On Thu, Jul 08, 2010 at 10:51:21AM +0300, Andriy Gapon wrote: > > Not an expert by any measure but the following looks suspicious: > m_copy/m_copym calls mb_dupcl for M_EXT case and M_RDONLY is _not_ checked nor > preserved in that case. > So we may get a writable M_EXT mbuf pointing to sf_buf wrapping a page of a > file. > But I am not sure if/how mbufs are re-used and if we can end up actually > writing > something to the resulting mbuf. >
My first catch was m_cat. With m_cat() changed as in the patch below, I only get added KASSERT in sbcompress() fired sometimes. Before, it reliably paniced on each run. diff --git a/sys/i386/i386/vm_machdep.c b/sys/i386/i386/vm_machdep.c index 6f86895..530f704 100644 --- a/sys/i386/i386/vm_machdep.c +++ b/sys/i386/i386/vm_machdep.c @@ -810,6 +810,12 @@ sf_buf_alloc(struct vm_page *m, int flags) nsfbufsused++; nsfbufspeak = imax(nsfbufspeak, nsfbufsused); } + if ((flags & SFB_RONLY) == 0) { + ptep = vtopte(sf->kva); + opte = *ptep; + if ((opte & PG_RW) == 0) + *ptep |= PG_RW | PG_A; + } #ifdef SMP goto shootdown; #else @@ -854,8 +860,9 @@ sf_buf_alloc(struct vm_page *m, int flags) PT_SET_MA(sf->kva, xpmap_ptom(VM_PAGE_TO_PHYS(m)) | pgeflag | PG_RW | PG_V | pmap_cache_bits(m->md.pat_mode, 0)); #else - *ptep = VM_PAGE_TO_PHYS(m) | pgeflag | PG_RW | PG_V | - pmap_cache_bits(m->md.pat_mode, 0); + *ptep = VM_PAGE_TO_PHYS(m) | pgeflag | + ((flags & SFB_RONLY) ? 0 : PG_RW) | PG_V | + pmap_cache_bits(m->md.pat_mode, 0); #endif /* diff --git a/sys/kern/uipc_mbuf.c b/sys/kern/uipc_mbuf.c index f41eb03..2af543d 100644 --- a/sys/kern/uipc_mbuf.c +++ b/sys/kern/uipc_mbuf.c @@ -911,7 +911,8 @@ m_cat(struct mbuf *m, struct mbuf *n) m = m->m_next; while (n) { if (m->m_flags & M_EXT || - m->m_data + m->m_len + n->m_len >= &m->m_dat[MLEN]) { + m->m_data + m->m_len + n->m_len >= &m->m_dat[MLEN] || + !M_WRITABLE(m)) { /* just join the two chains */ m->m_next = n; return; diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c index 2060a2e..95fae7e 100644 --- a/sys/kern/uipc_sockbuf.c +++ b/sys/kern/uipc_sockbuf.c @@ -776,6 +776,8 @@ sbcompress(struct sockbuf *sb, struct mbuf *m, struct mbuf *n) m->m_len <= MCLBYTES / 4 && /* XXX: Don't copy too much */ m->m_len <= M_TRAILINGSPACE(n) && n->m_type == m->m_type) { + KASSERT(n->m_ext.ext_type != EXT_SFBUF, + ("destroying file page %p", n)); bcopy(mtod(m, caddr_t), mtod(n, caddr_t) + n->m_len, (unsigned)m->m_len); n->m_len += m->m_len; diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c index 3165dab..df9cd69 100644 --- a/sys/kern/uipc_syscalls.c +++ b/sys/kern/uipc_syscalls.c @@ -2131,7 +2131,8 @@ retry_space: * as necessary, but this wait can be interrupted. */ if ((sf = sf_buf_alloc(pg, - (mnw ? SFB_NOWAIT : SFB_CATCH))) == NULL) { + (mnw ? SFB_NOWAIT : SFB_CATCH) | SFB_RONLY)) + == NULL) { mbstat.sf_allocfail++; vm_page_lock(pg); vm_page_unwire(pg, 0); @@ -2162,6 +2163,8 @@ retry_space: m_cat(m, m0); else m = m0; + KASSERT((m0->m_flags & M_RDONLY) != 0, + ("lost M_RDONLY")); /* Keep track of bits processed. */ loopbytes += xfsize; diff --git a/sys/sys/sf_buf.h b/sys/sys/sf_buf.h index af42065..fcb31f8 100644 --- a/sys/sys/sf_buf.h +++ b/sys/sys/sf_buf.h @@ -41,6 +41,7 @@ #define SFB_CPUPRIVATE 2 /* Create a CPU private mapping. */ #define SFB_DEFAULT 0 #define SFB_NOWAIT 4 /* Return NULL if all bufs are used. */ +#define SFB_RONLY 8 /* Map page read-only, if possible. */ struct vm_page;
pgpqi1VT7upfi.pgp
Description: PGP signature