From: Jeff Roberson
Date: Fri, 17 Jan 2020 03:44:04 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r356822 - head/sys/vm

Author: jeff
Date: Fri Jan 17 03:44:04 2020
New Revision: 356822
URL: https://svnweb.freebsd.org/changeset/base/356822

Log:
  Fix a long standing bug that was made worse in r355765. When we are cowing a page that was previously mapped read-only it exists in pmap until pmap_enter() returns. However, we held no reference to the original page after the copy was complete. This allowed vm_object_scan_all_shadowed() to collapse an object that still had pages mapped. To resolve this, add another page pointer to the faultstate so we can keep the page xbusy until we're done with pmap_enter().

  Handle busy pages in scan_all_shadowed. This is already done in vm_object_collapse_scan().

  Reviewed by: kib, markj
  Differential Revision: https://reviews.freebsd.org/D23155

Modified:
  head/sys/vm/vm_fault.c
  head/sys/vm/vm_object.c

Modified: head/sys/vm/vm_fault.c ============================================================================== --- head/sys/vm/vm_fault.c Fri Jan 17 01:20:48 2020 (r356821) +++ head/sys/vm/vm_fault.c Fri Jan 17 03:44:04 2020 (r356822) @@ -121,6 +121,7 @@ __FBSDID("$FreeBSD$"); struct faultstate { vm_page_t m; + vm_page_t m_cow; vm_object_t object; vm_pindex_t pindex; vm_page_t first_m; 
@@ -208,6 +209,7 @@ static void fault_deallocate(struct faultstate *fs) { + fault_page_release(&fs->m_cow); fault_page_release(&fs->m); vm_object_pip_wakeup(fs->object); if (fs->object != fs->first_object) { @@ -818,7 +820,7 @@ RetryFault_oom: fs.lookup_still_valid = true; - fs.m = fs.first_m = NULL; + fs.m_cow = fs.m = fs.first_m = NULL; /* * Search for the page at object/offset. @@ -1254,9 +1256,11 @@ readrest: vm_page_unwire(fs.m, PQ_INACTIVE); } /* - * We no longer need the old page or object. + * Save the cow page to be released after + * pmap_enter is complete. */ - fault_page_release(&fs.m); + fs.m_cow = fs.m; + fs.m = NULL; } /* * fs.object != fs.first_object due to above Modified: head/sys/vm/vm_object.c ============================================================================== --- head/sys/vm/vm_object.c Fri Jan 17 01:20:48 2020 (r356821) +++ head/sys/vm/vm_object.c Fri Jan 17 03:44:04 2020 (r356822) @@ -1605,6 +1605,14 @@ vm_object_scan_all_shadowed(vm_object_t object) break; /* + * If the backing object page is busy a grandparent or older + * page may still be undergoing CoW. It is not safe to + * collapse the backing object until it is quiesced. + */ + if (p != NULL && vm_page_busied(p)) + return (false); + + /* * See if the parent has the page or if the parent's object * pager has the page. If the parent has the page but the page * is not valid, the parent's object pager must have the page. @@ -1907,8 +1915,7 @@ vm_object_collapse(vm_object_t object) * If we do not entirely shadow the backing object, * there is nothing we can do so we give up. */ - if (object->resident_page_count != object->size && - !vm_object_scan_all_shadowed(object)) { + if (!vm_object_scan_all_shadowed(object)) { VM_OBJECT_WUNLOCK(backing_object); break; }
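Review bot: The new `vm_page_t m_cow;` field in struct faultstate (vm_fault.c, hunk at -121) has no comment, and its lifetime differs from that of `m`: per the commit log it holds the source page of a copy-on-write and must stay xbusy until pmap_enter() returns. A one-line comment on the field saying so would keep a later change from releasing it early, which is the bug this commit fixes.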
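Review bot: In the vm_fault.c hunk at -818, `fs.m_cow = fs.m = fs.first_m = NULL;` overwrites m_cow without releasing it, so any path that jumps back to the retry label with m_cow still set would leave that page xbusy with nothing left to unbusy it. The visible lines do not show those paths; a short comment stating that every retry has already gone through fault_deallocate() would make the invariant explicit.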
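Review bot: In the vm_fault.c hunk at -1254 the old page is moved to fs.m_cow and fs.m is set to NULL, but no hunk shows a release after pmap_enter(); the only release added is the `fault_page_release(&fs->m_cow);` call in fault_deallocate(). The new comment promises the page is "released after pmap_enter is complete", so it is worth confirming that the success path reaches fault_deallocate() only after pmap_enter(), and naming that function in the comment so the dependency is visible at the point of the hand-off.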
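Review bot: The new check in vm_object_scan_all_shadowed() (vm_object.c hunk at -1605), `if (p != NULL && vm_page_busied(p)) return (false);`, reports a busy backing page with the same return value as "not fully shadowed", and vm_object_collapse() reacts by unlocking and breaking out, so a transiently busy page cancels the collapse with no retry. If deferring to a later collapse attempt is intended, the comment should say so; the phrase "a grandparent or older page" is also hard to follow and could instead say which object's fault is holding the page busy.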
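Review bot: The vm_object.c hunk at -1907 drops the `object->resident_page_count != object->size` shortcut, so vm_object_scan_all_shadowed() now runs on every pass through this branch, yet neither the commit log nor the unchanged comment above it ("If we do not entirely shadow the backing object") mentions this. Please add the reason to the comment, presumably that a fully resident parent is no longer sufficient because the scan is now also what detects busy backing pages, and note the added scan cost.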