL && (test)) { \ - /* Rotate left and make y root. */ \ - root->right = y->left; \ - y->left = root; \ - vm_map_entry_set_max_free(root); \ - root = y; \ - y = root->right; \ - } \ - /* Put root on llist. */ \ - root->right = llist; \ - llist = root; \ - root = y; \ +#define SPLAY_RIGHT_STEP(root, y, llist, test) do { \ + vm_size_t max_free; \ + \ + /* \ + * Infer root->left->max_free == root->max_free when \ + * y->max_free < root->max_free || root->max_free == 0. \ + * Otherwise, look left to find it. \ + */ \ + y = root->right; \ + max_free = root->max_free; \ + KASSERT(max_free >= vm_map_entry_max_free_left(root, llist), \ + ("%s: max_free invariant fails", __func__)); \ + if (y == NULL ? max_free > 0 : max_free - 1 < y->max_free) \ + max_free = vm_map_entry_max_free_left(root, llist); \ + if (y != NULL && (test)) { \ + /* Rotate left and make y root. */ \ + root->right = y->left; \ + y->left = root; \ + if (max_free < y->max_free) \ + root->max_free = max_free = MAX(max_free, \ + vm_map_entry_max_free_right(root, y)); \ + root = y; \ + y = root->right; \ + } \ + /* Copy left->max_free. Put root on llist. */ \ + root->max_free = max_free; \ + KASSERT(max_free == vm_map_entry_max_free_left(root, llist), \ + ("%s: max_free not copied from left", __func__)); \ + root->right = llist; \ + llist = root; \ + root = y; \ } while (0) /* @@ -1023,18 +1060,23 @@ * addr. Treat pointers to nodes with max_free < length as NULL pointers. * llist and rlist are the two sides in reverse order (bottom-up), with llist * linked by the right pointer and rlist linked by the left pointer in the - * vm_map_entry. + * vm_map_entry, and both lists terminated by &map->header, which should be the + * value of both list parameters on entry. */ static vm_map_entry_t vm_map_splay_split(vm_offset_t addr, vm_size_t length, - vm_map_entry_t root, vm_map_entry_t *out_llist, vm_map_entry_t *out_rlist) + vm_map_entry_t root, vm_map_entry_t *io_llist, vm_map_entry_t *io_rlist) { vm_map_entry_t llist, rlist; vm_map_entry_t y; - llist = NULL; - rlist = NULL; + llist = *io_llist; + rlist = *io_rlist; while (root != NULL && root->max_free >= length) { + KASSERT(llist->end <= addr && addr < rlist->start, + ("%s: addr not within tree bounds", __func__)); + KASSERT(llist->end <= root->start && root->end <= rlist->start, + ("%s: root not within tree bounds", __func__)); if (addr < root->start) { SPLAY_LEFT_STEP(root, y, rlist, y->max_free >= length && addr < y->start); @@ -1044,8 +1086,8 @@ } else break; } - *out_llist = llist; - *out_rlist = rlist; + *io_llist = llist; + *io_rlist = rlist; return (root); } @@ -1073,44 +1115,64 @@ *iolist = llist; } +static inline void +vm_map_entry_swap(vm_map_entry_t *a, vm_map_entry_t *b) +{ + vm_map_entry_t tmp; + + tmp = *b; + *b = *a; + *a = tmp; +} + /* * Walk back up the two spines, flip the pointers and set max_free. The * subtrees of the root go at the bottom of llist and rlist. */ -static vm_map_entry_t -vm_map_splay_merge(vm_map_entry_t root, - vm_map_entry_t llist, vm_map_entry_t rlist, - vm_map_entry_t ltree, vm_map_entry_t rtree) +static void +vm_map_splay_merge(vm_map_entry_t root, vm_map_entry_t header, + vm_map_entry_t llist, vm_map_entry_t rlist) { - vm_map_entry_t y; + vm_map_entry_t prev; + vm_size_t max_free_left, max_free_right; - while (llist != NULL) { - y = llist->right; - llist->right = ltree; - vm_map_entry_set_max_free(llist); - ltree = llist; - llist = y; + max_free_left = vm_map_entry_max_free_left(root, llist); + if (llist != header) { + prev = root->left; + do { + /* The max_free values of the children of llist are in + * llist->max_free and max_free_left. Update with the + * max value. + */ + llist->max_free = max_free_left = + MAX(llist->max_free, max_free_left); + vm_map_entry_swap(&llist->right, &prev); + vm_map_entry_swap(&prev, &llist); + } while (llist != header); + root->left = prev; } - while (rlist != NULL) { - y = rlist->left; - rlist->left = rtree; - vm_map_entry_set_max_free(rlist); - rtree = rlist; - rlist = y; - } - /* - * Final assembly: add ltree and rtree as subtrees of root. - */ - root->left = ltree; - root->right = rtree; - vm_map_entry_set_max_free(root); + max_free_right = vm_map_entry_max_free_right(root, rlist); + if (rlist != header) { + prev = root->right; + do { + /* The max_free values of the children of rlist are in + * rlist->max_free and max_free_right. Update with the + * max value. + */ + rlist->max_free = max_free_right = + MAX(rlist->max_free, max_free_right); + vm_map_entry_swap(&rlist->left, &prev); + vm_map_entry_swap(&prev, &rlist); + } while (rlist != header); + root->right = prev; + } - return (root); + root->max_free = MAX(max_free_left, max_free_right); } /* - * vm_map_entry_splay: + * vm_map_splay: * * The Sleator and Tarjan top-down splay algorithm with the * following variation. Max_free must be computed bottom-up, so @@ -1127,14 +1189,15 @@ * Returns: the new root. */ static vm_map_entry_t -vm_map_entry_splay(vm_offset_t addr, vm_map_entry_t root) +vm_map_splay(vm_offset_t addr, vm_map_t map) { - vm_map_entry_t llist, rlist; + vm_map_entry_t llist, rlist, root; - root = vm_map_splay_split(addr, 0, root, &llist, &rlist); + llist = rlist = &map->header; + root = vm_map_splay_split(addr, 0, map->root, &llist, &rlist); if (root != NULL) { /* do nothing */ - } else if (llist != NULL) { + } else if (llist != &map->header) { /* * Recover the greatest node in the left * subtree and make it the root. @@ -1142,7 +1205,7 @@ root = llist; llist = root->right; root->right = NULL; - } else if (rlist != NULL) { + } else if (rlist != &map->header) { /* * Recover the least node in the right * subtree and make it the root. @@ -1154,8 +1217,10 @@ /* There is no root. */ return (NULL); } - return (vm_map_splay_merge(root, llist, rlist, - root->left, root->right)); + vm_map_splay_merge(root, &map->header, llist, rlist); + map->root = root; + VM_MAP_ASSERT_CONSISTENT(map); + return (root); } /* @@ -1174,14 +1239,15 @@ map->nentries, entry); VM_MAP_ASSERT_LOCKED(map); map->nentries++; - root = map->root; - root = vm_map_splay_split(entry->start, 0, root, &llist, &rlist); + llist = rlist = &map->header; + root = vm_map_splay_split(entry->start, 0, map->root, &llist, &rlist); KASSERT(root == NULL, ("vm_map_entry_link: link object already mapped")); - entry->prev = (llist == NULL) ? &map->header : llist; - entry->next = (rlist == NULL) ? &map->header : rlist; - entry->prev->next = entry->next->prev = entry; - root = vm_map_splay_merge(entry, llist, rlist, NULL, NULL); + entry->prev = llist; + entry->next = rlist; + llist->next = rlist->prev = entry; + entry->left = entry->right = NULL; + vm_map_splay_merge(entry, &map->header, llist, rlist); map->root = entry; VM_MAP_ASSERT_CONSISTENT(map); } @@ -1200,12 +1266,8 @@ vm_map_entry_t llist, rlist, root, y; VM_MAP_ASSERT_LOCKED(map); - llist = entry->prev; - rlist = entry->next; - llist->next = rlist; - rlist->prev = llist; - root = map->root; - root = vm_map_splay_split(entry->start, 0, root, &llist, &rlist); + llist = rlist = &map->header; + root = vm_map_splay_split(entry->start, 0, map->root, &llist, &rlist); KASSERT(root != NULL, ("vm_map_entry_unlink: unlink object not mapped")); @@ -1230,11 +1292,11 @@ case UNLINK_MERGE_NONE: vm_map_splay_findprev(root, &llist); vm_map_splay_findnext(root, &rlist); - if (llist != NULL) { + if (llist != &map->header) { root = llist; llist = root->right; root->right = NULL; - } else if (rlist != NULL) { + } else if (rlist != &map->header) { root = rlist; rlist = root->left; root->left = NULL; @@ -1242,9 +1304,11 @@ root = NULL; break; } + y = entry->next; + y->prev = entry->prev; + y->prev->next = y; if (root != NULL) - root = vm_map_splay_merge(root, llist, rlist, - root->left, root->right); + vm_map_splay_merge(root, &map->header, llist, rlist); map->root = root; VM_MAP_ASSERT_CONSISTENT(map); map->nentries--; @@ -1266,15 +1330,15 @@ vm_map_entry_t llist, rlist, root; VM_MAP_ASSERT_LOCKED(map); - root = map->root; - root = vm_map_splay_split(entry->start, 0, root, &llist, &rlist); + llist = rlist = &map->header; + root = vm_map_splay_split(entry->start, 0, map->root, &llist, &rlist); KASSERT(root != NULL, ("%s: resize object not mapped", __func__)); vm_map_splay_findnext(root, &rlist); root->right = NULL; entry->end += grow_amount; - map->root = vm_map_splay_merge(root, llist, rlist, - root->left, root->right); + vm_map_splay_merge(root, &map->header, llist, rlist); + map->root = root; VM_MAP_ASSERT_CONSISTENT(map); CTR4(KTR_VM, "%s: map %p, nentries %d, entry %p", __func__, map, map->nentries, entry); @@ -1320,8 +1384,7 @@ * change the map. Thus, the map's timestamp need not change * on a temporary upgrade. */ - map->root = cur = vm_map_entry_splay(address, cur); - VM_MAP_ASSERT_CONSISTENT(map); + cur = vm_map_splay(address, map); if (!locked) sx_downgrade(&map->lock); @@ -1608,11 +1671,11 @@ * After splay, if start comes before root node, then there * must be a gap from start to the root. */ - root = vm_map_splay_split(start, length, map->root, - &llist, &rlist); + llist = rlist = &map->header; + root = vm_map_splay_split(start, length, map->root, &llist, &rlist); if (root != NULL) start = root->end; - else if (rlist != NULL) { + else if (rlist != &map->header) { root = rlist; rlist = root->left; root->left = NULL; @@ -1621,8 +1684,8 @@ llist = root->right; root->right = NULL; } - map->root = vm_map_splay_merge(root, llist, rlist, - root->left, root->right); + vm_map_splay_merge(root, &map->header, llist, rlist); + map->root = root; VM_MAP_ASSERT_CONSISTENT(map); if (start + length <= root->start) return (start); @@ -1643,39 +1706,33 @@ /* * Splay for the least large-enough gap in the right subtree. */ - llist = NULL; - rlist = NULL; + llist = rlist = &map->header; for (left_length = 0; ; - left_length = root->left != NULL ? - root->left->max_free : root->start - llist->end) { + left_length = vm_map_entry_max_free_left(root, llist)) { if (length <= left_length) SPLAY_LEFT_STEP(root, y, rlist, - length <= (y->left != NULL ? - y->left->max_free : y->start - llist->end)); + length <= vm_map_entry_max_free_left(y, llist)); else SPLAY_RIGHT_STEP(root, y, llist, - length > (y->left != NULL ? - y->left->max_free : y->start - root->end)); + length > vm_map_entry_max_free_left(y, root)); if (root == NULL) break; } root = llist; llist = root->right; - if ((y = rlist) == NULL) + if (rlist == &map->header) root->right = NULL; else { + y = rlist; rlist = y->left; + vm_map_splay_merge(y, &map->header, &map->header, rlist); y->left = NULL; - root->right = y->right; - } - root = vm_map_splay_merge(root, llist, rlist, - root->left, root->right); - if (y != NULL) { - y->right = root->right; - vm_map_entry_set_max_free(y); + y->max_free = MAX( + vm_map_entry_max_free_left(y, root), + vm_map_entry_max_free_right(y, &map->header)); root->right = y; - vm_map_entry_set_max_free(root); } + vm_map_splay_merge(root, &map->header, llist, &map->header); map->root = root; VM_MAP_ASSERT_CONSISTENT(map); return (root->end); @@ -4502,6 +4559,8 @@ vm_size_t size; struct ucred *cred; + if (vaddr < vm_map_min(map) || vaddr >= vm_map_max(map)) + return (KERN_INVALID_ADDRESS); RetryLookup: vm_map_lock_read(map);