Ensure that vm_object_deallocate() doesn't dereference a stale object

pointer: When vm_object_deallocate() sleeps because of a non-zero
paging in progress count on either object or object's shadow,
vm_object_deallocate() must ensure that object is still the shadow's
backing object when it reawakens.  In fact, object may have been
deallocated while vm_object_deallocate() slept.  If so, reacquiring
the lock on object can lead to a deadlock.

Submitted by: ups@
MFC after: 3 weeks
Alan Cox 2006-07-17 06:45:03 +00:00
parent aab9226995
commit 2e9f4a698d


@ -529,8 +529,11 @@ vm_object_deallocate(vm_object_t object)
VM_OBJECT_UNLOCK(object);
vm_object_pip_wait(robject,
"objde1");
VM_OBJECT_LOCK(object);
goto retry;
temp = robject->backing_object;
if (object == temp) {
VM_OBJECT_LOCK(object);
goto retry;
}
} else if (object->paging_in_progress) {
VM_OBJECT_UNLOCK(robject);
object->flags |= OBJ_PIPWNT;
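Review bot: The new fall-through when `object != temp` is the subtle case and is left uncommented: by the commit's own description `object` may already have been freed while vm_object_pip_wait() slept, so nothing on that path may touch it again, and the code only stays safe because `object` was unlocked before the sleep and everything that follows operates on `robject`. I would put a comment above the comparison, `/* object may have been freed while we slept; only touch it if it is still robject's backing object. */`, so the next maintainer does not reintroduce a `VM_OBJECT_LOCK(object)` there. The same remark applies to the matching check after the "objde2" msleep in the second hunk. The enclosing vm_object_deallocate() and its retry label are outside the hunk, so whether `temp` is an existing function-scope local cannot be confirmed from here.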
@ -538,10 +541,14 @@ vm_object_deallocate(vm_object_t object)
VM_OBJECT_MTX(object),
PDROP | PVM, "objde2", 0);
VM_OBJECT_LOCK(robject);
VM_OBJECT_LOCK(object);
goto retry;
}
VM_OBJECT_UNLOCK(object);
temp = robject->backing_object;
if (object == temp) {
VM_OBJECT_LOCK(object);
goto retry;
}
} else
VM_OBJECT_UNLOCK(object);
if (robject->ref_count == 1) {
robject->ref_count--;
object = robject;
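Review bot: The new `} else` with the bare `VM_OBJECT_UNLOCK(object);` body sits at the end of an if/else-if chain whose other branches are braced, and since this branch now carries the only unlock of `object` for the non-sleeping path, I would brace it too: `} else {` / `VM_OBJECT_UNLOCK(object);` / `}`. It also makes it visually obvious that the two sleeping branches above fall through to the `robject->ref_count` test with `object` deliberately left unlocked and possibly gone, which is the whole point of the change. vm_object_deallocate() continues beyond both ends of this hunk.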