Date: Tue, 14 Dec 2021 20:21:25 GMT
Message-Id: <202112142021.1BEKLPjq085888@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 88642d978a99 - main - vm_fault: Fix vm_fault_populate()'s handling of VM_FAULT_WIRE

The branch main has been updated by markj:

URL:
https://cgit.FreeBSD.org/src/commit/?id=88642d978a999aaa3752e86d2f54b1a6aba7fc85

commit 88642d978a999aaa3752e86d2f54b1a6aba7fc85
Author:     Mark Johnston
AuthorDate: 2021-12-14 20:10:46 +0000
Commit:     Mark Johnston
CommitDate: 2021-12-14 20:10:46 +0000

    vm_fault: Fix vm_fault_populate()'s handling of VM_FAULT_WIRE

    vm_map_wire() works by calling vm_fault(VM_FAULT_WIRE) on each page in
    the range.  (For largepage mappings, it calls vm_fault() once per large
    page.)

    A pager's populate method may return more than one page to be mapped.
    If VM_FAULT_WIRE is also specified, we'd wire each page in the run, not
    just the fault page.  Consider an object with two pages mapped in a
    vm_map_entry, and suppose vm_map_wire() is called on the entry.  Then,
    the first vm_fault() would allocate and wire both pages, and the second
    would encounter a valid page upon lookup and wire it again in the
    regular fault handler.  So the second page is wired twice and will be
    leaked when the object is destroyed.

    Fix the problem by modifying vm_fault_populate() to wire only the fault
    page.  Also modify the error handler for pmap_enter(psind=1) to not test
    fs->wired, since it must be false.

    PR:             260347
    Reviewed by:    alc, kib
    MFC after:      2 weeks
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D33416
---
 sys/vm/vm_fault.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index a929351257ce..9270b89f7b8d 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c
@@ -597,21 +597,23 @@ vm_fault_populate(struct faultstate *fs) (psind > 0 && rv == KERN_PROTECTION_FAILURE)); if (__predict_false(psind > 0 && rv == KERN_PROTECTION_FAILURE)) { + MPASS(!fs->wired); for (i = 0; i < npages; i++) { rv = pmap_enter(fs->map->pmap, vaddr + ptoa(i), - &m[i], fs->prot, fs->fault_type | - (fs->wired ? PMAP_ENTER_WIRED : 0), 0); + &m[i], fs->prot, fs->fault_type, 0); MPASS(rv == KERN_SUCCESS); } } VM_OBJECT_WLOCK(fs->first_object); for (i = 0; i < npages; i++) { - if ((fs->fault_flags & VM_FAULT_WIRE) != 0) + if ((fs->fault_flags & VM_FAULT_WIRE) != 0 && + m[i].pindex == fs->first_pindex) vm_page_wire(&m[i]); else vm_page_activate(&m[i]); - if (fs->m_hold != NULL && m[i].pindex == fs->first_pindex) { + if (fs->m_hold != NULL && + m[i].pindex == fs->first_pindex) { (*fs->m_hold) = &m[i]; vm_page_wire(&m[i]); }
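
Review bot: The new MPASS(!fs->wired) at the top of the psind > 0 fallback path has no comment saying why fs->wired cannot be set there; the commit message only states that "it must be false". MPASS is compiled only into INVARIANTS kernels, so a production kernel that ever reached this path with fs->wired set would now call pmap_enter() without PMAP_ENTER_WIRED and produce no diagnostic. A one-line comment above the assertion naming the condition that guarantees it would make the removal of the `fs->wired ? PMAP_ENTER_WIRED : 0` term easier to audit later. In the wiring loop, `m[i].pindex == fs->first_pindex` is now evaluated in both the VM_FAULT_WIRE test and the m_hold test; computing it once per iteration into a local would make it plain that both branches refer to the fault page, and would make it easier to see that when VM_FAULT_WIRE is set and fs->m_hold is non-NULL the fault page is passed to vm_page_wire() twice (once for the wire request, once for the hold), which is worth a short comment given that this commit fixes a wire-count leak. The re-wrapped m_hold condition is a whitespace-only change and could be dropped to keep the MFC diff minimal.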