
vm_fault: Fix vm_fault_populate()'s handling of VM_FAULT_WIRE
Closed, Public

Authored by markj on Dec 13 2021, 5:35 PM.

Details

Summary

vm_map_wire() works by calling vm_fault(VM_FAULT_WIRE) on each page in
the rage. (For largepage mappings, it calls vm_fault() once per large
page.)

A pager's populate method may return more than one page to be mapped.
If VM_FAULT_WIRE is also specified, we'd wire each page in the run, not
just the fault page. Consider an object with two pages mapped in a
vm_map_entry, and suppose vm_map_wire() is called on the entry. Then,
the first vm_fault() would allocate and wire both pages, and the second
would encounter a valid page upon lookup and wire it again in the
regular fault handler. So the second page is wired twice and will be
leaked when the object is destroyed.

Fix the problem by modifying vm_fault_populate() to wire only the fault
page. Similarly, wire only the PTE for the mapping of the fault page.

This leak can be triggered by loading and unloading a kernel module,
since OBJT_PHYS objects now use the populate method, and since the
kernel linker explicitly wires KLD sections/segments.

PR: 260347
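
The wire-count accounting described in the summary, as a toy C model added here (not FreeBSD code and not part of this commit). `struct page`, `fault_wire()` and `wire_then_unwire()` are hypothetical names, and the model assumes that unwiring drops exactly one wiring per page.

```c
/* Toy model (not FreeBSD code): wire counts for a two-page object. */
#include <stdbool.h>
#include <stdio.h>

#define NPAGES 2

struct page { bool valid; int wire_count; };

/*
 * Model of one vm_fault(VM_FAULT_WIRE) on page idx.
 * If the page is not yet valid, the pager's populate method returns the
 * whole run [0, NPAGES). wire_whole_run selects the pre-fix behaviour
 * (wire every page in the run) instead of wiring only the fault page.
 */
static void fault_wire(struct page *pg, int idx, bool wire_whole_run)
{
    if (pg[idx].valid) {
        /* Regular fault handler: page found on lookup, wire it. */
        pg[idx].wire_count++;
        return;
    }
    for (int i = 0; i < NPAGES; i++) {
        pg[i].valid = true;
        if (wire_whole_run || i == idx)
            pg[i].wire_count++;
    }
}

/*
 * Model of vm_map_wire() over the entry followed by an unwire.
 * Returns the number of wirings still held afterwards (the leak).
 * Assumption: unwiring drops one wiring per page.
 */
static int wire_then_unwire(bool wire_whole_run)
{
    struct page pg[NPAGES] = {{false, 0}};
    int leaked = 0;

    for (int i = 0; i < NPAGES; i++)
        fault_wire(pg, i, wire_whole_run);   /* one fault per page */
    for (int i = 0; i < NPAGES; i++) {
        pg[i].wire_count--;
        leaked += pg[i].wire_count;
    }
    return leaked;
}

int main(void)
{
    printf("pre-fix leaked wirings:  %d\n", wire_then_unwire(true));
    printf("post-fix leaked wirings: %d\n", wire_then_unwire(false));
    return 0;
}
```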

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

markj requested review of this revision. Dec 13 2021, 5:35 PM

s/rage/range/ in the first paragraph of the commit message

This revision is now accepted and ready to land. Dec 13 2021, 11:16 PM
sys/vm/vm_fault.c
601–603

I'm confused. Lines 578 and 579 seem to be setting psind to 0 if fs->wired is true. So, I don't see how you can be executing this line with fs->wired being true.

markj added inline comments.
sys/vm/vm_fault.c
601–603

Indeed, this was unnecessary. I was confused by the existing use of fs->wired in the pmap_enter() parameters.

markj marked an inline comment as done.

Do not attempt to pass PMAP_ENTER_WIRED if we failed to map
a superpage.

This revision now requires review to proceed. Dec 14 2021, 2:55 PM
This revision is now accepted and ready to land. Dec 14 2021, 6:21 PM