Page MenuHomeFreeBSD
Differential D33416

vm_fault: Fix vm_fault_populate()'s handling of VM_FAULT_WIRE
ClosedPublic
Actions

Authored by markj on Dec 13 2021, 5:35 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Mar 24, 2:43 AM
Unknown Object (File)
Feb 13 2024, 2:19 AM
Unknown Object (File)
Feb 1 2024, 9:52 AM
Unknown Object (File)
Dec 20 2023, 7:35 AM
Unknown Object (File)
Dec 13 2023, 7:35 AM
Unknown Object (File)
Dec 12 2023, 5:44 PM
Unknown Object (File)
Nov 22 2023, 4:08 PM
Unknown Object (File)
Nov 15 2023, 10:46 AM
View All 35 Files
Subscribers
imp

Details

Reviewers
alc
kib
Commits
rG88642d978a99: vm_fault: Fix vm_fault_populate()'s handling of VM_FAULT_WIRE
Summary

vm_map_wire() works by calling vm_fault(VM_FAULT_WIRE) on each page in
the rage. (For largepage mappings, it calls vm_fault() once per large
page.)

A pager's populate method may return more than one page to be mapped.
If VM_FAULT_WIRE is also specified, we'd wire each page in the run, not
just the fault page. Consider an object with two pages mapped in a
vm_map_entry, and suppose vm_map_wire() is called on the entry. Then,
the first vm_fault() would allocate and wire both pages, and the second
would encounter a valid page upon lookup and wire it again in the
regular fault handler. So the second page is wired twice and will be
leaked when the object is destroyed.

Fix the problem by modify vm_fault_populate() to wire only the fault
page. Similarly, wire only the PTE for the mapping of the fault page.

This leak can be triggered by loading and unloading a kernel module,
since OBJT_PHYS objects now use the populate method, and since the
kernel linker explicitly wires KLD sections/segments.

PR: 260347

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 43339
Build 40227: arc lint + arc unit

Event Timeline

markj created this revision.Dec 13 2021, 5:35 PM
Herald added a subscriber: imp. · View Herald TranscriptDec 13 2021, 5:35 PM
markj requested review of this revision.Dec 13 2021, 5:35 PM
Harbormaster completed remote builds in B43312: Diff 99943.Dec 13 2021, 5:35 PM
kib accepted this revision.Dec 13 2021, 11:16 PM

s/rage/range/ in the first paragraph of the commit message

This revision is now accepted and ready to land.Dec 13 2021, 11:16 PM
alc added inline comments.Dec 14 2021, 8:46 AM
sys/vm/vm_fault.c
602–604

I'm confused. Lines 578 and 579 seem to be setting psind to 0 if fs->wired is true. So, I don't see how you can be executing this line with fs->wired being true.

markj marked an inline comment as done.Dec 14 2021, 2:34 PM
markj added inline comments.
sys/vm/vm_fault.c
602–604

Indeed, this was unnecessary. I was confused by the existing use of fs->wired in the pmap_enter() parameters.

markj updated this revision to Diff 99997.Dec 14 2021, 2:55 PM
markj marked an inline comment as done.

Do not attempt to pass PMAP_ENTER_WIRED if we failed to map
a superpage.

This revision now requires review to proceed.Dec 14 2021, 2:55 PM
Harbormaster completed remote builds in B43339: Diff 99997.Dec 14 2021, 2:55 PM
alc accepted this revision.Dec 14 2021, 6:21 PM
This revision is now accepted and ready to land.Dec 14 2021, 6:21 PM
Closed by commit rG88642d978a99: vm_fault: Fix vm_fault_populate()'s handling of VM_FAULT_WIRE (authored by markj). · Explain WhyDec 14 2021, 8:22 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG88642d978a99: vm_fault: Fix vm_fault_populate()'s handling of VM_FAULT_WIRE.

Revision Contents
Changeset List

PathSize
sys/
vm/
10 lines

Diff 99997

View Options

sys/vm/vm_fault.c

Loading...