Correct a very old error in both vm_object_madvise() (originating in

vm/vm_object.c revision 1.88) and vm_object_sync() (originating in vm/vm_map.c revision 1.36): When descending a chain of backing objects, both use the wrong object's backing offset. Consequently, both may operate on the wrong pages. Quoting Matt, "This could be responsible for all of the sporatic madvise oddness that has been reported over the years." Reviewed by: Matt Dillon
2004-07-28 18:23:08 +00:00 · 2004-07-28 18:23:08 +00:00 · 56e0670fdc
commit 56e0670fdc
parent 77ef8a97cd
1 changed files with 2 additions and 2 deletions
--- a/sys/vm/vm_object.c
+++ b/sys/vm/vm_object.c
@ -985,9 +985,9 @@ vm_object_sync(vm_object_t object, vm_ooffset_t offset, vm_size_t size,
 	VM_OBJECT_LOCK(object);
 	while ((backing_object = object->backing_object) != NULL) {
 		VM_OBJECT_LOCK(backing_object);
+		offset += object->backing_object_offset;
 		VM_OBJECT_UNLOCK(object);
 		object = backing_object;
-		offset += object->backing_object_offset;
 		if (object->size < OFF_TO_IDX(offset + size))
 			size = IDX_TO_OFF(object->size) - offset;
 	}
@ -1096,9 +1096,9 @@ vm_object_madvise(vm_object_t object, vm_pindex_t pindex, int count, int advise)
 			if (backing_object == NULL)
 				goto unlock_tobject;
 			VM_OBJECT_LOCK(backing_object);
+			tpindex += OFF_TO_IDX(tobject->backing_object_offset);
 			VM_OBJECT_UNLOCK(tobject);
 			tobject = backing_object;
-			tpindex += OFF_TO_IDX(tobject->backing_object_offset);
 			goto shadowlookup;
 		}
 		/*