Background: When proc_rwmem() wired and mapped a page, it also added
a reference to the containing object. The purpose of the reference being to prevent the destruction of the object and an attempt to free the wired page. (Wired pages can't be freed.) Unfortunately, this approach does not work. Some operations, like fork(2) that call vm_object_split(), can move the wired page to a difference object, thereby making the reference pointless and opening the possibility of the wired page being freed. A solution is to use vm_page_hold() in place of vm_page_wire(). Held pages can be freed. They are moved to a special hold queue until the hold is released. Submitted by: tegge
This commit is contained in:
parent
03bab8d60f
commit
c6eb850aac
@ -227,16 +227,8 @@ proc_rwmem(struct proc *p, struct uio *uio)
|
||||
tmap = map;
|
||||
error = vm_map_lookup(&tmap, pageno, reqprot, &out_entry,
|
||||
&object, &pindex, &out_prot, &wired);
|
||||
|
||||
if (error) {
|
||||
error = EFAULT;
|
||||
|
||||
/*
|
||||
* Make sure that there is no residue in 'object' from
|
||||
* an error return on vm_map_lookup.
|
||||
*/
|
||||
object = NULL;
|
||||
|
||||
break;
|
||||
}
|
||||
VM_OBJECT_LOCK(object);
|
||||
@ -253,32 +245,21 @@ proc_rwmem(struct proc *p, struct uio *uio)
|
||||
}
|
||||
VM_OBJECT_UNLOCK(object);
|
||||
if (m == NULL) {
|
||||
error = EFAULT;
|
||||
|
||||
/*
|
||||
* Make sure that there is no residue in 'object' from
|
||||
* an error return on vm_map_lookup.
|
||||
*/
|
||||
object = NULL;
|
||||
|
||||
vm_map_lookup_done(tmap, out_entry);
|
||||
|
||||
error = EFAULT;
|
||||
break;
|
||||
}
|
||||
|
||||
/*
|
||||
* Wire the page into memory
|
||||
* Hold the page in memory.
|
||||
*/
|
||||
vm_page_lock_queues();
|
||||
vm_page_wire(m);
|
||||
vm_page_hold(m);
|
||||
vm_page_unlock_queues();
|
||||
|
||||
/*
|
||||
* We're done with tmap now.
|
||||
* But reference the object first, so that we won't loose
|
||||
* it.
|
||||
*/
|
||||
vm_object_reference(object);
|
||||
vm_map_lookup_done(tmap, out_entry);
|
||||
|
||||
pmap_qenter(kva, &m, 1);
|
||||
@ -291,20 +272,14 @@ proc_rwmem(struct proc *p, struct uio *uio)
|
||||
pmap_qremove(kva, 1);
|
||||
|
||||
/*
|
||||
* release the page and the object
|
||||
* Release the page.
|
||||
*/
|
||||
vm_page_lock_queues();
|
||||
vm_page_unwire(m, 1);
|
||||
vm_page_unhold(m);
|
||||
vm_page_unlock_queues();
|
||||
vm_object_deallocate(object);
|
||||
|
||||
object = NULL;
|
||||
|
||||
} while (error == 0 && uio->uio_resid > 0);
|
||||
|
||||
if (object)
|
||||
vm_object_deallocate(object);
|
||||
|
||||
kmem_free(kernel_map, kva, PAGE_SIZE);
|
||||
vmspace_free(vm);
|
||||
return (error);
|
||||
|
Loading…
Reference in New Issue
Block a user