Prevent parallel object collapses. Both vm_object_collapse_scan() and

swap_pager_copy() might unlock the object, which allows the parallel collapse to execute. Besides destroying the object, it also might move the reference from parent to the backing object, firing the assertion ref_count == 1. Collapses are prevented by bumping paging_in_progress counters on both the object and its backing object. Reported by: cem Tested by: pho (previous version) Reviewed by: alc Sponsored by: The FreeBSD Foundation MFC after: 1 week X-Differential revision: https://reviews.freebsd.org/D6085
2016-05-26 16:59:29 +00:00 · 2016-05-26 16:59:29 +00:00 · aa9bc3b171
commit aa9bc3b171
parent 4cbedf8a36
1 changed files with 5 additions and 0 deletions
--- a/sys/vm/vm_object.c
+++ b/sys/vm/vm_object.c
@ -1717,6 +1717,9 @@ vm_object_collapse(vm_object_t object)
 		 * case.
 		 */
 		if (backing_object->ref_count == 1) {
+			vm_object_pip_add(object, 1);
+			vm_object_pip_add(backing_object, 1);
+
 			/*
 			 * If there is exactly one reference to the backing
 			 * object, we can collapse it into the parent.
@ -1788,11 +1791,13 @@ vm_object_collapse(vm_object_t object)
 			KASSERT(backing_object->ref_count == 1, (
 "backing_object %p was somehow re-referenced during collapse!",
 			    backing_object));
+			vm_object_pip_wakeup(backing_object);
 			backing_object->type = OBJT_DEAD;
 			backing_object->ref_count = 0;
 			VM_OBJECT_WUNLOCK(backing_object);
 			vm_object_destroy(backing_object);

+			vm_object_pip_wakeup(object);
 			object_collapses++;
 		} else {
 			/*