RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-26 01:57:45 +00:00
Code Issues Activity Actions

Kernel: Extend the lifetime of Regions during page fault handling

Browse source 
Previously we had a race condition in the page fault handling: We were
relying on the affected Region staying alive while handling the page
fault, but this was not actually guaranteed, as an munmap from another
thread could result in the region being removed concurrently.

This commit closes that hole by extending the lifetime of the region
affected by the page fault until the handling of the page fault is
complete. This is achieved by maintaing a psuedo-reference count on the
region which counts the number of in-progress page faults being handled
on this region, and extending the lifetime of the region while this
counter is non zero.
Since both the increment of the counter by the page fault handler and
the spin loop waiting for it to reach 0 during Region destruction are
serialized using the appropriate AddressSpace spinlock, eventual
progress is guaranteed: As soon as the region is removed from the tree
no more page faults on the region can start.
And similarly correctness is ensured: The counter is incremented under
the same lock, so any page faults that are being handled will have
already incremented the counter before the region is deallocated.
This commit is contained in:
Idan Horowitz 2023-04-06 01:11:12 +03:00
parent 003989e1b0
commit 1c2dbed38a
4 changed files with 51 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Kernel/Memory/Region.h
View file

@ -207,6 +207,9 @@ public:
[[nodiscard]] bool mmapped_from_readable() const { return m_mmapped_from_readable; }
[[nodiscard]] bool mmapped_from_writable() const { return m_mmapped_from_writable; }
void start_handling_page_fault(Badge<MemoryManager>) { m_in_progress_page_faults++; };
void finish_handling_page_fault(Badge<MemoryManager>) { m_in_progress_page_faults--; };
private:
Region();
Region(NonnullLockRefPtr<VMObject>, size_t offset_in_vmobject, OwnPtr<KString>, Region::Access access, Cacheable, bool shared);
@ -234,6 +237,7 @@ private:
size_t m_offset_in_vmobject { 0 };
LockRefPtr<VMObject> m_vmobject;
OwnPtr<KString> m_name;
Atomic<u32> m_in_progress_page_faults;
u8 m_access { Region::None };
bool m_shared : 1 { false };
bool m_cacheable : 1 { false };