Ensure that vm_object_deallocate() doesn't dereference a stale object
pointer: When vm_object_deallocate() sleeps because of a non-zero paging in progress count on either object or object's shadow, vm_object_deallocate() must ensure that object is still the shadow's backing object when it reawakens. In fact, object may have been deallocated while vm_object_deallocate() slept. If so, reacquiring the lock on object can lead to a deadlock. Submitted by: ups@ MFC after: 3 weeks
This commit is contained in:
parent
aab9226995
commit
2e9f4a698d
@ -529,8 +529,11 @@ vm_object_deallocate(vm_object_t object)
|
||||
VM_OBJECT_UNLOCK(object);
|
||||
vm_object_pip_wait(robject,
|
||||
"objde1");
|
||||
VM_OBJECT_LOCK(object);
|
||||
goto retry;
|
||||
temp = robject->backing_object;
|
||||
if (object == temp) {
|
||||
VM_OBJECT_LOCK(object);
|
||||
goto retry;
|
||||
}
|
||||
} else if (object->paging_in_progress) {
|
||||
VM_OBJECT_UNLOCK(robject);
|
||||
object->flags |= OBJ_PIPWNT;
|
||||
@ -538,10 +541,14 @@ vm_object_deallocate(vm_object_t object)
|
||||
VM_OBJECT_MTX(object),
|
||||
PDROP | PVM, "objde2", 0);
|
||||
VM_OBJECT_LOCK(robject);
|
||||
VM_OBJECT_LOCK(object);
|
||||
goto retry;
|
||||
}
|
||||
VM_OBJECT_UNLOCK(object);
|
||||
temp = robject->backing_object;
|
||||
if (object == temp) {
|
||||
VM_OBJECT_LOCK(object);
|
||||
goto retry;
|
||||
}
|
||||
} else
|
||||
VM_OBJECT_UNLOCK(object);
|
||||
|
||||
if (robject->ref_count == 1) {
|
||||
robject->ref_count--;
|
||||
object = robject;
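Review bot: The fall-through after the new `if (object == temp)` check, in both hunks, continues to the `robject->ref_count == 1` test with `object` unlocked and possibly already freed, and nothing in the code records that `object` must not be touched again on that path; a comment at each new check would make the invariant explicit, e.g. `/* object may have been freed while we slept; only relock it if it is still robject's backing object, otherwise continue with robject and never touch object again. */`. The check itself is sound since `temp` is only compared, never dereferenced, but a later edit that adds a use of `object` after the check would reintroduce the stale-pointer access this commit removes. The same two-line check is duplicated in both wait paths, which the comment should acknowledge so both stay in step. vm_object_deallocate() and the `retry` label the new code jumps to lie outside both hunks.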
|
||||
|