From 9ded9474d39c2793a4d78b3ec151edd247e26ac3 Mon Sep 17 00:00:00 2001
From: Konstantin Belousov
Date: Tue, 5 Nov 2013 06:18:50 +0000
Subject: [PATCH] Do not coalesce if the swap object belongs to tmpfs vnode. The coalesce would extend the object to keep pages for the anonymous mapping created by the process. The pages has no relations to the tmpfs file content which could be written into the corresponding range, causing anonymous mapping and file content aliasing and subsequent corruption. Another lesser problem created by coalescing is over-accounting on the tmpfs node destruction, since the object size is substracted from the total count of the pages owned by the tmpfs mount. Reported and tested by: bdrewery Sponsored by: The FreeBSD Foundation MFC after: 1 week
---
 sys/vm/vm_object.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sys/vm/vm_object.c b/sys/vm/vm_object.c
index 9dea3a1cbd9..8683e2f05ec 100644
--- a/sys/vm/vm_object.c
+++ b/sys/vm/vm_object.c
@@ -2099,8 +2099,9 @@ vm_object_coalesce(vm_object_t prev_object, vm_ooffset_t prev_offset,
 if (prev_object == NULL)
 return (TRUE);
 VM_OBJECT_WLOCK(prev_object);
- if (prev_object->type != OBJT_DEFAULT &&
- prev_object->type != OBJT_SWAP) {
+ if ((prev_object->type != OBJT_DEFAULT &&
+ prev_object->type != OBJT_SWAP) ||
+ (prev_object->flags & OBJ_TMPFS) != 0) {
 VM_OBJECT_WUNLOCK(prev_object);
 return (FALSE);
 }
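Review bot: The added `(prev_object->flags & OBJ_TMPFS) != 0` clause has no comment, and nothing in the code tells a reader why a swap-type object carrying that flag must be refused. The reason exists only in the commit message, so a later cleanup of this condition could bring back the aliasing between anonymous-mapping pages and tmpfs file content, which is a data-integrity problem. I would add above the `if`: `/* Do not extend a tmpfs vnode's swap object: the added range would hold anonymous pages that a later file write to the same offsets would alias. */`. The body of vm_object_coalesce starts and ends outside this hunk; if its header comment lists the conditions for coalescing, it presumably needs the same note.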