Module Name: src Committed By: chs Date: Sun Apr 8 20:47:11 UTC 2012
Modified Files: src/sys/uvm: uvm_amap.c Log Message: initialize amap per-page reference counts before changing the amap's overall reference count. this fixes the crashes seen for the last 9 months with web browers and plugins, which was also the cause of PR 46193. To generate a diff of this commit: cvs rdiff -u -r1.106 -r1.107 src/sys/uvm/uvm_amap.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/uvm/uvm_amap.c diff -u src/sys/uvm/uvm_amap.c:1.106 src/sys/uvm/uvm_amap.c:1.107 --- src/sys/uvm/uvm_amap.c:1.106 Fri Mar 30 02:25:24 2012 +++ src/sys/uvm/uvm_amap.c Sun Apr 8 20:47:10 2012 @@ -1,4 +1,4 @@ -/* $NetBSD: uvm_amap.c,v 1.106 2012/03/30 02:25:24 chs Exp $ */ +/* $NetBSD: uvm_amap.c,v 1.107 2012/04/08 20:47:10 chs Exp $ */ /* * Copyright (c) 1997 Charles D. Cranor and Washington University. @@ -35,7 +35,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: uvm_amap.c,v 1.106 2012/03/30 02:25:24 chs Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uvm_amap.c,v 1.107 2012/04/08 20:47:10 chs Exp $"); #include "opt_uvmhist.h" @@ -888,6 +888,7 @@ amap_copy(struct vm_map *map, struct vm_ continue; KASSERT(amap->am_anon[lcv]->an_lock == srcamap->am_lock); KASSERT(amap->am_anon[lcv]->an_ref > 0); + KASSERT(amap->am_nused < amap->am_maxslot); amap->am_anon[lcv]->an_ref++; amap->am_bckptr[lcv] = amap->am_nused; amap->am_slots[amap->am_nused] = lcv; @@ -1193,6 +1194,7 @@ amap_pp_adjref(struct vm_amap *amap, int } ref += adjval; KASSERT(ref >= 0); + KASSERT(ref <= amap->am_ref); if (lcv == prevlcv + prevlen && ref == prevref) { pp_setreflen(ppref, prevlcv, ref, prevlen + len); } else { @@ -1490,6 +1492,7 @@ amap_add(struct vm_aref *aref, vaddr_t o } } else { KASSERT(amap->am_anon[slot] == NULL); + KASSERT(amap->am_nused < amap->am_maxslot); amap->am_bckptr[slot] = amap->am_nused; amap->am_slots[amap->am_nused] = slot; amap->am_nused++; @@ -1534,7 +1537,7 @@ amap_unadd(struct vm_aref *aref, vaddr_t } /* - * amap_adjref_anons: adjust the reference count(s) on anons of the amap. + * amap_adjref_anons: adjust the reference count(s) on amap and its anons. */ static void amap_adjref_anons(struct vm_amap *amap, vaddr_t offset, vsize_t len, @@ -1545,9 +1548,19 @@ amap_adjref_anons(struct vm_amap *amap, #ifdef UVM_AMAP_PPREF KASSERT(mutex_owned(amap->am_lock)); + /* + * We must establish the ppref array before changing am_ref + * so that the ppref values match the current amap refcount. + */ + if (amap->am_ppref == NULL && !all && len != amap->am_nslot) { amap_pp_establish(amap, offset); } +#endif + + amap->am_ref += refv; + +#ifdef UVM_AMAP_PPREF if (amap->am_ppref && amap->am_ppref != PPREF_NONE) { if (all) { amap_pp_adjref(amap, 0, amap->am_nslot, refv, &tofree); @@ -1575,7 +1588,6 @@ amap_ref(struct vm_amap *amap, vaddr_t o if (flags & AMAP_SHARED) { amap->am_flags |= AMAP_SHARED; } - amap->am_ref++; amap_adjref_anons(amap, offset, len, 1, (flags & AMAP_REFALL) != 0); UVMHIST_LOG(maphist,"<- done! amap=0x%x", amap, 0, 0, 0); @@ -1599,10 +1611,12 @@ amap_unref(struct vm_amap *amap, vaddr_t amap, amap->am_ref, amap->am_nused, 0); KASSERT(amap->am_ref > 0); - if (--amap->am_ref == 0) { + if (amap->am_ref == 1) { + /* * If the last reference - wipeout and destroy the amap. */ + amap->am_ref--; amap_wipeout(amap); UVMHIST_LOG(maphist,"<- done (was last ref)!", 0, 0, 0, 0); return; @@ -1612,7 +1626,7 @@ amap_unref(struct vm_amap *amap, vaddr_t * Otherwise, drop the reference count(s) on anons. */ - if (amap->am_ref == 1 && (amap->am_flags & AMAP_SHARED) != 0) { + if (amap->am_ref == 2 && (amap->am_flags & AMAP_SHARED) != 0) { amap->am_flags &= ~AMAP_SHARED; } amap_adjref_anons(amap, offset, len, -1, all);