git: d0443e2b9832 - main - vm_fault: Fix a racy copy of page valid bits
Date: Tue, 14 Jun 2022 22:19:23 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d0443e2b9832f01319bcaaece8102d998bf81f01

commit d0443e2b9832f01319bcaaece8102d998bf81f01
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2022-06-14 20:36:54 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-06-14 22:18:09 +0000

    vm_fault: Fix a racy copy of page valid bits

    We do not hold the object lock or a page busy lock when copying src_m's
    validity state. Prior to commit 45d72c7d7fca we marked dst_m as fully
    valid.

    Use the source object's read lock to ensure that valid bits are not
    concurrently cleared.

    Reviewed by: alc, kib
    Fixes: 45d72c7d7fca ("vm_fault_copy_entry: accept invalid source pages.")
    MFC after: 2 weeks
    Sponsored by: The FreeBSD Foundation
    Differential Revision: https://reviews.freebsd.org/D35471

--- sys/vm/vm_fault.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index cfdd39de3ac2..3aca14777830 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c @@ -2099,8 +2099,15 @@ again: goto again; } pmap_copy_page(src_m, dst_m); - VM_OBJECT_RUNLOCK(object); + + /* + * The object lock does not guarantee that "src_m" will + * transition from invalid to valid, but it does ensure + * that "src_m" will not transition from valid to + * invalid. + */ dst_m->dirty = dst_m->valid = src_m->valid; + VM_OBJECT_RUNLOCK(object); } else { dst_m = src_m; if (vm_page_busy_acquire(dst_m, VM_ALLOC_WAITFAIL) == 0)
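
Review bot: the new comment above "dst_m->dirty = dst_m->valid = src_m->valid;" allows "src_m" to go from invalid to valid while the read lock is held, yet pmap_copy_page(src_m, dst_m) still runs before the valid bits are read. If such a transition can land between the copy and the read, dst_m would be marked valid and dirty for a range whose bytes were copied before they were filled in. Either read src_m->valid before the copy or extend the comment to say why that ordering is harmless here. The wording "does not guarantee that src_m will transition from invalid to valid" is also easy to misread; "does not prevent src_m from transitioning from invalid to valid" states the intended point directly.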