mirror of
https://git.FreeBSD.org/src.git
synced 2025-01-10 14:02:43 +00:00
b5e8f167b9
vm_object_terminate() on a device-backed object at the same time that another processor, call it Pa, is performing dev_pager_alloc() on the same device. The problem is that vm_pager_object_lookup() should not be allowed to return a doomed object, i.e., an object with OBJ_DEAD set, but it does. In detail, the unfortunate sequence of events is: Pt in vm_object_terminate() holds the doomed object's lock and sets OBJ_DEAD on the object. Pa in dev_pager_alloc() holds dev_pager_sx and calls vm_pager_object_lookup(), which returns the doomed object. Next, Pa calls vm_object_reference(), which requires the doomed object's lock, so Pa waits for Pt to release the doomed object's lock. Pt proceeds to the point in vm_object_terminate() where it releases the doomed object's lock. Pa is now able to complete vm_object_reference() because it can now complete the acquisition of the doomed object's lock. So, now the doomed object has a reference count of one! Pa releases dev_pager_sx and returns the doomed object from dev_pager_alloc(). Pt now acquires dev_pager_mtx, removes the doomed object from dev_pager_object_list, releases dev_pager_mtx, and finally calls uma_zfree with the doomed object. However, the doomed object is still in use by Pa. Repeating my key point, vm_pager_object_lookup() must not return a doomed object. Moreover, the test for the object's state, i.e., doomed or not, and the increment of the object's reference count should be carried out atomically. Reviewed by: kib Approved by: re (kensmith) MFC after: 3 weeks
512 lines
12 KiB
C
512 lines
12 KiB
C
/*-
|
|
* Copyright (c) 1991, 1993
|
|
* The Regents of the University of California. All rights reserved.
|
|
*
|
|
* This code is derived from software contributed to Berkeley by
|
|
* The Mach Operating System project at Carnegie-Mellon University.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* from: @(#)vm_pager.c 8.6 (Berkeley) 1/12/94
|
|
*
|
|
*
|
|
* Copyright (c) 1987, 1990 Carnegie-Mellon University.
|
|
* All rights reserved.
|
|
*
|
|
* Authors: Avadis Tevanian, Jr., Michael Wayne Young
|
|
*
|
|
* Permission to use, copy, modify and distribute this software and
|
|
* its documentation is hereby granted, provided that both the copyright
|
|
* notice and this permission notice appear in all copies of the
|
|
* software, derivative works or modified versions, and any portions
|
|
* thereof, and that both notices appear in supporting documentation.
|
|
*
|
|
* CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
|
|
* CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND
|
|
* FOR ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
|
|
*
|
|
* Carnegie Mellon requests users of this software to return to
|
|
*
|
|
* Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU
|
|
* School of Computer Science
|
|
* Carnegie Mellon University
|
|
* Pittsburgh PA 15213-3890
|
|
*
|
|
* any improvements or extensions that they make and grant Carnegie the
|
|
* rights to redistribute these changes.
|
|
*/
|
|
|
|
/*
|
|
* Paging space routine stubs. Emulates a matchmaker-like interface
|
|
* for builtin pagers.
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/vnode.h>
|
|
#include <sys/bio.h>
|
|
#include <sys/buf.h>
|
|
#include <sys/ucred.h>
|
|
#include <sys/malloc.h>
|
|
|
|
#include <vm/vm.h>
|
|
#include <vm/vm_param.h>
|
|
#include <vm/vm_object.h>
|
|
#include <vm/vm_page.h>
|
|
#include <vm/vm_pager.h>
|
|
#include <vm/vm_extern.h>
|
|
|
|
MALLOC_DEFINE(M_VMPGDATA, "vm_pgdata", "XXX: VM pager private data");
|
|
|
|
int cluster_pbuf_freecnt = -1; /* unlimited to begin with */
|
|
|
|
static int dead_pager_getpages(vm_object_t, vm_page_t *, int, int);
|
|
static vm_object_t dead_pager_alloc(void *, vm_ooffset_t, vm_prot_t,
|
|
vm_ooffset_t);
|
|
static void dead_pager_putpages(vm_object_t, vm_page_t *, int, int, int *);
|
|
static boolean_t dead_pager_haspage(vm_object_t, vm_pindex_t, int *, int *);
|
|
static void dead_pager_dealloc(vm_object_t);
|
|
|
|
static int
|
|
dead_pager_getpages(obj, ma, count, req)
|
|
vm_object_t obj;
|
|
vm_page_t *ma;
|
|
int count;
|
|
int req;
|
|
{
|
|
return VM_PAGER_FAIL;
|
|
}
|
|
|
|
static vm_object_t
|
|
dead_pager_alloc(handle, size, prot, off)
|
|
void *handle;
|
|
vm_ooffset_t size;
|
|
vm_prot_t prot;
|
|
vm_ooffset_t off;
|
|
{
|
|
return NULL;
|
|
}
|
|
|
|
static void
|
|
dead_pager_putpages(object, m, count, flags, rtvals)
|
|
vm_object_t object;
|
|
vm_page_t *m;
|
|
int count;
|
|
int flags;
|
|
int *rtvals;
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < count; i++) {
|
|
rtvals[i] = VM_PAGER_AGAIN;
|
|
}
|
|
}
|
|
|
|
static int
|
|
dead_pager_haspage(object, pindex, prev, next)
|
|
vm_object_t object;
|
|
vm_pindex_t pindex;
|
|
int *prev;
|
|
int *next;
|
|
{
|
|
if (prev)
|
|
*prev = 0;
|
|
if (next)
|
|
*next = 0;
|
|
return FALSE;
|
|
}
|
|
|
|
static void
|
|
dead_pager_dealloc(object)
|
|
vm_object_t object;
|
|
{
|
|
return;
|
|
}
|
|
|
|
static struct pagerops deadpagerops = {
|
|
.pgo_alloc = dead_pager_alloc,
|
|
.pgo_dealloc = dead_pager_dealloc,
|
|
.pgo_getpages = dead_pager_getpages,
|
|
.pgo_putpages = dead_pager_putpages,
|
|
.pgo_haspage = dead_pager_haspage,
|
|
};
|
|
|
|
struct pagerops *pagertab[] = {
|
|
&defaultpagerops, /* OBJT_DEFAULT */
|
|
&swappagerops, /* OBJT_SWAP */
|
|
&vnodepagerops, /* OBJT_VNODE */
|
|
&devicepagerops, /* OBJT_DEVICE */
|
|
&physpagerops, /* OBJT_PHYS */
|
|
&deadpagerops /* OBJT_DEAD */
|
|
};
|
|
|
|
static const int npagers = sizeof(pagertab) / sizeof(pagertab[0]);
|
|
|
|
/*
|
|
* Kernel address space for mapping pages.
|
|
* Used by pagers where KVAs are needed for IO.
|
|
*
|
|
* XXX needs to be large enough to support the number of pending async
|
|
* cleaning requests (NPENDINGIO == 64) * the maximum swap cluster size
|
|
* (MAXPHYS == 64k) if you want to get the most efficiency.
|
|
*/
|
|
vm_map_t pager_map;
|
|
static int bswneeded;
|
|
static vm_offset_t swapbkva; /* swap buffers kva */
|
|
struct mtx pbuf_mtx;
|
|
static TAILQ_HEAD(swqueue, buf) bswlist;
|
|
|
|
void
|
|
vm_pager_init()
|
|
{
|
|
struct pagerops **pgops;
|
|
|
|
TAILQ_INIT(&bswlist);
|
|
/*
|
|
* Initialize known pagers
|
|
*/
|
|
for (pgops = pagertab; pgops < &pagertab[npagers]; pgops++)
|
|
if (pgops && ((*pgops)->pgo_init != NULL))
|
|
(*(*pgops)->pgo_init) ();
|
|
}
|
|
|
|
void
|
|
vm_pager_bufferinit()
|
|
{
|
|
struct buf *bp;
|
|
int i;
|
|
|
|
mtx_init(&pbuf_mtx, "pbuf mutex", NULL, MTX_DEF);
|
|
bp = swbuf;
|
|
/*
|
|
* Now set up swap and physical I/O buffer headers.
|
|
*/
|
|
for (i = 0; i < nswbuf; i++, bp++) {
|
|
TAILQ_INSERT_HEAD(&bswlist, bp, b_freelist);
|
|
BUF_LOCKINIT(bp);
|
|
LIST_INIT(&bp->b_dep);
|
|
bp->b_rcred = bp->b_wcred = NOCRED;
|
|
bp->b_xflags = 0;
|
|
}
|
|
|
|
cluster_pbuf_freecnt = nswbuf / 2;
|
|
vnode_pbuf_freecnt = nswbuf / 2 + 1;
|
|
|
|
swapbkva = kmem_alloc_nofault(pager_map, nswbuf * MAXPHYS);
|
|
if (!swapbkva)
|
|
panic("Not enough pager_map VM space for physical buffers");
|
|
}
|
|
|
|
/*
|
|
* Allocate an instance of a pager of the given type.
|
|
* Size, protection and offset parameters are passed in for pagers that
|
|
* need to perform page-level validation (e.g. the device pager).
|
|
*/
|
|
vm_object_t
|
|
vm_pager_allocate(objtype_t type, void *handle, vm_ooffset_t size,
|
|
vm_prot_t prot, vm_ooffset_t off)
|
|
{
|
|
vm_object_t ret;
|
|
struct pagerops *ops;
|
|
|
|
ops = pagertab[type];
|
|
if (ops)
|
|
ret = (*ops->pgo_alloc) (handle, size, prot, off);
|
|
else
|
|
ret = NULL;
|
|
return (ret);
|
|
}
|
|
|
|
/*
|
|
* The object must be locked.
|
|
*/
|
|
void
|
|
vm_pager_deallocate(object)
|
|
vm_object_t object;
|
|
{
|
|
|
|
VM_OBJECT_LOCK_ASSERT(object, MA_OWNED);
|
|
(*pagertab[object->type]->pgo_dealloc) (object);
|
|
}
|
|
|
|
/*
|
|
* vm_pager_get_pages() - inline, see vm/vm_pager.h
|
|
* vm_pager_put_pages() - inline, see vm/vm_pager.h
|
|
* vm_pager_has_page() - inline, see vm/vm_pager.h
|
|
*/
|
|
|
|
/*
|
|
* Search the specified pager object list for an object with the
|
|
* specified handle. If an object with the specified handle is found,
|
|
* increase its reference count and return it. Otherwise, return NULL.
|
|
*
|
|
* The pager object list must be locked.
|
|
*/
|
|
vm_object_t
|
|
vm_pager_object_lookup(struct pagerlst *pg_list, void *handle)
|
|
{
|
|
vm_object_t object;
|
|
|
|
TAILQ_FOREACH(object, pg_list, pager_object_list) {
|
|
VM_OBJECT_LOCK(object);
|
|
if (object->handle == handle &&
|
|
(object->flags & OBJ_DEAD) == 0) {
|
|
vm_object_reference_locked(object);
|
|
VM_OBJECT_UNLOCK(object);
|
|
break;
|
|
}
|
|
VM_OBJECT_UNLOCK(object);
|
|
}
|
|
return (object);
|
|
}
|
|
|
|
/*
|
|
* initialize a physical buffer
|
|
*/
|
|
|
|
/*
|
|
* XXX This probably belongs in vfs_bio.c
|
|
*/
|
|
static void
|
|
initpbuf(struct buf *bp)
|
|
{
|
|
KASSERT(bp->b_bufobj == NULL, ("initpbuf with bufobj"));
|
|
KASSERT(bp->b_vp == NULL, ("initpbuf with vp"));
|
|
bp->b_rcred = NOCRED;
|
|
bp->b_wcred = NOCRED;
|
|
bp->b_qindex = 0; /* On no queue (QUEUE_NONE) */
|
|
bp->b_saveaddr = (caddr_t) (MAXPHYS * (bp - swbuf)) + swapbkva;
|
|
bp->b_data = bp->b_saveaddr;
|
|
bp->b_kvabase = bp->b_saveaddr;
|
|
bp->b_kvasize = MAXPHYS;
|
|
bp->b_xflags = 0;
|
|
bp->b_flags = 0;
|
|
bp->b_ioflags = 0;
|
|
bp->b_iodone = NULL;
|
|
bp->b_error = 0;
|
|
BUF_LOCK(bp, LK_EXCLUSIVE, NULL);
|
|
}
|
|
|
|
/*
|
|
* allocate a physical buffer
|
|
*
|
|
* There are a limited number (nswbuf) of physical buffers. We need
|
|
* to make sure that no single subsystem is able to hog all of them,
|
|
* so each subsystem implements a counter which is typically initialized
|
|
* to 1/2 nswbuf. getpbuf() decrements this counter in allocation and
|
|
* increments it on release, and blocks if the counter hits zero. A
|
|
* subsystem may initialize the counter to -1 to disable the feature,
|
|
* but it must still be sure to match up all uses of getpbuf() with
|
|
* relpbuf() using the same variable.
|
|
*
|
|
* NOTE: pfreecnt can be NULL, but this 'feature' will be removed
|
|
* relatively soon when the rest of the subsystems get smart about it. XXX
|
|
*/
|
|
struct buf *
|
|
getpbuf(int *pfreecnt)
|
|
{
|
|
struct buf *bp;
|
|
|
|
mtx_lock(&pbuf_mtx);
|
|
|
|
for (;;) {
|
|
if (pfreecnt) {
|
|
while (*pfreecnt == 0) {
|
|
msleep(pfreecnt, &pbuf_mtx, PVM, "wswbuf0", 0);
|
|
}
|
|
}
|
|
|
|
/* get a bp from the swap buffer header pool */
|
|
if ((bp = TAILQ_FIRST(&bswlist)) != NULL)
|
|
break;
|
|
|
|
bswneeded = 1;
|
|
msleep(&bswneeded, &pbuf_mtx, PVM, "wswbuf1", 0);
|
|
/* loop in case someone else grabbed one */
|
|
}
|
|
TAILQ_REMOVE(&bswlist, bp, b_freelist);
|
|
if (pfreecnt)
|
|
--*pfreecnt;
|
|
mtx_unlock(&pbuf_mtx);
|
|
|
|
initpbuf(bp);
|
|
return bp;
|
|
}
|
|
|
|
/*
|
|
* allocate a physical buffer, if one is available.
|
|
*
|
|
* Note that there is no NULL hack here - all subsystems using this
|
|
* call understand how to use pfreecnt.
|
|
*/
|
|
struct buf *
|
|
trypbuf(int *pfreecnt)
|
|
{
|
|
struct buf *bp;
|
|
|
|
mtx_lock(&pbuf_mtx);
|
|
if (*pfreecnt == 0 || (bp = TAILQ_FIRST(&bswlist)) == NULL) {
|
|
mtx_unlock(&pbuf_mtx);
|
|
return NULL;
|
|
}
|
|
TAILQ_REMOVE(&bswlist, bp, b_freelist);
|
|
|
|
--*pfreecnt;
|
|
|
|
mtx_unlock(&pbuf_mtx);
|
|
|
|
initpbuf(bp);
|
|
|
|
return bp;
|
|
}
|
|
|
|
/*
|
|
* release a physical buffer
|
|
*
|
|
* NOTE: pfreecnt can be NULL, but this 'feature' will be removed
|
|
* relatively soon when the rest of the subsystems get smart about it. XXX
|
|
*/
|
|
void
|
|
relpbuf(struct buf *bp, int *pfreecnt)
|
|
{
|
|
|
|
if (bp->b_rcred != NOCRED) {
|
|
crfree(bp->b_rcred);
|
|
bp->b_rcred = NOCRED;
|
|
}
|
|
if (bp->b_wcred != NOCRED) {
|
|
crfree(bp->b_wcred);
|
|
bp->b_wcred = NOCRED;
|
|
}
|
|
|
|
KASSERT(bp->b_vp == NULL, ("relpbuf with vp"));
|
|
KASSERT(bp->b_bufobj == NULL, ("relpbuf with bufobj"));
|
|
|
|
BUF_UNLOCK(bp);
|
|
|
|
mtx_lock(&pbuf_mtx);
|
|
TAILQ_INSERT_HEAD(&bswlist, bp, b_freelist);
|
|
|
|
if (bswneeded) {
|
|
bswneeded = 0;
|
|
wakeup(&bswneeded);
|
|
}
|
|
if (pfreecnt) {
|
|
if (++*pfreecnt == 1)
|
|
wakeup(pfreecnt);
|
|
}
|
|
mtx_unlock(&pbuf_mtx);
|
|
}
|
|
|
|
/*
|
|
* Associate a p-buffer with a vnode.
|
|
*
|
|
* Also sets B_PAGING flag to indicate that vnode is not fully associated
|
|
* with the buffer. i.e. the bp has not been linked into the vnode or
|
|
* ref-counted.
|
|
*/
|
|
void
|
|
pbgetvp(struct vnode *vp, struct buf *bp)
|
|
{
|
|
|
|
KASSERT(bp->b_vp == NULL, ("pbgetvp: not free"));
|
|
KASSERT(bp->b_bufobj == NULL, ("pbgetvp: not free (bufobj)"));
|
|
|
|
bp->b_vp = vp;
|
|
bp->b_flags |= B_PAGING;
|
|
bp->b_bufobj = &vp->v_bufobj;
|
|
}
|
|
|
|
/*
|
|
* Associate a p-buffer with a vnode.
|
|
*
|
|
* Also sets B_PAGING flag to indicate that vnode is not fully associated
|
|
* with the buffer. i.e. the bp has not been linked into the vnode or
|
|
* ref-counted.
|
|
*/
|
|
void
|
|
pbgetbo(struct bufobj *bo, struct buf *bp)
|
|
{
|
|
|
|
KASSERT(bp->b_vp == NULL, ("pbgetbo: not free (vnode)"));
|
|
KASSERT(bp->b_bufobj == NULL, ("pbgetbo: not free (bufobj)"));
|
|
|
|
bp->b_flags |= B_PAGING;
|
|
bp->b_bufobj = bo;
|
|
}
|
|
|
|
/*
|
|
* Disassociate a p-buffer from a vnode.
|
|
*/
|
|
void
|
|
pbrelvp(struct buf *bp)
|
|
{
|
|
|
|
KASSERT(bp->b_vp != NULL, ("pbrelvp: NULL"));
|
|
KASSERT(bp->b_bufobj != NULL, ("pbrelvp: NULL bufobj"));
|
|
|
|
/* XXX REMOVE ME */
|
|
BO_LOCK(bp->b_bufobj);
|
|
if (TAILQ_NEXT(bp, b_bobufs) != NULL) {
|
|
panic(
|
|
"relpbuf(): b_vp was probably reassignbuf()d %p %x",
|
|
bp,
|
|
(int)bp->b_flags
|
|
);
|
|
}
|
|
BO_UNLOCK(bp->b_bufobj);
|
|
bp->b_vp = NULL;
|
|
bp->b_bufobj = NULL;
|
|
bp->b_flags &= ~B_PAGING;
|
|
}
|
|
|
|
/*
|
|
* Disassociate a p-buffer from a bufobj.
|
|
*/
|
|
void
|
|
pbrelbo(struct buf *bp)
|
|
{
|
|
|
|
KASSERT(bp->b_vp == NULL, ("pbrelbo: vnode"));
|
|
KASSERT(bp->b_bufobj != NULL, ("pbrelbo: NULL bufobj"));
|
|
|
|
/* XXX REMOVE ME */
|
|
BO_LOCK(bp->b_bufobj);
|
|
if (TAILQ_NEXT(bp, b_bobufs) != NULL) {
|
|
panic(
|
|
"relpbuf(): b_vp was probably reassignbuf()d %p %x",
|
|
bp,
|
|
(int)bp->b_flags
|
|
);
|
|
}
|
|
BO_UNLOCK(bp->b_bufobj);
|
|
bp->b_bufobj = NULL;
|
|
bp->b_flags &= ~B_PAGING;
|
|
}
|