2 * SPDX-License-Identifier: (BSD-3-Clause AND MIT-CMU)
4 * Copyright (c) 1991, 1993
5 * The Regents of the University of California. All rights reserved.
7 * This code is derived from software contributed to Berkeley by
8 * The Mach Operating System project at Carnegie-Mellon University.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of the University nor the names of its contributors
19 * may be used to endorse or promote products derived from this software
20 * without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * from: @(#)vm_map.c 8.3 (Berkeley) 1/12/94
37 * Copyright (c) 1987, 1990 Carnegie-Mellon University.
38 * All rights reserved.
40 * Authors: Avadis Tevanian, Jr., Michael Wayne Young
42 * Permission to use, copy, modify and distribute this software and
43 * its documentation is hereby granted, provided that both the copyright
44 * notice and this permission notice appear in all copies of the
45 * software, derivative works or modified versions, and any portions
46 * thereof, and that both notices appear in supporting documentation.
48 * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
49 * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND
50 * FOR ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
52 * Carnegie Mellon requests users of this software to return to
54 * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU
55 * School of Computer Science
56 * Carnegie Mellon University
57 * Pittsburgh PA 15213-3890
59 * any improvements or extensions that they make and grant Carnegie the
60 * rights to redistribute these changes.
64 * Virtual memory mapping module.
67 #include <sys/cdefs.h>
68 __FBSDID("$FreeBSD$");
70 #include <sys/param.h>
71 #include <sys/systm.h>
72 #include <sys/kernel.h>
75 #include <sys/mutex.h>
77 #include <sys/vmmeter.h>
79 #include <sys/vnode.h>
80 #include <sys/racct.h>
81 #include <sys/resourcevar.h>
82 #include <sys/rwlock.h>
84 #include <sys/sysctl.h>
85 #include <sys/sysent.h>
89 #include <vm/vm_param.h>
91 #include <vm/vm_map.h>
92 #include <vm/vm_page.h>
93 #include <vm/vm_object.h>
94 #include <vm/vm_pager.h>
95 #include <vm/vm_kern.h>
96 #include <vm/vm_extern.h>
97 #include <vm/vnode_pager.h>
98 #include <vm/swap_pager.h>
102 * Virtual memory maps provide for the mapping, protection,
103 * and sharing of virtual memory objects. In addition,
104 * this module provides for an efficient virtual copy of
105 * memory from one map to another.
107 * Synchronization is required prior to most operations.
109 * Maps consist of an ordered doubly-linked list of simple
110 * entries; a self-adjusting binary search tree of these
111 * entries is used to speed up lookups.
113 * Since portions of maps are specified by start/end addresses,
114 * which may not align with existing map entries, all
115 * routines merely "clip" entries to these start/end values.
116 * [That is, an entry is split into two, bordering at a
117 * start or end value.] Note that these clippings may not
118 * always be necessary (as the two resulting entries are then
119 * not changed); however, the clipping is done for convenience.
121 * As mentioned above, virtual copy operations are performed
122 * by copying VM object references from one map to
123 * another, and then marking both regions as copy-on-write.
126 static struct mtx map_sleep_mtx;
127 static uma_zone_t mapentzone;
128 static uma_zone_t kmapentzone;
129 static uma_zone_t mapzone;
130 static uma_zone_t vmspace_zone;
131 static int vmspace_zinit(void *mem, int size, int flags);
132 static int vm_map_zinit(void *mem, int ize, int flags);
133 static void _vm_map_init(vm_map_t map, pmap_t pmap, vm_offset_t min,
135 static void vm_map_entry_deallocate(vm_map_entry_t entry, boolean_t system_map);
136 static void vm_map_entry_dispose(vm_map_t map, vm_map_entry_t entry);
137 static void vm_map_entry_unwire(vm_map_t map, vm_map_entry_t entry);
138 static int vm_map_growstack(vm_map_t map, vm_offset_t addr,
139 vm_map_entry_t gap_entry);
140 static void vm_map_pmap_enter(vm_map_t map, vm_offset_t addr, vm_prot_t prot,
141 vm_object_t object, vm_pindex_t pindex, vm_size_t size, int flags);
143 static void vm_map_zdtor(void *mem, int size, void *arg);
144 static void vmspace_zdtor(void *mem, int size, void *arg);
146 static int vm_map_stack_locked(vm_map_t map, vm_offset_t addrbos,
147 vm_size_t max_ssize, vm_size_t growsize, vm_prot_t prot, vm_prot_t max,
149 static void vm_map_wire_entry_failure(vm_map_t map, vm_map_entry_t entry,
150 vm_offset_t failed_addr);
152 #define ENTRY_CHARGED(e) ((e)->cred != NULL || \
153 ((e)->object.vm_object != NULL && (e)->object.vm_object->cred != NULL && \
154 !((e)->eflags & MAP_ENTRY_NEEDS_COPY)))
157 * PROC_VMSPACE_{UN,}LOCK() can be a noop as long as vmspaces are type
160 #define PROC_VMSPACE_LOCK(p) do { } while (0)
161 #define PROC_VMSPACE_UNLOCK(p) do { } while (0)
164 * VM_MAP_RANGE_CHECK: [ internal use only ]
166 * Asserts that the starting and ending region
167 * addresses fall within the valid range of the map.
169 #define VM_MAP_RANGE_CHECK(map, start, end) \
171 if (start < vm_map_min(map)) \
172 start = vm_map_min(map); \
173 if (end > vm_map_max(map)) \
174 end = vm_map_max(map); \
182 * Initialize the vm_map module. Must be called before
183 * any other vm_map routines.
185 * Map and entry structures are allocated from the general
186 * purpose memory pool with some exceptions:
188 * - The kernel map and kmem submap are allocated statically.
189 * - Kernel map entries are allocated out of a static pool.
191 * These restrictions are necessary since malloc() uses the
192 * maps and requires map entries.
198 mtx_init(&map_sleep_mtx, "vm map sleep mutex", NULL, MTX_DEF);
199 mapzone = uma_zcreate("MAP", sizeof(struct vm_map), NULL,
205 vm_map_zinit, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
206 uma_prealloc(mapzone, MAX_KMAP);
207 kmapentzone = uma_zcreate("KMAP ENTRY", sizeof(struct vm_map_entry),
208 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR,
209 UMA_ZONE_MTXCLASS | UMA_ZONE_VM);
210 mapentzone = uma_zcreate("MAP ENTRY", sizeof(struct vm_map_entry),
211 NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0);
212 vmspace_zone = uma_zcreate("VMSPACE", sizeof(struct vmspace), NULL,
218 vmspace_zinit, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
222 vmspace_zinit(void *mem, int size, int flags)
226 vm = (struct vmspace *)mem;
228 vm->vm_map.pmap = NULL;
229 (void)vm_map_zinit(&vm->vm_map, sizeof(vm->vm_map), flags);
230 PMAP_LOCK_INIT(vmspace_pmap(vm));
235 vm_map_zinit(void *mem, int size, int flags)
240 memset(map, 0, sizeof(*map));
241 mtx_init(&map->system_mtx, "vm map (system)", NULL, MTX_DEF | MTX_DUPOK);
242 sx_init(&map->lock, "vm map (user)");
248 vmspace_zdtor(void *mem, int size, void *arg)
252 vm = (struct vmspace *)mem;
254 vm_map_zdtor(&vm->vm_map, sizeof(vm->vm_map), arg);
257 vm_map_zdtor(void *mem, int size, void *arg)
262 KASSERT(map->nentries == 0,
263 ("map %p nentries == %d on free.",
264 map, map->nentries));
265 KASSERT(map->size == 0,
266 ("map %p size == %lu on free.",
267 map, (unsigned long)map->size));
269 #endif /* INVARIANTS */
272 * Allocate a vmspace structure, including a vm_map and pmap,
273 * and initialize those structures. The refcnt is set to 1.
275 * If 'pinit' is NULL then the embedded pmap is initialized via pmap_pinit().
278 vmspace_alloc(vm_offset_t min, vm_offset_t max, pmap_pinit_t pinit)
282 vm = uma_zalloc(vmspace_zone, M_WAITOK);
283 KASSERT(vm->vm_map.pmap == NULL, ("vm_map.pmap must be NULL"));
284 if (!pinit(vmspace_pmap(vm))) {
285 uma_zfree(vmspace_zone, vm);
288 CTR1(KTR_VM, "vmspace_alloc: %p", vm);
289 _vm_map_init(&vm->vm_map, vmspace_pmap(vm), min, max);
304 vmspace_container_reset(struct proc *p)
308 racct_set(p, RACCT_DATA, 0);
309 racct_set(p, RACCT_STACK, 0);
310 racct_set(p, RACCT_RSS, 0);
311 racct_set(p, RACCT_MEMLOCK, 0);
312 racct_set(p, RACCT_VMEM, 0);
318 vmspace_dofree(struct vmspace *vm)
321 CTR1(KTR_VM, "vmspace_free: %p", vm);
324 * Make sure any SysV shm is freed, it might not have been in
330 * Lock the map, to wait out all other references to it.
331 * Delete all of the mappings and pages they hold, then call
332 * the pmap module to reclaim anything left.
334 (void)vm_map_remove(&vm->vm_map, vm_map_min(&vm->vm_map),
335 vm_map_max(&vm->vm_map));
337 pmap_release(vmspace_pmap(vm));
338 vm->vm_map.pmap = NULL;
339 uma_zfree(vmspace_zone, vm);
343 vmspace_free(struct vmspace *vm)
346 WITNESS_WARN(WARN_GIANTOK | WARN_SLEEPOK, NULL,
347 "vmspace_free() called");
349 if (vm->vm_refcnt == 0)
350 panic("vmspace_free: attempt to free already freed vmspace");
352 if (atomic_fetchadd_int(&vm->vm_refcnt, -1) == 1)
357 vmspace_exitfree(struct proc *p)
361 PROC_VMSPACE_LOCK(p);
364 PROC_VMSPACE_UNLOCK(p);
365 KASSERT(vm == &vmspace0, ("vmspace_exitfree: wrong vmspace"));
370 vmspace_exit(struct thread *td)
377 * Release user portion of address space.
378 * This releases references to vnodes,
379 * which could cause I/O if the file has been unlinked.
380 * Need to do this early enough that we can still sleep.
382 * The last exiting process to reach this point releases as
383 * much of the environment as it can. vmspace_dofree() is the
384 * slower fallback in case another process had a temporary
385 * reference to the vmspace.
390 atomic_add_int(&vmspace0.vm_refcnt, 1);
391 refcnt = vm->vm_refcnt;
393 if (refcnt > 1 && p->p_vmspace != &vmspace0) {
394 /* Switch now since other proc might free vmspace */
395 PROC_VMSPACE_LOCK(p);
396 p->p_vmspace = &vmspace0;
397 PROC_VMSPACE_UNLOCK(p);
400 } while (!atomic_fcmpset_int(&vm->vm_refcnt, &refcnt, refcnt - 1));
402 if (p->p_vmspace != vm) {
403 /* vmspace not yet freed, switch back */
404 PROC_VMSPACE_LOCK(p);
406 PROC_VMSPACE_UNLOCK(p);
409 pmap_remove_pages(vmspace_pmap(vm));
410 /* Switch now since this proc will free vmspace */
411 PROC_VMSPACE_LOCK(p);
412 p->p_vmspace = &vmspace0;
413 PROC_VMSPACE_UNLOCK(p);
419 vmspace_container_reset(p);
423 /* Acquire reference to vmspace owned by another process. */
426 vmspace_acquire_ref(struct proc *p)
431 PROC_VMSPACE_LOCK(p);
434 PROC_VMSPACE_UNLOCK(p);
437 refcnt = vm->vm_refcnt;
439 if (refcnt <= 0) { /* Avoid 0->1 transition */
440 PROC_VMSPACE_UNLOCK(p);
443 } while (!atomic_fcmpset_int(&vm->vm_refcnt, &refcnt, refcnt + 1));
444 if (vm != p->p_vmspace) {
445 PROC_VMSPACE_UNLOCK(p);
449 PROC_VMSPACE_UNLOCK(p);
454 * Switch between vmspaces in an AIO kernel process.
456 * The AIO kernel processes switch to and from a user process's
457 * vmspace while performing an I/O operation on behalf of a user
458 * process. The new vmspace is either the vmspace of a user process
459 * obtained from an active AIO request or the initial vmspace of the
460 * AIO kernel process (when it is idling). Because user processes
461 * will block to drain any active AIO requests before proceeding in
462 * exit() or execve(), the vmspace reference count for these vmspaces
463 * can never be 0. This allows for a much simpler implementation than
464 * the loop in vmspace_acquire_ref() above. Similarly, AIO kernel
465 * processes hold an extra reference on their initial vmspace for the
466 * life of the process so that this guarantee is true for any vmspace
470 vmspace_switch_aio(struct vmspace *newvm)
472 struct vmspace *oldvm;
474 /* XXX: Need some way to assert that this is an aio daemon. */
476 KASSERT(newvm->vm_refcnt > 0,
477 ("vmspace_switch_aio: newvm unreferenced"));
479 oldvm = curproc->p_vmspace;
484 * Point to the new address space and refer to it.
486 curproc->p_vmspace = newvm;
487 atomic_add_int(&newvm->vm_refcnt, 1);
489 /* Activate the new mapping. */
490 pmap_activate(curthread);
492 /* Remove the daemon's reference to the old address space. */
493 KASSERT(oldvm->vm_refcnt > 1,
494 ("vmspace_switch_aio: oldvm dropping last reference"));
499 _vm_map_lock(vm_map_t map, const char *file, int line)
503 mtx_lock_flags_(&map->system_mtx, 0, file, line);
505 sx_xlock_(&map->lock, file, line);
510 vm_map_process_deferred(void)
513 vm_map_entry_t entry, next;
517 entry = td->td_map_def_user;
518 td->td_map_def_user = NULL;
519 while (entry != NULL) {
521 if ((entry->eflags & MAP_ENTRY_VN_WRITECNT) != 0) {
523 * Decrement the object's writemappings and
524 * possibly the vnode's v_writecount.
526 KASSERT((entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0,
527 ("Submap with writecount"));
528 object = entry->object.vm_object;
529 KASSERT(object != NULL, ("No object for writecount"));
530 vnode_pager_release_writecount(object, entry->start,
533 vm_map_entry_deallocate(entry, FALSE);
539 _vm_map_unlock(vm_map_t map, const char *file, int line)
543 mtx_unlock_flags_(&map->system_mtx, 0, file, line);
545 sx_xunlock_(&map->lock, file, line);
546 vm_map_process_deferred();
551 _vm_map_lock_read(vm_map_t map, const char *file, int line)
555 mtx_lock_flags_(&map->system_mtx, 0, file, line);
557 sx_slock_(&map->lock, file, line);
561 _vm_map_unlock_read(vm_map_t map, const char *file, int line)
565 mtx_unlock_flags_(&map->system_mtx, 0, file, line);
567 sx_sunlock_(&map->lock, file, line);
568 vm_map_process_deferred();
573 _vm_map_trylock(vm_map_t map, const char *file, int line)
577 error = map->system_map ?
578 !mtx_trylock_flags_(&map->system_mtx, 0, file, line) :
579 !sx_try_xlock_(&map->lock, file, line);
586 _vm_map_trylock_read(vm_map_t map, const char *file, int line)
590 error = map->system_map ?
591 !mtx_trylock_flags_(&map->system_mtx, 0, file, line) :
592 !sx_try_slock_(&map->lock, file, line);
597 * _vm_map_lock_upgrade: [ internal use only ]
599 * Tries to upgrade a read (shared) lock on the specified map to a write
600 * (exclusive) lock. Returns the value "0" if the upgrade succeeds and a
601 * non-zero value if the upgrade fails. If the upgrade fails, the map is
602 * returned without a read or write lock held.
604 * Requires that the map be read locked.
607 _vm_map_lock_upgrade(vm_map_t map, const char *file, int line)
609 unsigned int last_timestamp;
611 if (map->system_map) {
612 mtx_assert_(&map->system_mtx, MA_OWNED, file, line);
614 if (!sx_try_upgrade_(&map->lock, file, line)) {
615 last_timestamp = map->timestamp;
616 sx_sunlock_(&map->lock, file, line);
617 vm_map_process_deferred();
619 * If the map's timestamp does not change while the
620 * map is unlocked, then the upgrade succeeds.
622 sx_xlock_(&map->lock, file, line);
623 if (last_timestamp != map->timestamp) {
624 sx_xunlock_(&map->lock, file, line);
634 _vm_map_lock_downgrade(vm_map_t map, const char *file, int line)
637 if (map->system_map) {
638 mtx_assert_(&map->system_mtx, MA_OWNED, file, line);
640 sx_downgrade_(&map->lock, file, line);
646 * Returns a non-zero value if the caller holds a write (exclusive) lock
647 * on the specified map and the value "0" otherwise.
650 vm_map_locked(vm_map_t map)
654 return (mtx_owned(&map->system_mtx));
656 return (sx_xlocked(&map->lock));
661 _vm_map_assert_locked(vm_map_t map, const char *file, int line)
665 mtx_assert_(&map->system_mtx, MA_OWNED, file, line);
667 sx_assert_(&map->lock, SA_XLOCKED, file, line);
670 #define VM_MAP_ASSERT_LOCKED(map) \
671 _vm_map_assert_locked(map, LOCK_FILE, LOCK_LINE)
674 _vm_map_assert_consistent(vm_map_t map)
676 vm_map_entry_t entry;
677 vm_map_entry_t child;
678 vm_size_t max_left, max_right;
680 for (entry = map->header.next; entry != &map->header;
681 entry = entry->next) {
682 KASSERT(entry->prev->end <= entry->start,
683 ("map %p prev->end = %jx, start = %jx", map,
684 (uintmax_t)entry->prev->end, (uintmax_t)entry->start));
685 KASSERT(entry->start < entry->end,
686 ("map %p start = %jx, end = %jx", map,
687 (uintmax_t)entry->start, (uintmax_t)entry->end));
688 KASSERT(entry->end <= entry->next->start,
689 ("map %p end = %jx, next->start = %jx", map,
690 (uintmax_t)entry->end, (uintmax_t)entry->next->start));
691 KASSERT(entry->left == NULL ||
692 entry->left->start < entry->start,
693 ("map %p left->start = %jx, start = %jx", map,
694 (uintmax_t)entry->left->start, (uintmax_t)entry->start));
695 KASSERT(entry->right == NULL ||
696 entry->start < entry->right->start,
697 ("map %p start = %jx, right->start = %jx", map,
698 (uintmax_t)entry->start, (uintmax_t)entry->right->start));
700 max_left = (child != NULL) ? child->max_free :
701 entry->start - entry->prev->end;
702 child = entry->right;
703 max_right = (child != NULL) ? child->max_free :
704 entry->next->start - entry->end;
705 KASSERT(entry->max_free == MAX(max_left, max_right),
706 ("map %p max = %jx, max_left = %jx, max_right = %jx", map,
707 (uintmax_t)entry->max_free,
708 (uintmax_t)max_left, (uintmax_t)max_right));
712 #define VM_MAP_ASSERT_CONSISTENT(map) \
713 _vm_map_assert_consistent(map)
715 #define VM_MAP_ASSERT_LOCKED(map)
716 #define VM_MAP_ASSERT_CONSISTENT(map)
720 * _vm_map_unlock_and_wait:
722 * Atomically releases the lock on the specified map and puts the calling
723 * thread to sleep. The calling thread will remain asleep until either
724 * vm_map_wakeup() is performed on the map or the specified timeout is
727 * WARNING! This function does not perform deferred deallocations of
728 * objects and map entries. Therefore, the calling thread is expected to
729 * reacquire the map lock after reawakening and later perform an ordinary
730 * unlock operation, such as vm_map_unlock(), before completing its
731 * operation on the map.
734 _vm_map_unlock_and_wait(vm_map_t map, int timo, const char *file, int line)
737 mtx_lock(&map_sleep_mtx);
739 mtx_unlock_flags_(&map->system_mtx, 0, file, line);
741 sx_xunlock_(&map->lock, file, line);
742 return (msleep(&map->root, &map_sleep_mtx, PDROP | PVM, "vmmaps",
749 * Awaken any threads that have slept on the map using
750 * vm_map_unlock_and_wait().
753 vm_map_wakeup(vm_map_t map)
757 * Acquire and release map_sleep_mtx to prevent a wakeup()
758 * from being performed (and lost) between the map unlock
759 * and the msleep() in _vm_map_unlock_and_wait().
761 mtx_lock(&map_sleep_mtx);
762 mtx_unlock(&map_sleep_mtx);
767 vm_map_busy(vm_map_t map)
770 VM_MAP_ASSERT_LOCKED(map);
775 vm_map_unbusy(vm_map_t map)
778 VM_MAP_ASSERT_LOCKED(map);
779 KASSERT(map->busy, ("vm_map_unbusy: not busy"));
780 if (--map->busy == 0 && (map->flags & MAP_BUSY_WAKEUP)) {
781 vm_map_modflags(map, 0, MAP_BUSY_WAKEUP);
787 vm_map_wait_busy(vm_map_t map)
790 VM_MAP_ASSERT_LOCKED(map);
792 vm_map_modflags(map, MAP_BUSY_WAKEUP, 0);
794 msleep(&map->busy, &map->system_mtx, 0, "mbusy", 0);
796 sx_sleep(&map->busy, &map->lock, 0, "mbusy", 0);
802 vmspace_resident_count(struct vmspace *vmspace)
804 return pmap_resident_count(vmspace_pmap(vmspace));
810 * Creates and returns a new empty VM map with
811 * the given physical map structure, and having
812 * the given lower and upper address bounds.
815 vm_map_create(pmap_t pmap, vm_offset_t min, vm_offset_t max)
819 result = uma_zalloc(mapzone, M_WAITOK);
820 CTR1(KTR_VM, "vm_map_create: %p", result);
821 _vm_map_init(result, pmap, min, max);
826 * Initialize an existing vm_map structure
827 * such as that in the vmspace structure.
830 _vm_map_init(vm_map_t map, pmap_t pmap, vm_offset_t min, vm_offset_t max)
833 map->header.next = map->header.prev = &map->header;
834 map->header.eflags = MAP_ENTRY_HEADER;
835 map->needs_wakeup = FALSE;
838 map->header.end = min;
839 map->header.start = max;
848 vm_map_init(vm_map_t map, pmap_t pmap, vm_offset_t min, vm_offset_t max)
851 _vm_map_init(map, pmap, min, max);
852 mtx_init(&map->system_mtx, "system map", NULL, MTX_DEF | MTX_DUPOK);
853 sx_init(&map->lock, "user map");
857 * vm_map_entry_dispose: [ internal use only ]
859 * Inverse of vm_map_entry_create.
862 vm_map_entry_dispose(vm_map_t map, vm_map_entry_t entry)
864 uma_zfree(map->system_map ? kmapentzone : mapentzone, entry);
868 * vm_map_entry_create: [ internal use only ]
870 * Allocates a VM map entry for insertion.
871 * No entry fields are filled in.
873 static vm_map_entry_t
874 vm_map_entry_create(vm_map_t map)
876 vm_map_entry_t new_entry;
879 new_entry = uma_zalloc(kmapentzone, M_NOWAIT);
881 new_entry = uma_zalloc(mapentzone, M_WAITOK);
882 if (new_entry == NULL)
883 panic("vm_map_entry_create: kernel resources exhausted");
888 * vm_map_entry_set_behavior:
890 * Set the expected access behavior, either normal, random, or
894 vm_map_entry_set_behavior(vm_map_entry_t entry, u_char behavior)
896 entry->eflags = (entry->eflags & ~MAP_ENTRY_BEHAV_MASK) |
897 (behavior & MAP_ENTRY_BEHAV_MASK);
901 * vm_map_entry_set_max_free:
903 * Set the max_free field in a vm_map_entry.
906 vm_map_entry_set_max_free(vm_map_entry_t entry)
908 vm_map_entry_t child;
909 vm_size_t max_left, max_right;
912 max_left = (child != NULL) ? child->max_free :
913 entry->start - entry->prev->end;
914 child = entry->right;
915 max_right = (child != NULL) ? child->max_free :
916 entry->next->start - entry->end;
917 entry->max_free = MAX(max_left, max_right);
920 #define SPLAY_LEFT_STEP(root, y, rlist, test) do { \
922 if (y != NULL && (test)) { \
923 /* Rotate right and make y root. */ \
924 root->left = y->right; \
926 vm_map_entry_set_max_free(root); \
930 /* Put root on rlist. */ \
931 root->left = rlist; \
936 #define SPLAY_RIGHT_STEP(root, y, llist, test) do { \
938 if (y != NULL && (test)) { \
939 /* Rotate left and make y root. */ \
940 root->right = y->left; \
942 vm_map_entry_set_max_free(root); \
946 /* Put root on llist. */ \
947 root->right = llist; \
953 * Walk down the tree until we find addr or a NULL pointer where addr would go,
954 * breaking off left and right subtrees of nodes less than, or greater than
955 * addr. Treat pointers to nodes with max_free < length as NULL pointers.
956 * llist and rlist are the two sides in reverse order (bottom-up), with llist
957 * linked by the right pointer and rlist linked by the left pointer in the
960 static vm_map_entry_t
961 vm_map_splay_split(vm_offset_t addr, vm_size_t length,
962 vm_map_entry_t root, vm_map_entry_t *out_llist, vm_map_entry_t *out_rlist)
964 vm_map_entry_t llist, rlist;
969 while (root != NULL && root->max_free >= length) {
970 if (addr < root->start) {
971 SPLAY_LEFT_STEP(root, y, rlist,
972 y->max_free >= length && addr < y->start);
973 } else if (addr >= root->end) {
974 SPLAY_RIGHT_STEP(root, y, llist,
975 y->max_free >= length && addr >= y->end);
985 vm_map_splay_findnext(vm_map_entry_t root, vm_map_entry_t *iolist)
987 vm_map_entry_t rlist, y;
992 SPLAY_LEFT_STEP(root, y, rlist, true);
997 vm_map_splay_findprev(vm_map_entry_t root, vm_map_entry_t *iolist)
999 vm_map_entry_t llist, y;
1003 while (root != NULL)
1004 SPLAY_RIGHT_STEP(root, y, llist, true);
1009 * Walk back up the two spines, flip the pointers and set max_free. The
1010 * subtrees of the root go at the bottom of llist and rlist.
1012 static vm_map_entry_t
1013 vm_map_splay_merge(vm_map_entry_t root,
1014 vm_map_entry_t llist, vm_map_entry_t rlist,
1015 vm_map_entry_t ltree, vm_map_entry_t rtree)
1019 while (llist != NULL) {
1021 llist->right = ltree;
1022 vm_map_entry_set_max_free(llist);
1026 while (rlist != NULL) {
1028 rlist->left = rtree;
1029 vm_map_entry_set_max_free(rlist);
1035 * Final assembly: add ltree and rtree as subtrees of root.
1038 root->right = rtree;
1039 vm_map_entry_set_max_free(root);
1045 * vm_map_entry_splay:
1047 * The Sleator and Tarjan top-down splay algorithm with the
1048 * following variation. Max_free must be computed bottom-up, so
1049 * on the downward pass, maintain the left and right spines in
1050 * reverse order. Then, make a second pass up each side to fix
1051 * the pointers and compute max_free. The time bound is O(log n)
1054 * The new root is the vm_map_entry containing "addr", or else an
1055 * adjacent entry (lower if possible) if addr is not in the tree.
1057 * The map must be locked, and leaves it so.
1059 * Returns: the new root.
1061 static vm_map_entry_t
1062 vm_map_entry_splay(vm_offset_t addr, vm_map_entry_t root)
1064 vm_map_entry_t llist, rlist;
1066 root = vm_map_splay_split(addr, 0, root, &llist, &rlist);
1069 } else if (llist != NULL) {
1071 * Recover the greatest node in the left
1072 * subtree and make it the root.
1075 llist = root->right;
1077 } else if (rlist != NULL) {
1079 * Recover the least node in the right
1080 * subtree and make it the root.
1086 /* There is no root. */
1089 return (vm_map_splay_merge(root, llist, rlist,
1090 root->left, root->right));
1094 * vm_map_entry_{un,}link:
1096 * Insert/remove entries from maps.
1099 vm_map_entry_link(vm_map_t map,
1100 vm_map_entry_t entry)
1102 vm_map_entry_t llist, rlist, root;
1105 "vm_map_entry_link: map %p, nentries %d, entry %p", map,
1106 map->nentries, entry);
1107 VM_MAP_ASSERT_LOCKED(map);
1110 root = vm_map_splay_split(entry->start, 0, root, &llist, &rlist);
1111 KASSERT(root == NULL,
1112 ("vm_map_entry_link: link object already mapped"));
1113 entry->prev = (llist == NULL) ? &map->header : llist;
1114 entry->next = (rlist == NULL) ? &map->header : rlist;
1115 entry->prev->next = entry->next->prev = entry;
1116 root = vm_map_splay_merge(entry, llist, rlist, NULL, NULL);
1118 VM_MAP_ASSERT_CONSISTENT(map);
1121 enum unlink_merge_type {
1128 vm_map_entry_unlink(vm_map_t map,
1129 vm_map_entry_t entry,
1130 enum unlink_merge_type op)
1132 vm_map_entry_t llist, rlist, root, y;
1134 VM_MAP_ASSERT_LOCKED(map);
1135 llist = entry->prev;
1136 rlist = entry->next;
1137 llist->next = rlist;
1138 rlist->prev = llist;
1140 root = vm_map_splay_split(entry->start, 0, root, &llist, &rlist);
1141 KASSERT(root != NULL,
1142 ("vm_map_entry_unlink: unlink object not mapped"));
1145 case UNLINK_MERGE_PREV:
1146 vm_map_splay_findprev(root, &llist);
1147 llist->end = root->end;
1150 llist = root->right;
1153 case UNLINK_MERGE_NEXT:
1154 vm_map_splay_findnext(root, &rlist);
1155 rlist->start = root->start;
1156 rlist->offset = root->offset;
1162 case UNLINK_MERGE_NONE:
1163 vm_map_splay_findprev(root, &llist);
1164 vm_map_splay_findnext(root, &rlist);
1165 if (llist != NULL) {
1167 llist = root->right;
1169 } else if (rlist != NULL) {
1178 root = vm_map_splay_merge(root, llist, rlist,
1179 root->left, root->right);
1181 VM_MAP_ASSERT_CONSISTENT(map);
1183 CTR3(KTR_VM, "vm_map_entry_unlink: map %p, nentries %d, entry %p", map,
1184 map->nentries, entry);
1188 * vm_map_entry_resize_free:
1190 * Recompute the amount of free space following a modified vm_map_entry
1191 * and propagate those values up the tree. Call this function after
1192 * resizing a map entry in-place by changing the end value, without a
1193 * call to vm_map_entry_link() or _unlink().
1195 * The map must be locked, and leaves it so.
1198 vm_map_entry_resize_free(vm_map_t map, vm_map_entry_t entry)
1200 vm_map_entry_t llist, rlist, root;
1202 VM_MAP_ASSERT_LOCKED(map);
1204 root = vm_map_splay_split(entry->start, 0, root, &llist, &rlist);
1205 KASSERT(root != NULL,
1206 ("vm_map_entry_resize_free: resize_free object not mapped"));
1207 vm_map_splay_findnext(root, &rlist);
1209 map->root = vm_map_splay_merge(root, llist, rlist,
1210 root->left, root->right);
1211 VM_MAP_ASSERT_CONSISTENT(map);
1212 CTR3(KTR_VM, "vm_map_entry_resize_free: map %p, nentries %d, entry %p", map,
1213 map->nentries, entry);
1217 * vm_map_lookup_entry: [ internal use only ]
1219 * Finds the map entry containing (or
1220 * immediately preceding) the specified address
1221 * in the given map; the entry is returned
1222 * in the "entry" parameter. The boolean
1223 * result indicates whether the address is
1224 * actually contained in the map.
1227 vm_map_lookup_entry(
1229 vm_offset_t address,
1230 vm_map_entry_t *entry) /* OUT */
1232 vm_map_entry_t cur, lbound;
1236 * If the map is empty, then the map entry immediately preceding
1237 * "address" is the map's header.
1241 *entry = &map->header;
1244 if (address >= cur->start && cur->end > address) {
1248 if ((locked = vm_map_locked(map)) ||
1249 sx_try_upgrade(&map->lock)) {
1251 * Splay requires a write lock on the map. However, it only
1252 * restructures the binary search tree; it does not otherwise
1253 * change the map. Thus, the map's timestamp need not change
1254 * on a temporary upgrade.
1256 map->root = cur = vm_map_entry_splay(address, cur);
1257 VM_MAP_ASSERT_CONSISTENT(map);
1259 sx_downgrade(&map->lock);
1262 * If "address" is contained within a map entry, the new root
1263 * is that map entry. Otherwise, the new root is a map entry
1264 * immediately before or after "address".
1266 if (address < cur->start) {
1267 *entry = &map->header;
1271 return (address < cur->end);
1274 * Since the map is only locked for read access, perform a
1275 * standard binary search tree lookup for "address".
1277 lbound = &map->header;
1279 if (address < cur->start) {
1281 } else if (cur->end <= address) {
1288 } while (cur != NULL);
1296 * Inserts the given whole VM object into the target
1297 * map at the specified address range. The object's
1298 * size should match that of the address range.
1300 * Requires that the map be locked, and leaves it so.
1302 * If object is non-NULL, ref count must be bumped by caller
1303 * prior to making call to account for the new entry.
1306 vm_map_insert(vm_map_t map, vm_object_t object, vm_ooffset_t offset,
1307 vm_offset_t start, vm_offset_t end, vm_prot_t prot, vm_prot_t max, int cow)
1309 vm_map_entry_t new_entry, prev_entry, temp_entry;
1311 vm_eflags_t protoeflags;
1312 vm_inherit_t inheritance;
1314 VM_MAP_ASSERT_LOCKED(map);
1315 KASSERT(object != kernel_object ||
1316 (cow & MAP_COPY_ON_WRITE) == 0,
1317 ("vm_map_insert: kernel object and COW"));
1318 KASSERT(object == NULL || (cow & MAP_NOFAULT) == 0,
1319 ("vm_map_insert: paradoxical MAP_NOFAULT request"));
1320 KASSERT((prot & ~max) == 0,
1321 ("prot %#x is not subset of max_prot %#x", prot, max));
1324 * Check that the start and end points are not bogus.
1326 if (start < vm_map_min(map) || end > vm_map_max(map) ||
1328 return (KERN_INVALID_ADDRESS);
1331 * Find the entry prior to the proposed starting address; if it's part
1332 * of an existing entry, this range is bogus.
1334 if (vm_map_lookup_entry(map, start, &temp_entry))
1335 return (KERN_NO_SPACE);
1337 prev_entry = temp_entry;
1340 * Assert that the next entry doesn't overlap the end point.
1342 if (prev_entry->next->start < end)
1343 return (KERN_NO_SPACE);
1345 if ((cow & MAP_CREATE_GUARD) != 0 && (object != NULL ||
1346 max != VM_PROT_NONE))
1347 return (KERN_INVALID_ARGUMENT);
1350 if (cow & MAP_COPY_ON_WRITE)
1351 protoeflags |= MAP_ENTRY_COW | MAP_ENTRY_NEEDS_COPY;
1352 if (cow & MAP_NOFAULT)
1353 protoeflags |= MAP_ENTRY_NOFAULT;
1354 if (cow & MAP_DISABLE_SYNCER)
1355 protoeflags |= MAP_ENTRY_NOSYNC;
1356 if (cow & MAP_DISABLE_COREDUMP)
1357 protoeflags |= MAP_ENTRY_NOCOREDUMP;
1358 if (cow & MAP_STACK_GROWS_DOWN)
1359 protoeflags |= MAP_ENTRY_GROWS_DOWN;
1360 if (cow & MAP_STACK_GROWS_UP)
1361 protoeflags |= MAP_ENTRY_GROWS_UP;
1362 if (cow & MAP_VN_WRITECOUNT)
1363 protoeflags |= MAP_ENTRY_VN_WRITECNT;
1364 if ((cow & MAP_CREATE_GUARD) != 0)
1365 protoeflags |= MAP_ENTRY_GUARD;
1366 if ((cow & MAP_CREATE_STACK_GAP_DN) != 0)
1367 protoeflags |= MAP_ENTRY_STACK_GAP_DN;
1368 if ((cow & MAP_CREATE_STACK_GAP_UP) != 0)
1369 protoeflags |= MAP_ENTRY_STACK_GAP_UP;
1370 if (cow & MAP_INHERIT_SHARE)
1371 inheritance = VM_INHERIT_SHARE;
1373 inheritance = VM_INHERIT_DEFAULT;
1376 if ((cow & (MAP_ACC_NO_CHARGE | MAP_NOFAULT | MAP_CREATE_GUARD)) != 0)
1378 if ((cow & MAP_ACC_CHARGED) || ((prot & VM_PROT_WRITE) &&
1379 ((protoeflags & MAP_ENTRY_NEEDS_COPY) || object == NULL))) {
1380 if (!(cow & MAP_ACC_CHARGED) && !swap_reserve(end - start))
1381 return (KERN_RESOURCE_SHORTAGE);
1382 KASSERT(object == NULL ||
1383 (protoeflags & MAP_ENTRY_NEEDS_COPY) != 0 ||
1384 object->cred == NULL,
1385 ("overcommit: vm_map_insert o %p", object));
1386 cred = curthread->td_ucred;
1390 /* Expand the kernel pmap, if necessary. */
1391 if (map == kernel_map && end > kernel_vm_end)
1392 pmap_growkernel(end);
1393 if (object != NULL) {
1395 * OBJ_ONEMAPPING must be cleared unless this mapping
1396 * is trivially proven to be the only mapping for any
1397 * of the object's pages. (Object granularity
1398 * reference counting is insufficient to recognize
1399 * aliases with precision.)
1401 VM_OBJECT_WLOCK(object);
1402 if (object->ref_count > 1 || object->shadow_count != 0)
1403 vm_object_clear_flag(object, OBJ_ONEMAPPING);
1404 VM_OBJECT_WUNLOCK(object);
1405 } else if ((prev_entry->eflags & ~MAP_ENTRY_USER_WIRED) ==
1407 (cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) == 0 &&
1408 prev_entry->end == start && (prev_entry->cred == cred ||
1409 (prev_entry->object.vm_object != NULL &&
1410 prev_entry->object.vm_object->cred == cred)) &&
1411 vm_object_coalesce(prev_entry->object.vm_object,
1413 (vm_size_t)(prev_entry->end - prev_entry->start),
1414 (vm_size_t)(end - prev_entry->end), cred != NULL &&
1415 (protoeflags & MAP_ENTRY_NEEDS_COPY) == 0)) {
1417 * We were able to extend the object. Determine if we
1418 * can extend the previous map entry to include the
1419 * new range as well.
1421 if (prev_entry->inheritance == inheritance &&
1422 prev_entry->protection == prot &&
1423 prev_entry->max_protection == max &&
1424 prev_entry->wired_count == 0) {
1425 KASSERT((prev_entry->eflags & MAP_ENTRY_USER_WIRED) ==
1426 0, ("prev_entry %p has incoherent wiring",
1428 if ((prev_entry->eflags & MAP_ENTRY_GUARD) == 0)
1429 map->size += end - prev_entry->end;
1430 prev_entry->end = end;
1431 vm_map_entry_resize_free(map, prev_entry);
1432 vm_map_simplify_entry(map, prev_entry);
1433 return (KERN_SUCCESS);
1437 * If we can extend the object but cannot extend the
1438 * map entry, we have to create a new map entry. We
1439 * must bump the ref count on the extended object to
1440 * account for it. object may be NULL.
1442 object = prev_entry->object.vm_object;
1443 offset = prev_entry->offset +
1444 (prev_entry->end - prev_entry->start);
1445 vm_object_reference(object);
1446 if (cred != NULL && object != NULL && object->cred != NULL &&
1447 !(prev_entry->eflags & MAP_ENTRY_NEEDS_COPY)) {
1448 /* Object already accounts for this uid. */
1456 * Create a new entry
1458 new_entry = vm_map_entry_create(map);
1459 new_entry->start = start;
1460 new_entry->end = end;
1461 new_entry->cred = NULL;
1463 new_entry->eflags = protoeflags;
1464 new_entry->object.vm_object = object;
1465 new_entry->offset = offset;
1467 new_entry->inheritance = inheritance;
1468 new_entry->protection = prot;
1469 new_entry->max_protection = max;
1470 new_entry->wired_count = 0;
1471 new_entry->wiring_thread = NULL;
1472 new_entry->read_ahead = VM_FAULT_READ_AHEAD_INIT;
1473 new_entry->next_read = start;
1475 KASSERT(cred == NULL || !ENTRY_CHARGED(new_entry),
1476 ("overcommit: vm_map_insert leaks vm_map %p", new_entry));
1477 new_entry->cred = cred;
1480 * Insert the new entry into the list
1482 vm_map_entry_link(map, new_entry);
1483 if ((new_entry->eflags & MAP_ENTRY_GUARD) == 0)
1484 map->size += new_entry->end - new_entry->start;
1487 * Try to coalesce the new entry with both the previous and next
1488 * entries in the list. Previously, we only attempted to coalesce
1489 * with the previous entry when object is NULL. Here, we handle the
1490 * other cases, which are less common.
1492 vm_map_simplify_entry(map, new_entry);
1494 if ((cow & (MAP_PREFAULT | MAP_PREFAULT_PARTIAL)) != 0) {
1495 vm_map_pmap_enter(map, start, prot, object, OFF_TO_IDX(offset),
1496 end - start, cow & MAP_PREFAULT_PARTIAL);
1499 return (KERN_SUCCESS);
1505 * Find the first fit (lowest VM address) for "length" free bytes
1506 * beginning at address >= start in the given map.
1508 * In a vm_map_entry, "max_free" is the maximum amount of
1509 * contiguous free space between an entry in its subtree and a
1510 * neighbor of that entry. This allows finding a free region in
1511 * one path down the tree, so O(log n) amortized with splay
1514 * The map must be locked, and leaves it so.
1516 * Returns: starting address if sufficient space,
1517 * vm_map_max(map)-length+1 if insufficient space.
1520 vm_map_findspace(vm_map_t map, vm_offset_t start, vm_size_t length)
1522 vm_map_entry_t llist, rlist, root, y;
1523 vm_size_t left_length;
1526 * Request must fit within min/max VM address and must avoid
1529 start = MAX(start, vm_map_min(map));
1530 if (start + length > vm_map_max(map) || start + length < start)
1531 return (vm_map_max(map) - length + 1);
1533 /* Empty tree means wide open address space. */
1534 if (map->root == NULL)
1538 * After splay, if start comes before root node, then there
1539 * must be a gap from start to the root.
1541 root = vm_map_splay_split(start, length, map->root,
1545 else if (rlist != NULL) {
1551 llist = root->right;
1554 map->root = vm_map_splay_merge(root, llist, rlist,
1555 root->left, root->right);
1556 VM_MAP_ASSERT_CONSISTENT(map);
1557 if (start + length <= root->start)
1561 * Root is the last node that might begin its gap before
1562 * start, and this is the last comparison where address
1563 * wrap might be a problem.
1565 if (root->right == NULL &&
1566 start + length <= vm_map_max(map))
1569 /* With max_free, can immediately tell if no solution. */
1570 if (root->right == NULL || length > root->right->max_free)
1571 return (vm_map_max(map) - length + 1);
1574 * Splay for the least large-enough gap in the right subtree.
1578 for (left_length = 0; ;
1579 left_length = root->left != NULL ?
1580 root->left->max_free : root->start - llist->end) {
1581 if (length <= left_length)
1582 SPLAY_LEFT_STEP(root, y, rlist,
1583 length <= (y->left != NULL ?
1584 y->left->max_free : y->start - llist->end));
1586 SPLAY_RIGHT_STEP(root, y, llist,
1587 length > (y->left != NULL ?
1588 y->left->max_free : y->start - root->end));
1593 llist = root->right;
1594 if ((y = rlist) == NULL)
1599 root->right = y->right;
1601 root = vm_map_splay_merge(root, llist, rlist,
1602 root->left, root->right);
1604 y->right = root->right;
1605 vm_map_entry_set_max_free(y);
1607 vm_map_entry_set_max_free(root);
1610 VM_MAP_ASSERT_CONSISTENT(map);
1615 vm_map_fixed(vm_map_t map, vm_object_t object, vm_ooffset_t offset,
1616 vm_offset_t start, vm_size_t length, vm_prot_t prot,
1617 vm_prot_t max, int cow)
1622 end = start + length;
1623 KASSERT((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) == 0 ||
1625 ("vm_map_fixed: non-NULL backing object for stack"));
1627 VM_MAP_RANGE_CHECK(map, start, end);
1628 if ((cow & MAP_CHECK_EXCL) == 0)
1629 vm_map_delete(map, start, end);
1630 if ((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) != 0) {
1631 result = vm_map_stack_locked(map, start, length, sgrowsiz,
1634 result = vm_map_insert(map, object, offset, start, end,
1641 static const int aslr_pages_rnd_64[2] = {0x1000, 0x10};
1642 static const int aslr_pages_rnd_32[2] = {0x100, 0x4};
1644 static int cluster_anon = 1;
1645 SYSCTL_INT(_vm, OID_AUTO, cluster_anon, CTLFLAG_RW,
1647 "Cluster anonymous mappings: 0 = no, 1 = yes if no hint, 2 = always");
1650 clustering_anon_allowed(vm_offset_t addr)
1653 switch (cluster_anon) {
1664 static long aslr_restarts;
1665 SYSCTL_LONG(_vm, OID_AUTO, aslr_restarts, CTLFLAG_RD,
1667 "Number of aslr failures");
1669 #define MAP_32BIT_MAX_ADDR ((vm_offset_t)1 << 31)
1672 * Searches for the specified amount of free space in the given map with the
1673 * specified alignment. Performs an address-ordered, first-fit search from
1674 * the given address "*addr", with an optional upper bound "max_addr". If the
1675 * parameter "alignment" is zero, then the alignment is computed from the
1676 * given (object, offset) pair so as to enable the greatest possible use of
1677 * superpage mappings. Returns KERN_SUCCESS and the address of the free space
1678 * in "*addr" if successful. Otherwise, returns KERN_NO_SPACE.
1680 * The map must be locked. Initially, there must be at least "length" bytes
1681 * of free space at the given address.
1684 vm_map_alignspace(vm_map_t map, vm_object_t object, vm_ooffset_t offset,
1685 vm_offset_t *addr, vm_size_t length, vm_offset_t max_addr,
1686 vm_offset_t alignment)
1688 vm_offset_t aligned_addr, free_addr;
1690 VM_MAP_ASSERT_LOCKED(map);
1692 KASSERT(free_addr == vm_map_findspace(map, free_addr, length),
1693 ("caller failed to provide space %d at address %p",
1694 (int)length, (void*)free_addr));
1697 * At the start of every iteration, the free space at address
1698 * "*addr" is at least "length" bytes.
1701 pmap_align_superpage(object, offset, addr, length);
1702 else if ((*addr & (alignment - 1)) != 0) {
1703 *addr &= ~(alignment - 1);
1706 aligned_addr = *addr;
1707 if (aligned_addr == free_addr) {
1709 * Alignment did not change "*addr", so "*addr" must
1710 * still provide sufficient free space.
1712 return (KERN_SUCCESS);
1716 * Test for address wrap on "*addr". A wrapped "*addr" could
1717 * be a valid address, in which case vm_map_findspace() cannot
1718 * be relied upon to fail.
1720 if (aligned_addr < free_addr)
1721 return (KERN_NO_SPACE);
1722 *addr = vm_map_findspace(map, aligned_addr, length);
1723 if (*addr + length > vm_map_max(map) ||
1724 (max_addr != 0 && *addr + length > max_addr))
1725 return (KERN_NO_SPACE);
1727 if (free_addr == aligned_addr) {
1729 * If a successful call to vm_map_findspace() did not
1730 * change "*addr", then "*addr" must still be aligned
1731 * and provide sufficient free space.
1733 return (KERN_SUCCESS);
1739 * vm_map_find finds an unallocated region in the target address
1740 * map with the given length. The search is defined to be
1741 * first-fit from the specified address; the region found is
1742 * returned in the same parameter.
1744 * If object is non-NULL, ref count must be bumped by caller
1745 * prior to making call to account for the new entry.
1748 vm_map_find(vm_map_t map, vm_object_t object, vm_ooffset_t offset,
1749 vm_offset_t *addr, /* IN/OUT */
1750 vm_size_t length, vm_offset_t max_addr, int find_space,
1751 vm_prot_t prot, vm_prot_t max, int cow)
1753 vm_offset_t alignment, curr_min_addr, min_addr;
1754 int gap, pidx, rv, try;
1755 bool cluster, en_aslr, update_anon;
1757 KASSERT((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) == 0 ||
1759 ("vm_map_find: non-NULL backing object for stack"));
1760 MPASS((cow & MAP_REMAP) == 0 || (find_space == VMFS_NO_SPACE &&
1761 (cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) == 0));
1762 if (find_space == VMFS_OPTIMAL_SPACE && (object == NULL ||
1763 (object->flags & OBJ_COLORED) == 0))
1764 find_space = VMFS_ANY_SPACE;
1765 if (find_space >> 8 != 0) {
1766 KASSERT((find_space & 0xff) == 0, ("bad VMFS flags"));
1767 alignment = (vm_offset_t)1 << (find_space >> 8);
1770 en_aslr = (map->flags & MAP_ASLR) != 0;
1771 update_anon = cluster = clustering_anon_allowed(*addr) &&
1772 (map->flags & MAP_IS_SUB_MAP) == 0 && max_addr == 0 &&
1773 find_space != VMFS_NO_SPACE && object == NULL &&
1774 (cow & (MAP_INHERIT_SHARE | MAP_STACK_GROWS_UP |
1775 MAP_STACK_GROWS_DOWN)) == 0 && prot != PROT_NONE;
1776 curr_min_addr = min_addr = *addr;
1777 if (en_aslr && min_addr == 0 && !cluster &&
1778 find_space != VMFS_NO_SPACE &&
1779 (map->flags & MAP_ASLR_IGNSTART) != 0)
1780 curr_min_addr = min_addr = vm_map_min(map);
1784 curr_min_addr = map->anon_loc;
1785 if (curr_min_addr == 0)
1788 if (find_space != VMFS_NO_SPACE) {
1789 KASSERT(find_space == VMFS_ANY_SPACE ||
1790 find_space == VMFS_OPTIMAL_SPACE ||
1791 find_space == VMFS_SUPER_SPACE ||
1792 alignment != 0, ("unexpected VMFS flag"));
1795 * When creating an anonymous mapping, try clustering
1796 * with an existing anonymous mapping first.
1798 * We make up to two attempts to find address space
1799 * for a given find_space value. The first attempt may
1800 * apply randomization or may cluster with an existing
1801 * anonymous mapping. If this first attempt fails,
1802 * perform a first-fit search of the available address
1805 * If all tries failed, and find_space is
1806 * VMFS_OPTIMAL_SPACE, fallback to VMFS_ANY_SPACE.
1807 * Again enable clustering and randomization.
1814 * Second try: we failed either to find a
1815 * suitable region for randomizing the
1816 * allocation, or to cluster with an existing
1817 * mapping. Retry with free run.
1819 curr_min_addr = (map->flags & MAP_ASLR_IGNSTART) != 0 ?
1820 vm_map_min(map) : min_addr;
1821 atomic_add_long(&aslr_restarts, 1);
1824 if (try == 1 && en_aslr && !cluster) {
1826 * Find space for allocation, including
1827 * gap needed for later randomization.
1829 pidx = MAXPAGESIZES > 1 && pagesizes[1] != 0 &&
1830 (find_space == VMFS_SUPER_SPACE || find_space ==
1831 VMFS_OPTIMAL_SPACE) ? 1 : 0;
1832 gap = vm_map_max(map) > MAP_32BIT_MAX_ADDR &&
1833 (max_addr == 0 || max_addr > MAP_32BIT_MAX_ADDR) ?
1834 aslr_pages_rnd_64[pidx] : aslr_pages_rnd_32[pidx];
1835 *addr = vm_map_findspace(map, curr_min_addr,
1836 length + gap * pagesizes[pidx]);
1837 if (*addr + length + gap * pagesizes[pidx] >
1840 /* And randomize the start address. */
1841 *addr += (arc4random() % gap) * pagesizes[pidx];
1842 if (max_addr != 0 && *addr + length > max_addr)
1845 *addr = vm_map_findspace(map, curr_min_addr, length);
1846 if (*addr + length > vm_map_max(map) ||
1847 (max_addr != 0 && *addr + length > max_addr)) {
1858 if (find_space != VMFS_ANY_SPACE &&
1859 (rv = vm_map_alignspace(map, object, offset, addr, length,
1860 max_addr, alignment)) != KERN_SUCCESS) {
1861 if (find_space == VMFS_OPTIMAL_SPACE) {
1862 find_space = VMFS_ANY_SPACE;
1863 curr_min_addr = min_addr;
1864 cluster = update_anon;
1870 } else if ((cow & MAP_REMAP) != 0) {
1871 if (*addr < vm_map_min(map) ||
1872 *addr + length > vm_map_max(map) ||
1873 *addr + length <= length) {
1874 rv = KERN_INVALID_ADDRESS;
1877 vm_map_delete(map, *addr, *addr + length);
1879 if ((cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP)) != 0) {
1880 rv = vm_map_stack_locked(map, *addr, length, sgrowsiz, prot,
1883 rv = vm_map_insert(map, object, offset, *addr, *addr + length,
1886 if (rv == KERN_SUCCESS && update_anon)
1887 map->anon_loc = *addr + length;
1894 * vm_map_find_min() is a variant of vm_map_find() that takes an
1895 * additional parameter (min_addr) and treats the given address
1896 * (*addr) differently. Specifically, it treats *addr as a hint
1897 * and not as the minimum address where the mapping is created.
1899 * This function works in two phases. First, it tries to
1900 * allocate above the hint. If that fails and the hint is
1901 * greater than min_addr, it performs a second pass, replacing
1902 * the hint with min_addr as the minimum address for the
1906 vm_map_find_min(vm_map_t map, vm_object_t object, vm_ooffset_t offset,
1907 vm_offset_t *addr, vm_size_t length, vm_offset_t min_addr,
1908 vm_offset_t max_addr, int find_space, vm_prot_t prot, vm_prot_t max,
1916 rv = vm_map_find(map, object, offset, addr, length, max_addr,
1917 find_space, prot, max, cow);
1918 if (rv == KERN_SUCCESS || min_addr >= hint)
1920 *addr = hint = min_addr;
1925 * A map entry with any of the following flags set must not be merged with
1928 #define MAP_ENTRY_NOMERGE_MASK (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP | \
1929 MAP_ENTRY_IN_TRANSITION | MAP_ENTRY_IS_SUB_MAP)
1932 vm_map_mergeable_neighbors(vm_map_entry_t prev, vm_map_entry_t entry)
1935 KASSERT((prev->eflags & MAP_ENTRY_NOMERGE_MASK) == 0 ||
1936 (entry->eflags & MAP_ENTRY_NOMERGE_MASK) == 0,
1937 ("vm_map_mergeable_neighbors: neither %p nor %p are mergeable",
1939 return (prev->end == entry->start &&
1940 prev->object.vm_object == entry->object.vm_object &&
1941 (prev->object.vm_object == NULL ||
1942 prev->offset + (prev->end - prev->start) == entry->offset) &&
1943 prev->eflags == entry->eflags &&
1944 prev->protection == entry->protection &&
1945 prev->max_protection == entry->max_protection &&
1946 prev->inheritance == entry->inheritance &&
1947 prev->wired_count == entry->wired_count &&
1948 prev->cred == entry->cred);
1952 vm_map_merged_neighbor_dispose(vm_map_t map, vm_map_entry_t entry)
1956 * If the backing object is a vnode object, vm_object_deallocate()
1957 * calls vrele(). However, vrele() does not lock the vnode because
1958 * the vnode has additional references. Thus, the map lock can be
1959 * kept without causing a lock-order reversal with the vnode lock.
1961 * Since we count the number of virtual page mappings in
1962 * object->un_pager.vnp.writemappings, the writemappings value
1963 * should not be adjusted when the entry is disposed of.
1965 if (entry->object.vm_object != NULL)
1966 vm_object_deallocate(entry->object.vm_object);
1967 if (entry->cred != NULL)
1968 crfree(entry->cred);
1969 vm_map_entry_dispose(map, entry);
1973 * vm_map_simplify_entry:
1975 * Simplify the given map entry by merging with either neighbor. This
1976 * routine also has the ability to merge with both neighbors.
1978 * The map must be locked.
1980 * This routine guarantees that the passed entry remains valid (though
1981 * possibly extended). When merging, this routine may delete one or
1985 vm_map_simplify_entry(vm_map_t map, vm_map_entry_t entry)
1987 vm_map_entry_t next, prev;
1989 if ((entry->eflags & MAP_ENTRY_NOMERGE_MASK) != 0)
1992 if (vm_map_mergeable_neighbors(prev, entry)) {
1993 vm_map_entry_unlink(map, prev, UNLINK_MERGE_NEXT);
1994 vm_map_merged_neighbor_dispose(map, prev);
1997 if (vm_map_mergeable_neighbors(entry, next)) {
1998 vm_map_entry_unlink(map, next, UNLINK_MERGE_PREV);
1999 vm_map_merged_neighbor_dispose(map, next);
2004 * vm_map_clip_start: [ internal use only ]
2006 * Asserts that the given entry begins at or after
2007 * the specified address; if necessary,
2008 * it splits the entry into two.
2010 #define vm_map_clip_start(map, entry, startaddr) \
2012 if (startaddr > entry->start) \
2013 _vm_map_clip_start(map, entry, startaddr); \
2017 * This routine is called only when it is known that
2018 * the entry must be split.
2021 _vm_map_clip_start(vm_map_t map, vm_map_entry_t entry, vm_offset_t start)
2023 vm_map_entry_t new_entry;
2025 VM_MAP_ASSERT_LOCKED(map);
2026 KASSERT(entry->end > start && entry->start < start,
2027 ("_vm_map_clip_start: invalid clip of entry %p", entry));
2030 * Split off the front portion -- note that we must insert the new
2031 * entry BEFORE this one, so that this entry has the specified
2034 vm_map_simplify_entry(map, entry);
2037 * If there is no object backing this entry, we might as well create
2038 * one now. If we defer it, an object can get created after the map
2039 * is clipped, and individual objects will be created for the split-up
2040 * map. This is a bit of a hack, but is also about the best place to
2041 * put this improvement.
2043 if (entry->object.vm_object == NULL && !map->system_map &&
2044 (entry->eflags & MAP_ENTRY_GUARD) == 0) {
2046 object = vm_object_allocate(OBJT_DEFAULT,
2047 atop(entry->end - entry->start));
2048 entry->object.vm_object = object;
2050 if (entry->cred != NULL) {
2051 object->cred = entry->cred;
2052 object->charge = entry->end - entry->start;
2055 } else if (entry->object.vm_object != NULL &&
2056 ((entry->eflags & MAP_ENTRY_NEEDS_COPY) == 0) &&
2057 entry->cred != NULL) {
2058 VM_OBJECT_WLOCK(entry->object.vm_object);
2059 KASSERT(entry->object.vm_object->cred == NULL,
2060 ("OVERCOMMIT: vm_entry_clip_start: both cred e %p", entry));
2061 entry->object.vm_object->cred = entry->cred;
2062 entry->object.vm_object->charge = entry->end - entry->start;
2063 VM_OBJECT_WUNLOCK(entry->object.vm_object);
2067 new_entry = vm_map_entry_create(map);
2068 *new_entry = *entry;
2070 new_entry->end = start;
2071 entry->offset += (start - entry->start);
2072 entry->start = start;
2073 if (new_entry->cred != NULL)
2074 crhold(entry->cred);
2076 vm_map_entry_link(map, new_entry);
2078 if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0) {
2079 vm_object_reference(new_entry->object.vm_object);
2081 * The object->un_pager.vnp.writemappings for the
2082 * object of MAP_ENTRY_VN_WRITECNT type entry shall be
2083 * kept as is here. The virtual pages are
2084 * re-distributed among the clipped entries, so the sum is
2091 * vm_map_clip_end: [ internal use only ]
2093 * Asserts that the given entry ends at or before
2094 * the specified address; if necessary,
2095 * it splits the entry into two.
2097 #define vm_map_clip_end(map, entry, endaddr) \
2099 if ((endaddr) < (entry->end)) \
2100 _vm_map_clip_end((map), (entry), (endaddr)); \
2104 * This routine is called only when it is known that
2105 * the entry must be split.
2108 _vm_map_clip_end(vm_map_t map, vm_map_entry_t entry, vm_offset_t end)
2110 vm_map_entry_t new_entry;
2112 VM_MAP_ASSERT_LOCKED(map);
2113 KASSERT(entry->start < end && entry->end > end,
2114 ("_vm_map_clip_end: invalid clip of entry %p", entry));
2117 * If there is no object backing this entry, we might as well create
2118 * one now. If we defer it, an object can get created after the map
2119 * is clipped, and individual objects will be created for the split-up
2120 * map. This is a bit of a hack, but is also about the best place to
2121 * put this improvement.
2123 if (entry->object.vm_object == NULL && !map->system_map &&
2124 (entry->eflags & MAP_ENTRY_GUARD) == 0) {
2126 object = vm_object_allocate(OBJT_DEFAULT,
2127 atop(entry->end - entry->start));
2128 entry->object.vm_object = object;
2130 if (entry->cred != NULL) {
2131 object->cred = entry->cred;
2132 object->charge = entry->end - entry->start;
2135 } else if (entry->object.vm_object != NULL &&
2136 ((entry->eflags & MAP_ENTRY_NEEDS_COPY) == 0) &&
2137 entry->cred != NULL) {
2138 VM_OBJECT_WLOCK(entry->object.vm_object);
2139 KASSERT(entry->object.vm_object->cred == NULL,
2140 ("OVERCOMMIT: vm_entry_clip_end: both cred e %p", entry));
2141 entry->object.vm_object->cred = entry->cred;
2142 entry->object.vm_object->charge = entry->end - entry->start;
2143 VM_OBJECT_WUNLOCK(entry->object.vm_object);
2148 * Create a new entry and insert it AFTER the specified entry
2150 new_entry = vm_map_entry_create(map);
2151 *new_entry = *entry;
2153 new_entry->start = entry->end = end;
2154 new_entry->offset += (end - entry->start);
2155 if (new_entry->cred != NULL)
2156 crhold(entry->cred);
2158 vm_map_entry_link(map, new_entry);
2160 if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0) {
2161 vm_object_reference(new_entry->object.vm_object);
2166 * vm_map_submap: [ kernel use only ]
2168 * Mark the given range as handled by a subordinate map.
2170 * This range must have been created with vm_map_find,
2171 * and no other operations may have been performed on this
2172 * range prior to calling vm_map_submap.
2174 * Only a limited number of operations can be performed
2175 * within this rage after calling vm_map_submap:
2177 * [Don't try vm_map_copy!]
2179 * To remove a submapping, one must first remove the
2180 * range from the superior map, and then destroy the
2181 * submap (if desired). [Better yet, don't try it.]
2190 vm_map_entry_t entry;
2193 result = KERN_INVALID_ARGUMENT;
2195 vm_map_lock(submap);
2196 submap->flags |= MAP_IS_SUB_MAP;
2197 vm_map_unlock(submap);
2201 VM_MAP_RANGE_CHECK(map, start, end);
2203 if (vm_map_lookup_entry(map, start, &entry)) {
2204 vm_map_clip_start(map, entry, start);
2206 entry = entry->next;
2208 vm_map_clip_end(map, entry, end);
2210 if ((entry->start == start) && (entry->end == end) &&
2211 ((entry->eflags & MAP_ENTRY_COW) == 0) &&
2212 (entry->object.vm_object == NULL)) {
2213 entry->object.sub_map = submap;
2214 entry->eflags |= MAP_ENTRY_IS_SUB_MAP;
2215 result = KERN_SUCCESS;
2219 if (result != KERN_SUCCESS) {
2220 vm_map_lock(submap);
2221 submap->flags &= ~MAP_IS_SUB_MAP;
2222 vm_map_unlock(submap);
2228 * The maximum number of pages to map if MAP_PREFAULT_PARTIAL is specified
2230 #define MAX_INIT_PT 96
2233 * vm_map_pmap_enter:
2235 * Preload the specified map's pmap with mappings to the specified
2236 * object's memory-resident pages. No further physical pages are
2237 * allocated, and no further virtual pages are retrieved from secondary
2238 * storage. If the specified flags include MAP_PREFAULT_PARTIAL, then a
2239 * limited number of page mappings are created at the low-end of the
2240 * specified address range. (For this purpose, a superpage mapping
2241 * counts as one page mapping.) Otherwise, all resident pages within
2242 * the specified address range are mapped.
2245 vm_map_pmap_enter(vm_map_t map, vm_offset_t addr, vm_prot_t prot,
2246 vm_object_t object, vm_pindex_t pindex, vm_size_t size, int flags)
2249 vm_page_t p, p_start;
2250 vm_pindex_t mask, psize, threshold, tmpidx;
2252 if ((prot & (VM_PROT_READ | VM_PROT_EXECUTE)) == 0 || object == NULL)
2254 VM_OBJECT_RLOCK(object);
2255 if (object->type == OBJT_DEVICE || object->type == OBJT_SG) {
2256 VM_OBJECT_RUNLOCK(object);
2257 VM_OBJECT_WLOCK(object);
2258 if (object->type == OBJT_DEVICE || object->type == OBJT_SG) {
2259 pmap_object_init_pt(map->pmap, addr, object, pindex,
2261 VM_OBJECT_WUNLOCK(object);
2264 VM_OBJECT_LOCK_DOWNGRADE(object);
2268 if (psize + pindex > object->size) {
2269 if (object->size < pindex) {
2270 VM_OBJECT_RUNLOCK(object);
2273 psize = object->size - pindex;
2278 threshold = MAX_INIT_PT;
2280 p = vm_page_find_least(object, pindex);
2282 * Assert: the variable p is either (1) the page with the
2283 * least pindex greater than or equal to the parameter pindex
2287 p != NULL && (tmpidx = p->pindex - pindex) < psize;
2288 p = TAILQ_NEXT(p, listq)) {
2290 * don't allow an madvise to blow away our really
2291 * free pages allocating pv entries.
2293 if (((flags & MAP_PREFAULT_MADVISE) != 0 &&
2294 vm_page_count_severe()) ||
2295 ((flags & MAP_PREFAULT_PARTIAL) != 0 &&
2296 tmpidx >= threshold)) {
2300 if (p->valid == VM_PAGE_BITS_ALL) {
2301 if (p_start == NULL) {
2302 start = addr + ptoa(tmpidx);
2305 /* Jump ahead if a superpage mapping is possible. */
2306 if (p->psind > 0 && ((addr + ptoa(tmpidx)) &
2307 (pagesizes[p->psind] - 1)) == 0) {
2308 mask = atop(pagesizes[p->psind]) - 1;
2309 if (tmpidx + mask < psize &&
2310 vm_page_ps_test(p, PS_ALL_VALID, NULL)) {
2315 } else if (p_start != NULL) {
2316 pmap_enter_object(map->pmap, start, addr +
2317 ptoa(tmpidx), p_start, prot);
2321 if (p_start != NULL)
2322 pmap_enter_object(map->pmap, start, addr + ptoa(psize),
2324 VM_OBJECT_RUNLOCK(object);
2330 * Sets the protection of the specified address
2331 * region in the target map. If "set_max" is
2332 * specified, the maximum protection is to be set;
2333 * otherwise, only the current protection is affected.
2336 vm_map_protect(vm_map_t map, vm_offset_t start, vm_offset_t end,
2337 vm_prot_t new_prot, boolean_t set_max)
2339 vm_map_entry_t current, entry;
2345 return (KERN_SUCCESS);
2350 * Ensure that we are not concurrently wiring pages. vm_map_wire() may
2351 * need to fault pages into the map and will drop the map lock while
2352 * doing so, and the VM object may end up in an inconsistent state if we
2353 * update the protection on the map entry in between faults.
2355 vm_map_wait_busy(map);
2357 VM_MAP_RANGE_CHECK(map, start, end);
2359 if (vm_map_lookup_entry(map, start, &entry)) {
2360 vm_map_clip_start(map, entry, start);
2362 entry = entry->next;
2366 * Make a first pass to check for protection violations.
2368 for (current = entry; current->start < end; current = current->next) {
2369 if ((current->eflags & MAP_ENTRY_GUARD) != 0)
2371 if (current->eflags & MAP_ENTRY_IS_SUB_MAP) {
2373 return (KERN_INVALID_ARGUMENT);
2375 if ((new_prot & current->max_protection) != new_prot) {
2377 return (KERN_PROTECTION_FAILURE);
2382 * Do an accounting pass for private read-only mappings that
2383 * now will do cow due to allowed write (e.g. debugger sets
2384 * breakpoint on text segment)
2386 for (current = entry; current->start < end; current = current->next) {
2388 vm_map_clip_end(map, current, end);
2391 ((new_prot & ~(current->protection)) & VM_PROT_WRITE) == 0 ||
2392 ENTRY_CHARGED(current) ||
2393 (current->eflags & MAP_ENTRY_GUARD) != 0) {
2397 cred = curthread->td_ucred;
2398 obj = current->object.vm_object;
2400 if (obj == NULL || (current->eflags & MAP_ENTRY_NEEDS_COPY)) {
2401 if (!swap_reserve(current->end - current->start)) {
2403 return (KERN_RESOURCE_SHORTAGE);
2406 current->cred = cred;
2410 VM_OBJECT_WLOCK(obj);
2411 if (obj->type != OBJT_DEFAULT && obj->type != OBJT_SWAP) {
2412 VM_OBJECT_WUNLOCK(obj);
2417 * Charge for the whole object allocation now, since
2418 * we cannot distinguish between non-charged and
2419 * charged clipped mapping of the same object later.
2421 KASSERT(obj->charge == 0,
2422 ("vm_map_protect: object %p overcharged (entry %p)",
2424 if (!swap_reserve(ptoa(obj->size))) {
2425 VM_OBJECT_WUNLOCK(obj);
2427 return (KERN_RESOURCE_SHORTAGE);
2432 obj->charge = ptoa(obj->size);
2433 VM_OBJECT_WUNLOCK(obj);
2437 * Go back and fix up protections. [Note that clipping is not
2438 * necessary the second time.]
2440 for (current = entry; current->start < end; current = current->next) {
2441 if ((current->eflags & MAP_ENTRY_GUARD) != 0)
2444 old_prot = current->protection;
2447 current->protection =
2448 (current->max_protection = new_prot) &
2451 current->protection = new_prot;
2454 * For user wired map entries, the normal lazy evaluation of
2455 * write access upgrades through soft page faults is
2456 * undesirable. Instead, immediately copy any pages that are
2457 * copy-on-write and enable write access in the physical map.
2459 if ((current->eflags & MAP_ENTRY_USER_WIRED) != 0 &&
2460 (current->protection & VM_PROT_WRITE) != 0 &&
2461 (old_prot & VM_PROT_WRITE) == 0)
2462 vm_fault_copy_entry(map, map, current, current, NULL);
2465 * When restricting access, update the physical map. Worry
2466 * about copy-on-write here.
2468 if ((old_prot & ~current->protection) != 0) {
2469 #define MASK(entry) (((entry)->eflags & MAP_ENTRY_COW) ? ~VM_PROT_WRITE : \
2471 pmap_protect(map->pmap, current->start,
2473 current->protection & MASK(current));
2476 vm_map_simplify_entry(map, current);
2479 return (KERN_SUCCESS);
2485 * This routine traverses a processes map handling the madvise
2486 * system call. Advisories are classified as either those effecting
2487 * the vm_map_entry structure, or those effecting the underlying
2497 vm_map_entry_t current, entry;
2501 * Some madvise calls directly modify the vm_map_entry, in which case
2502 * we need to use an exclusive lock on the map and we need to perform
2503 * various clipping operations. Otherwise we only need a read-lock
2508 case MADV_SEQUENTIAL:
2525 vm_map_lock_read(map);
2532 * Locate starting entry and clip if necessary.
2534 VM_MAP_RANGE_CHECK(map, start, end);
2536 if (vm_map_lookup_entry(map, start, &entry)) {
2538 vm_map_clip_start(map, entry, start);
2540 entry = entry->next;
2545 * madvise behaviors that are implemented in the vm_map_entry.
2547 * We clip the vm_map_entry so that behavioral changes are
2548 * limited to the specified address range.
2550 for (current = entry; current->start < end;
2551 current = current->next) {
2552 if (current->eflags & MAP_ENTRY_IS_SUB_MAP)
2555 vm_map_clip_end(map, current, end);
2559 vm_map_entry_set_behavior(current, MAP_ENTRY_BEHAV_NORMAL);
2561 case MADV_SEQUENTIAL:
2562 vm_map_entry_set_behavior(current, MAP_ENTRY_BEHAV_SEQUENTIAL);
2565 vm_map_entry_set_behavior(current, MAP_ENTRY_BEHAV_RANDOM);
2568 current->eflags |= MAP_ENTRY_NOSYNC;
2571 current->eflags &= ~MAP_ENTRY_NOSYNC;
2574 current->eflags |= MAP_ENTRY_NOCOREDUMP;
2577 current->eflags &= ~MAP_ENTRY_NOCOREDUMP;
2582 vm_map_simplify_entry(map, current);
2586 vm_pindex_t pstart, pend;
2589 * madvise behaviors that are implemented in the underlying
2592 * Since we don't clip the vm_map_entry, we have to clip
2593 * the vm_object pindex and count.
2595 for (current = entry; current->start < end;
2596 current = current->next) {
2597 vm_offset_t useEnd, useStart;
2599 if (current->eflags & MAP_ENTRY_IS_SUB_MAP)
2602 pstart = OFF_TO_IDX(current->offset);
2603 pend = pstart + atop(current->end - current->start);
2604 useStart = current->start;
2605 useEnd = current->end;
2607 if (current->start < start) {
2608 pstart += atop(start - current->start);
2611 if (current->end > end) {
2612 pend -= atop(current->end - end);
2620 * Perform the pmap_advise() before clearing
2621 * PGA_REFERENCED in vm_page_advise(). Otherwise, a
2622 * concurrent pmap operation, such as pmap_remove(),
2623 * could clear a reference in the pmap and set
2624 * PGA_REFERENCED on the page before the pmap_advise()
2625 * had completed. Consequently, the page would appear
2626 * referenced based upon an old reference that
2627 * occurred before this pmap_advise() ran.
2629 if (behav == MADV_DONTNEED || behav == MADV_FREE)
2630 pmap_advise(map->pmap, useStart, useEnd,
2633 vm_object_madvise(current->object.vm_object, pstart,
2637 * Pre-populate paging structures in the
2638 * WILLNEED case. For wired entries, the
2639 * paging structures are already populated.
2641 if (behav == MADV_WILLNEED &&
2642 current->wired_count == 0) {
2643 vm_map_pmap_enter(map,
2645 current->protection,
2646 current->object.vm_object,
2648 ptoa(pend - pstart),
2649 MAP_PREFAULT_MADVISE
2653 vm_map_unlock_read(map);
2662 * Sets the inheritance of the specified address
2663 * range in the target map. Inheritance
2664 * affects how the map will be shared with
2665 * child maps at the time of vmspace_fork.
2668 vm_map_inherit(vm_map_t map, vm_offset_t start, vm_offset_t end,
2669 vm_inherit_t new_inheritance)
2671 vm_map_entry_t entry;
2672 vm_map_entry_t temp_entry;
2674 switch (new_inheritance) {
2675 case VM_INHERIT_NONE:
2676 case VM_INHERIT_COPY:
2677 case VM_INHERIT_SHARE:
2678 case VM_INHERIT_ZERO:
2681 return (KERN_INVALID_ARGUMENT);
2684 return (KERN_SUCCESS);
2686 VM_MAP_RANGE_CHECK(map, start, end);
2687 if (vm_map_lookup_entry(map, start, &temp_entry)) {
2689 vm_map_clip_start(map, entry, start);
2691 entry = temp_entry->next;
2692 while (entry->start < end) {
2693 vm_map_clip_end(map, entry, end);
2694 if ((entry->eflags & MAP_ENTRY_GUARD) == 0 ||
2695 new_inheritance != VM_INHERIT_ZERO)
2696 entry->inheritance = new_inheritance;
2697 vm_map_simplify_entry(map, entry);
2698 entry = entry->next;
2701 return (KERN_SUCCESS);
2707 * Implements both kernel and user unwiring.
2710 vm_map_unwire(vm_map_t map, vm_offset_t start, vm_offset_t end,
2713 vm_map_entry_t entry, first_entry, tmp_entry;
2714 vm_offset_t saved_start;
2715 unsigned int last_timestamp;
2717 boolean_t need_wakeup, result, user_unwire;
2720 return (KERN_SUCCESS);
2721 user_unwire = (flags & VM_MAP_WIRE_USER) ? TRUE : FALSE;
2723 VM_MAP_RANGE_CHECK(map, start, end);
2724 if (!vm_map_lookup_entry(map, start, &first_entry)) {
2725 if (flags & VM_MAP_WIRE_HOLESOK)
2726 first_entry = first_entry->next;
2729 return (KERN_INVALID_ADDRESS);
2732 last_timestamp = map->timestamp;
2733 entry = first_entry;
2734 while (entry->start < end) {
2735 if (entry->eflags & MAP_ENTRY_IN_TRANSITION) {
2737 * We have not yet clipped the entry.
2739 saved_start = (start >= entry->start) ? start :
2741 entry->eflags |= MAP_ENTRY_NEEDS_WAKEUP;
2742 if (vm_map_unlock_and_wait(map, 0)) {
2744 * Allow interruption of user unwiring?
2748 if (last_timestamp+1 != map->timestamp) {
2750 * Look again for the entry because the map was
2751 * modified while it was unlocked.
2752 * Specifically, the entry may have been
2753 * clipped, merged, or deleted.
2755 if (!vm_map_lookup_entry(map, saved_start,
2757 if (flags & VM_MAP_WIRE_HOLESOK)
2758 tmp_entry = tmp_entry->next;
2760 if (saved_start == start) {
2762 * First_entry has been deleted.
2765 return (KERN_INVALID_ADDRESS);
2768 rv = KERN_INVALID_ADDRESS;
2772 if (entry == first_entry)
2773 first_entry = tmp_entry;
2778 last_timestamp = map->timestamp;
2781 vm_map_clip_start(map, entry, start);
2782 vm_map_clip_end(map, entry, end);
2784 * Mark the entry in case the map lock is released. (See
2787 KASSERT((entry->eflags & MAP_ENTRY_IN_TRANSITION) == 0 &&
2788 entry->wiring_thread == NULL,
2789 ("owned map entry %p", entry));
2790 entry->eflags |= MAP_ENTRY_IN_TRANSITION;
2791 entry->wiring_thread = curthread;
2793 * Check the map for holes in the specified region.
2794 * If VM_MAP_WIRE_HOLESOK was specified, skip this check.
2796 if (((flags & VM_MAP_WIRE_HOLESOK) == 0) &&
2797 (entry->end < end && entry->next->start > entry->end)) {
2799 rv = KERN_INVALID_ADDRESS;
2803 * If system unwiring, require that the entry is system wired.
2806 vm_map_entry_system_wired_count(entry) == 0) {
2808 rv = KERN_INVALID_ARGUMENT;
2811 entry = entry->next;
2815 need_wakeup = FALSE;
2816 if (first_entry == NULL) {
2817 result = vm_map_lookup_entry(map, start, &first_entry);
2818 if (!result && (flags & VM_MAP_WIRE_HOLESOK))
2819 first_entry = first_entry->next;
2821 KASSERT(result, ("vm_map_unwire: lookup failed"));
2823 for (entry = first_entry; entry->start < end; entry = entry->next) {
2825 * If VM_MAP_WIRE_HOLESOK was specified, an empty
2826 * space in the unwired region could have been mapped
2827 * while the map lock was dropped for draining
2828 * MAP_ENTRY_IN_TRANSITION. Moreover, another thread
2829 * could be simultaneously wiring this new mapping
2830 * entry. Detect these cases and skip any entries
2831 * marked as in transition by us.
2833 if ((entry->eflags & MAP_ENTRY_IN_TRANSITION) == 0 ||
2834 entry->wiring_thread != curthread) {
2835 KASSERT((flags & VM_MAP_WIRE_HOLESOK) != 0,
2836 ("vm_map_unwire: !HOLESOK and new/changed entry"));
2840 if (rv == KERN_SUCCESS && (!user_unwire ||
2841 (entry->eflags & MAP_ENTRY_USER_WIRED))) {
2843 entry->eflags &= ~MAP_ENTRY_USER_WIRED;
2844 if (entry->wired_count == 1)
2845 vm_map_entry_unwire(map, entry);
2847 entry->wired_count--;
2849 KASSERT((entry->eflags & MAP_ENTRY_IN_TRANSITION) != 0,
2850 ("vm_map_unwire: in-transition flag missing %p", entry));
2851 KASSERT(entry->wiring_thread == curthread,
2852 ("vm_map_unwire: alien wire %p", entry));
2853 entry->eflags &= ~MAP_ENTRY_IN_TRANSITION;
2854 entry->wiring_thread = NULL;
2855 if (entry->eflags & MAP_ENTRY_NEEDS_WAKEUP) {
2856 entry->eflags &= ~MAP_ENTRY_NEEDS_WAKEUP;
2859 vm_map_simplify_entry(map, entry);
2868 * vm_map_wire_entry_failure:
2870 * Handle a wiring failure on the given entry.
2872 * The map should be locked.
2875 vm_map_wire_entry_failure(vm_map_t map, vm_map_entry_t entry,
2876 vm_offset_t failed_addr)
2879 VM_MAP_ASSERT_LOCKED(map);
2880 KASSERT((entry->eflags & MAP_ENTRY_IN_TRANSITION) != 0 &&
2881 entry->wired_count == 1,
2882 ("vm_map_wire_entry_failure: entry %p isn't being wired", entry));
2883 KASSERT(failed_addr < entry->end,
2884 ("vm_map_wire_entry_failure: entry %p was fully wired", entry));
2887 * If any pages at the start of this entry were successfully wired,
2890 if (failed_addr > entry->start) {
2891 pmap_unwire(map->pmap, entry->start, failed_addr);
2892 vm_object_unwire(entry->object.vm_object, entry->offset,
2893 failed_addr - entry->start, PQ_ACTIVE);
2897 * Assign an out-of-range value to represent the failure to wire this
2900 entry->wired_count = -1;
2906 * Implements both kernel and user wiring.
2909 vm_map_wire(vm_map_t map, vm_offset_t start, vm_offset_t end,
2912 vm_map_entry_t entry, first_entry, tmp_entry;
2913 vm_offset_t faddr, saved_end, saved_start;
2914 unsigned int last_timestamp;
2916 boolean_t need_wakeup, result, user_wire;
2920 return (KERN_SUCCESS);
2922 if (flags & VM_MAP_WIRE_WRITE)
2923 prot |= VM_PROT_WRITE;
2924 user_wire = (flags & VM_MAP_WIRE_USER) ? TRUE : FALSE;
2926 VM_MAP_RANGE_CHECK(map, start, end);
2927 if (!vm_map_lookup_entry(map, start, &first_entry)) {
2928 if (flags & VM_MAP_WIRE_HOLESOK)
2929 first_entry = first_entry->next;
2932 return (KERN_INVALID_ADDRESS);
2935 last_timestamp = map->timestamp;
2936 entry = first_entry;
2937 while (entry->start < end) {
2938 if (entry->eflags & MAP_ENTRY_IN_TRANSITION) {
2940 * We have not yet clipped the entry.
2942 saved_start = (start >= entry->start) ? start :
2944 entry->eflags |= MAP_ENTRY_NEEDS_WAKEUP;
2945 if (vm_map_unlock_and_wait(map, 0)) {
2947 * Allow interruption of user wiring?
2951 if (last_timestamp + 1 != map->timestamp) {
2953 * Look again for the entry because the map was
2954 * modified while it was unlocked.
2955 * Specifically, the entry may have been
2956 * clipped, merged, or deleted.
2958 if (!vm_map_lookup_entry(map, saved_start,
2960 if (flags & VM_MAP_WIRE_HOLESOK)
2961 tmp_entry = tmp_entry->next;
2963 if (saved_start == start) {
2965 * first_entry has been deleted.
2968 return (KERN_INVALID_ADDRESS);
2971 rv = KERN_INVALID_ADDRESS;
2975 if (entry == first_entry)
2976 first_entry = tmp_entry;
2981 last_timestamp = map->timestamp;
2984 vm_map_clip_start(map, entry, start);
2985 vm_map_clip_end(map, entry, end);
2987 * Mark the entry in case the map lock is released. (See
2990 KASSERT((entry->eflags & MAP_ENTRY_IN_TRANSITION) == 0 &&
2991 entry->wiring_thread == NULL,
2992 ("owned map entry %p", entry));
2993 entry->eflags |= MAP_ENTRY_IN_TRANSITION;
2994 entry->wiring_thread = curthread;
2995 if ((entry->protection & (VM_PROT_READ | VM_PROT_EXECUTE)) == 0
2996 || (entry->protection & prot) != prot) {
2997 entry->eflags |= MAP_ENTRY_WIRE_SKIPPED;
2998 if ((flags & VM_MAP_WIRE_HOLESOK) == 0) {
3000 rv = KERN_INVALID_ADDRESS;
3005 if (entry->wired_count == 0) {
3006 entry->wired_count++;
3007 saved_start = entry->start;
3008 saved_end = entry->end;
3011 * Release the map lock, relying on the in-transition
3012 * mark. Mark the map busy for fork.
3017 faddr = saved_start;
3020 * Simulate a fault to get the page and enter
3021 * it into the physical map.
3023 if ((rv = vm_fault(map, faddr, VM_PROT_NONE,
3024 VM_FAULT_WIRE)) != KERN_SUCCESS)
3026 } while ((faddr += PAGE_SIZE) < saved_end);
3029 if (last_timestamp + 1 != map->timestamp) {
3031 * Look again for the entry because the map was
3032 * modified while it was unlocked. The entry
3033 * may have been clipped, but NOT merged or
3036 result = vm_map_lookup_entry(map, saved_start,
3038 KASSERT(result, ("vm_map_wire: lookup failed"));
3039 if (entry == first_entry)
3040 first_entry = tmp_entry;
3044 while (entry->end < saved_end) {
3046 * In case of failure, handle entries
3047 * that were not fully wired here;
3048 * fully wired entries are handled
3051 if (rv != KERN_SUCCESS &&
3053 vm_map_wire_entry_failure(map,
3055 entry = entry->next;
3058 last_timestamp = map->timestamp;
3059 if (rv != KERN_SUCCESS) {
3060 vm_map_wire_entry_failure(map, entry, faddr);
3064 } else if (!user_wire ||
3065 (entry->eflags & MAP_ENTRY_USER_WIRED) == 0) {
3066 entry->wired_count++;
3069 * Check the map for holes in the specified region.
3070 * If VM_MAP_WIRE_HOLESOK was specified, skip this check.
3073 if ((flags & VM_MAP_WIRE_HOLESOK) == 0 &&
3074 entry->end < end && entry->next->start > entry->end) {
3076 rv = KERN_INVALID_ADDRESS;
3079 entry = entry->next;
3083 need_wakeup = FALSE;
3084 if (first_entry == NULL) {
3085 result = vm_map_lookup_entry(map, start, &first_entry);
3086 if (!result && (flags & VM_MAP_WIRE_HOLESOK))
3087 first_entry = first_entry->next;
3089 KASSERT(result, ("vm_map_wire: lookup failed"));
3091 for (entry = first_entry; entry->start < end; entry = entry->next) {
3093 * If VM_MAP_WIRE_HOLESOK was specified, an empty
3094 * space in the unwired region could have been mapped
3095 * while the map lock was dropped for faulting in the
3096 * pages or draining MAP_ENTRY_IN_TRANSITION.
3097 * Moreover, another thread could be simultaneously
3098 * wiring this new mapping entry. Detect these cases
3099 * and skip any entries marked as in transition not by us.
3101 if ((entry->eflags & MAP_ENTRY_IN_TRANSITION) == 0 ||
3102 entry->wiring_thread != curthread) {
3103 KASSERT((flags & VM_MAP_WIRE_HOLESOK) != 0,
3104 ("vm_map_wire: !HOLESOK and new/changed entry"));
3108 if ((entry->eflags & MAP_ENTRY_WIRE_SKIPPED) != 0)
3109 goto next_entry_done;
3111 if (rv == KERN_SUCCESS) {
3113 entry->eflags |= MAP_ENTRY_USER_WIRED;
3114 } else if (entry->wired_count == -1) {
3116 * Wiring failed on this entry. Thus, unwiring is
3119 entry->wired_count = 0;
3120 } else if (!user_wire ||
3121 (entry->eflags & MAP_ENTRY_USER_WIRED) == 0) {
3123 * Undo the wiring. Wiring succeeded on this entry
3124 * but failed on a later entry.
3126 if (entry->wired_count == 1)
3127 vm_map_entry_unwire(map, entry);
3129 entry->wired_count--;
3132 KASSERT((entry->eflags & MAP_ENTRY_IN_TRANSITION) != 0,
3133 ("vm_map_wire: in-transition flag missing %p", entry));
3134 KASSERT(entry->wiring_thread == curthread,
3135 ("vm_map_wire: alien wire %p", entry));
3136 entry->eflags &= ~(MAP_ENTRY_IN_TRANSITION |
3137 MAP_ENTRY_WIRE_SKIPPED);
3138 entry->wiring_thread = NULL;
3139 if (entry->eflags & MAP_ENTRY_NEEDS_WAKEUP) {
3140 entry->eflags &= ~MAP_ENTRY_NEEDS_WAKEUP;
3143 vm_map_simplify_entry(map, entry);
3154 * Push any dirty cached pages in the address range to their pager.
3155 * If syncio is TRUE, dirty pages are written synchronously.
3156 * If invalidate is TRUE, any cached pages are freed as well.
3158 * If the size of the region from start to end is zero, we are
3159 * supposed to flush all modified pages within the region containing
3160 * start. Unfortunately, a region can be split or coalesced with
3161 * neighboring regions, making it difficult to determine what the
3162 * original region was. Therefore, we approximate this requirement by
3163 * flushing the current region containing start.
3165 * Returns an error if any part of the specified range is not mapped.
3173 boolean_t invalidate)
3175 vm_map_entry_t current;
3176 vm_map_entry_t entry;
3179 vm_ooffset_t offset;
3180 unsigned int last_timestamp;
3183 vm_map_lock_read(map);
3184 VM_MAP_RANGE_CHECK(map, start, end);
3185 if (!vm_map_lookup_entry(map, start, &entry)) {
3186 vm_map_unlock_read(map);
3187 return (KERN_INVALID_ADDRESS);
3188 } else if (start == end) {
3189 start = entry->start;
3193 * Make a first pass to check for user-wired memory and holes.
3195 for (current = entry; current->start < end; current = current->next) {
3196 if (invalidate && (current->eflags & MAP_ENTRY_USER_WIRED)) {
3197 vm_map_unlock_read(map);
3198 return (KERN_INVALID_ARGUMENT);
3200 if (end > current->end &&
3201 current->end != current->next->start) {
3202 vm_map_unlock_read(map);
3203 return (KERN_INVALID_ADDRESS);
3208 pmap_remove(map->pmap, start, end);
3212 * Make a second pass, cleaning/uncaching pages from the indicated
3215 for (current = entry; current->start < end;) {
3216 offset = current->offset + (start - current->start);
3217 size = (end <= current->end ? end : current->end) - start;
3218 if (current->eflags & MAP_ENTRY_IS_SUB_MAP) {
3220 vm_map_entry_t tentry;
3223 smap = current->object.sub_map;
3224 vm_map_lock_read(smap);
3225 (void) vm_map_lookup_entry(smap, offset, &tentry);
3226 tsize = tentry->end - offset;
3229 object = tentry->object.vm_object;
3230 offset = tentry->offset + (offset - tentry->start);
3231 vm_map_unlock_read(smap);
3233 object = current->object.vm_object;
3235 vm_object_reference(object);
3236 last_timestamp = map->timestamp;
3237 vm_map_unlock_read(map);
3238 if (!vm_object_sync(object, offset, size, syncio, invalidate))
3241 vm_object_deallocate(object);
3242 vm_map_lock_read(map);
3243 if (last_timestamp == map->timestamp ||
3244 !vm_map_lookup_entry(map, start, ¤t))
3245 current = current->next;
3248 vm_map_unlock_read(map);
3249 return (failed ? KERN_FAILURE : KERN_SUCCESS);
3253 * vm_map_entry_unwire: [ internal use only ]
3255 * Make the region specified by this entry pageable.
3257 * The map in question should be locked.
3258 * [This is the reason for this routine's existence.]
3261 vm_map_entry_unwire(vm_map_t map, vm_map_entry_t entry)
3264 VM_MAP_ASSERT_LOCKED(map);
3265 KASSERT(entry->wired_count > 0,
3266 ("vm_map_entry_unwire: entry %p isn't wired", entry));
3267 pmap_unwire(map->pmap, entry->start, entry->end);
3268 vm_object_unwire(entry->object.vm_object, entry->offset, entry->end -
3269 entry->start, PQ_ACTIVE);
3270 entry->wired_count = 0;
3274 vm_map_entry_deallocate(vm_map_entry_t entry, boolean_t system_map)
3277 if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0)
3278 vm_object_deallocate(entry->object.vm_object);
3279 uma_zfree(system_map ? kmapentzone : mapentzone, entry);
3283 * vm_map_entry_delete: [ internal use only ]
3285 * Deallocate the given entry from the target map.
3288 vm_map_entry_delete(vm_map_t map, vm_map_entry_t entry)
3291 vm_pindex_t offidxstart, offidxend, count, size1;
3294 vm_map_entry_unlink(map, entry, UNLINK_MERGE_NONE);
3295 object = entry->object.vm_object;
3297 if ((entry->eflags & MAP_ENTRY_GUARD) != 0) {
3298 MPASS(entry->cred == NULL);
3299 MPASS((entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0);
3300 MPASS(object == NULL);
3301 vm_map_entry_deallocate(entry, map->system_map);
3305 size = entry->end - entry->start;
3308 if (entry->cred != NULL) {
3309 swap_release_by_cred(size, entry->cred);
3310 crfree(entry->cred);
3313 if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0 &&
3315 KASSERT(entry->cred == NULL || object->cred == NULL ||
3316 (entry->eflags & MAP_ENTRY_NEEDS_COPY),
3317 ("OVERCOMMIT vm_map_entry_delete: both cred %p", entry));
3319 offidxstart = OFF_TO_IDX(entry->offset);
3320 offidxend = offidxstart + count;
3321 VM_OBJECT_WLOCK(object);
3322 if (object->ref_count != 1 && ((object->flags & (OBJ_NOSPLIT |
3323 OBJ_ONEMAPPING)) == OBJ_ONEMAPPING ||
3324 object == kernel_object)) {
3325 vm_object_collapse(object);
3328 * The option OBJPR_NOTMAPPED can be passed here
3329 * because vm_map_delete() already performed
3330 * pmap_remove() on the only mapping to this range
3333 vm_object_page_remove(object, offidxstart, offidxend,
3335 if (object->type == OBJT_SWAP)
3336 swap_pager_freespace(object, offidxstart,
3338 if (offidxend >= object->size &&
3339 offidxstart < object->size) {
3340 size1 = object->size;
3341 object->size = offidxstart;
3342 if (object->cred != NULL) {
3343 size1 -= object->size;
3344 KASSERT(object->charge >= ptoa(size1),
3345 ("object %p charge < 0", object));
3346 swap_release_by_cred(ptoa(size1),
3348 object->charge -= ptoa(size1);
3352 VM_OBJECT_WUNLOCK(object);
3354 entry->object.vm_object = NULL;
3355 if (map->system_map)
3356 vm_map_entry_deallocate(entry, TRUE);
3358 entry->next = curthread->td_map_def_user;
3359 curthread->td_map_def_user = entry;
3364 * vm_map_delete: [ internal use only ]
3366 * Deallocates the given address range from the target
3370 vm_map_delete(vm_map_t map, vm_offset_t start, vm_offset_t end)
3372 vm_map_entry_t entry;
3373 vm_map_entry_t first_entry;
3375 VM_MAP_ASSERT_LOCKED(map);
3377 return (KERN_SUCCESS);
3380 * Find the start of the region, and clip it
3382 if (!vm_map_lookup_entry(map, start, &first_entry))
3383 entry = first_entry->next;
3385 entry = first_entry;
3386 vm_map_clip_start(map, entry, start);
3390 * Step through all entries in this region
3392 while (entry->start < end) {
3393 vm_map_entry_t next;
3396 * Wait for wiring or unwiring of an entry to complete.
3397 * Also wait for any system wirings to disappear on
3400 if ((entry->eflags & MAP_ENTRY_IN_TRANSITION) != 0 ||
3401 (vm_map_pmap(map) != kernel_pmap &&
3402 vm_map_entry_system_wired_count(entry) != 0)) {
3403 unsigned int last_timestamp;
3404 vm_offset_t saved_start;
3405 vm_map_entry_t tmp_entry;
3407 saved_start = entry->start;
3408 entry->eflags |= MAP_ENTRY_NEEDS_WAKEUP;
3409 last_timestamp = map->timestamp;
3410 (void) vm_map_unlock_and_wait(map, 0);
3412 if (last_timestamp + 1 != map->timestamp) {
3414 * Look again for the entry because the map was
3415 * modified while it was unlocked.
3416 * Specifically, the entry may have been
3417 * clipped, merged, or deleted.
3419 if (!vm_map_lookup_entry(map, saved_start,
3421 entry = tmp_entry->next;
3424 vm_map_clip_start(map, entry,
3430 vm_map_clip_end(map, entry, end);
3435 * Unwire before removing addresses from the pmap; otherwise,
3436 * unwiring will put the entries back in the pmap.
3438 if (entry->wired_count != 0)
3439 vm_map_entry_unwire(map, entry);
3442 * Remove mappings for the pages, but only if the
3443 * mappings could exist. For instance, it does not
3444 * make sense to call pmap_remove() for guard entries.
3446 if ((entry->eflags & MAP_ENTRY_IS_SUB_MAP) != 0 ||
3447 entry->object.vm_object != NULL)
3448 pmap_remove(map->pmap, entry->start, entry->end);
3450 if (entry->end == map->anon_loc)
3451 map->anon_loc = entry->start;
3454 * Delete the entry only after removing all pmap
3455 * entries pointing to its pages. (Otherwise, its
3456 * page frames may be reallocated, and any modify bits
3457 * will be set in the wrong object!)
3459 vm_map_entry_delete(map, entry);
3462 return (KERN_SUCCESS);
3468 * Remove the given address range from the target map.
3469 * This is the exported form of vm_map_delete.
3472 vm_map_remove(vm_map_t map, vm_offset_t start, vm_offset_t end)
3477 VM_MAP_RANGE_CHECK(map, start, end);
3478 result = vm_map_delete(map, start, end);
3484 * vm_map_check_protection:
3486 * Assert that the target map allows the specified privilege on the
3487 * entire address region given. The entire region must be allocated.
3489 * WARNING! This code does not and should not check whether the
3490 * contents of the region is accessible. For example a smaller file
3491 * might be mapped into a larger address space.
3493 * NOTE! This code is also called by munmap().
3495 * The map must be locked. A read lock is sufficient.
3498 vm_map_check_protection(vm_map_t map, vm_offset_t start, vm_offset_t end,
3499 vm_prot_t protection)
3501 vm_map_entry_t entry;
3502 vm_map_entry_t tmp_entry;
3504 if (!vm_map_lookup_entry(map, start, &tmp_entry))
3508 while (start < end) {
3512 if (start < entry->start)
3515 * Check protection associated with entry.
3517 if ((entry->protection & protection) != protection)
3519 /* go to next entry */
3521 entry = entry->next;
3527 * vm_map_copy_entry:
3529 * Copies the contents of the source entry to the destination
3530 * entry. The entries *must* be aligned properly.
3536 vm_map_entry_t src_entry,
3537 vm_map_entry_t dst_entry,
3538 vm_ooffset_t *fork_charge)
3540 vm_object_t src_object;
3541 vm_map_entry_t fake_entry;
3546 VM_MAP_ASSERT_LOCKED(dst_map);
3548 if ((dst_entry->eflags|src_entry->eflags) & MAP_ENTRY_IS_SUB_MAP)
3551 if (src_entry->wired_count == 0 ||
3552 (src_entry->protection & VM_PROT_WRITE) == 0) {
3554 * If the source entry is marked needs_copy, it is already
3557 if ((src_entry->eflags & MAP_ENTRY_NEEDS_COPY) == 0 &&
3558 (src_entry->protection & VM_PROT_WRITE) != 0) {
3559 pmap_protect(src_map->pmap,
3562 src_entry->protection & ~VM_PROT_WRITE);
3566 * Make a copy of the object.
3568 size = src_entry->end - src_entry->start;
3569 if ((src_object = src_entry->object.vm_object) != NULL) {
3570 VM_OBJECT_WLOCK(src_object);
3571 charged = ENTRY_CHARGED(src_entry);
3572 if (src_object->handle == NULL &&
3573 (src_object->type == OBJT_DEFAULT ||
3574 src_object->type == OBJT_SWAP)) {
3575 vm_object_collapse(src_object);
3576 if ((src_object->flags & (OBJ_NOSPLIT |
3577 OBJ_ONEMAPPING)) == OBJ_ONEMAPPING) {
3578 vm_object_split(src_entry);
3580 src_entry->object.vm_object;
3583 vm_object_reference_locked(src_object);
3584 vm_object_clear_flag(src_object, OBJ_ONEMAPPING);
3585 if (src_entry->cred != NULL &&
3586 !(src_entry->eflags & MAP_ENTRY_NEEDS_COPY)) {
3587 KASSERT(src_object->cred == NULL,
3588 ("OVERCOMMIT: vm_map_copy_entry: cred %p",
3590 src_object->cred = src_entry->cred;
3591 src_object->charge = size;
3593 VM_OBJECT_WUNLOCK(src_object);
3594 dst_entry->object.vm_object = src_object;
3596 cred = curthread->td_ucred;
3598 dst_entry->cred = cred;
3599 *fork_charge += size;
3600 if (!(src_entry->eflags &
3601 MAP_ENTRY_NEEDS_COPY)) {
3603 src_entry->cred = cred;
3604 *fork_charge += size;
3607 src_entry->eflags |= MAP_ENTRY_COW |
3608 MAP_ENTRY_NEEDS_COPY;
3609 dst_entry->eflags |= MAP_ENTRY_COW |
3610 MAP_ENTRY_NEEDS_COPY;
3611 dst_entry->offset = src_entry->offset;
3612 if (src_entry->eflags & MAP_ENTRY_VN_WRITECNT) {
3614 * MAP_ENTRY_VN_WRITECNT cannot
3615 * indicate write reference from
3616 * src_entry, since the entry is
3617 * marked as needs copy. Allocate a
3618 * fake entry that is used to
3619 * decrement object->un_pager.vnp.writecount
3620 * at the appropriate time. Attach
3621 * fake_entry to the deferred list.
3623 fake_entry = vm_map_entry_create(dst_map);
3624 fake_entry->eflags = MAP_ENTRY_VN_WRITECNT;
3625 src_entry->eflags &= ~MAP_ENTRY_VN_WRITECNT;
3626 vm_object_reference(src_object);
3627 fake_entry->object.vm_object = src_object;
3628 fake_entry->start = src_entry->start;
3629 fake_entry->end = src_entry->end;
3630 fake_entry->next = curthread->td_map_def_user;
3631 curthread->td_map_def_user = fake_entry;
3634 pmap_copy(dst_map->pmap, src_map->pmap,
3635 dst_entry->start, dst_entry->end - dst_entry->start,
3638 dst_entry->object.vm_object = NULL;
3639 dst_entry->offset = 0;
3640 if (src_entry->cred != NULL) {
3641 dst_entry->cred = curthread->td_ucred;
3642 crhold(dst_entry->cred);
3643 *fork_charge += size;
3648 * We don't want to make writeable wired pages copy-on-write.
3649 * Immediately copy these pages into the new map by simulating
3650 * page faults. The new pages are pageable.
3652 vm_fault_copy_entry(dst_map, src_map, dst_entry, src_entry,
3658 * vmspace_map_entry_forked:
3659 * Update the newly-forked vmspace each time a map entry is inherited
3660 * or copied. The values for vm_dsize and vm_tsize are approximate
3661 * (and mostly-obsolete ideas in the face of mmap(2) et al.)
3664 vmspace_map_entry_forked(const struct vmspace *vm1, struct vmspace *vm2,
3665 vm_map_entry_t entry)
3667 vm_size_t entrysize;
3670 if ((entry->eflags & MAP_ENTRY_GUARD) != 0)
3672 entrysize = entry->end - entry->start;
3673 vm2->vm_map.size += entrysize;
3674 if (entry->eflags & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) {
3675 vm2->vm_ssize += btoc(entrysize);
3676 } else if (entry->start >= (vm_offset_t)vm1->vm_daddr &&
3677 entry->start < (vm_offset_t)vm1->vm_daddr + ctob(vm1->vm_dsize)) {
3678 newend = MIN(entry->end,
3679 (vm_offset_t)vm1->vm_daddr + ctob(vm1->vm_dsize));
3680 vm2->vm_dsize += btoc(newend - entry->start);
3681 } else if (entry->start >= (vm_offset_t)vm1->vm_taddr &&
3682 entry->start < (vm_offset_t)vm1->vm_taddr + ctob(vm1->vm_tsize)) {
3683 newend = MIN(entry->end,
3684 (vm_offset_t)vm1->vm_taddr + ctob(vm1->vm_tsize));
3685 vm2->vm_tsize += btoc(newend - entry->start);
3691 * Create a new process vmspace structure and vm_map
3692 * based on those of an existing process. The new map
3693 * is based on the old map, according to the inheritance
3694 * values on the regions in that map.
3696 * XXX It might be worth coalescing the entries added to the new vmspace.
3698 * The source map must not be locked.
3701 vmspace_fork(struct vmspace *vm1, vm_ooffset_t *fork_charge)
3703 struct vmspace *vm2;
3704 vm_map_t new_map, old_map;
3705 vm_map_entry_t new_entry, old_entry;
3710 old_map = &vm1->vm_map;
3711 /* Copy immutable fields of vm1 to vm2. */
3712 vm2 = vmspace_alloc(vm_map_min(old_map), vm_map_max(old_map),
3717 vm2->vm_taddr = vm1->vm_taddr;
3718 vm2->vm_daddr = vm1->vm_daddr;
3719 vm2->vm_maxsaddr = vm1->vm_maxsaddr;
3720 vm_map_lock(old_map);
3722 vm_map_wait_busy(old_map);
3723 new_map = &vm2->vm_map;
3724 locked = vm_map_trylock(new_map); /* trylock to silence WITNESS */
3725 KASSERT(locked, ("vmspace_fork: lock failed"));
3727 error = pmap_vmspace_copy(new_map->pmap, old_map->pmap);
3729 sx_xunlock(&old_map->lock);
3730 sx_xunlock(&new_map->lock);
3731 vm_map_process_deferred();
3736 new_map->anon_loc = old_map->anon_loc;
3738 old_entry = old_map->header.next;
3740 while (old_entry != &old_map->header) {
3741 if (old_entry->eflags & MAP_ENTRY_IS_SUB_MAP)
3742 panic("vm_map_fork: encountered a submap");
3744 inh = old_entry->inheritance;
3745 if ((old_entry->eflags & MAP_ENTRY_GUARD) != 0 &&
3746 inh != VM_INHERIT_NONE)
3747 inh = VM_INHERIT_COPY;
3750 case VM_INHERIT_NONE:
3753 case VM_INHERIT_SHARE:
3755 * Clone the entry, creating the shared object if necessary.
3757 object = old_entry->object.vm_object;
3758 if (object == NULL) {
3759 object = vm_object_allocate(OBJT_DEFAULT,
3760 atop(old_entry->end - old_entry->start));
3761 old_entry->object.vm_object = object;
3762 old_entry->offset = 0;
3763 if (old_entry->cred != NULL) {
3764 object->cred = old_entry->cred;
3765 object->charge = old_entry->end -
3767 old_entry->cred = NULL;
3772 * Add the reference before calling vm_object_shadow
3773 * to insure that a shadow object is created.
3775 vm_object_reference(object);
3776 if (old_entry->eflags & MAP_ENTRY_NEEDS_COPY) {
3777 vm_object_shadow(&old_entry->object.vm_object,
3779 old_entry->end - old_entry->start);
3780 old_entry->eflags &= ~MAP_ENTRY_NEEDS_COPY;
3781 /* Transfer the second reference too. */
3782 vm_object_reference(
3783 old_entry->object.vm_object);
3786 * As in vm_map_simplify_entry(), the
3787 * vnode lock will not be acquired in
3788 * this call to vm_object_deallocate().
3790 vm_object_deallocate(object);
3791 object = old_entry->object.vm_object;
3793 VM_OBJECT_WLOCK(object);
3794 vm_object_clear_flag(object, OBJ_ONEMAPPING);
3795 if (old_entry->cred != NULL) {
3796 KASSERT(object->cred == NULL, ("vmspace_fork both cred"));
3797 object->cred = old_entry->cred;
3798 object->charge = old_entry->end - old_entry->start;
3799 old_entry->cred = NULL;
3803 * Assert the correct state of the vnode
3804 * v_writecount while the object is locked, to
3805 * not relock it later for the assertion
3808 if (old_entry->eflags & MAP_ENTRY_VN_WRITECNT &&
3809 object->type == OBJT_VNODE) {
3810 KASSERT(((struct vnode *)object->handle)->
3812 ("vmspace_fork: v_writecount %p", object));
3813 KASSERT(object->un_pager.vnp.writemappings > 0,
3814 ("vmspace_fork: vnp.writecount %p",
3817 VM_OBJECT_WUNLOCK(object);
3820 * Clone the entry, referencing the shared object.
3822 new_entry = vm_map_entry_create(new_map);
3823 *new_entry = *old_entry;
3824 new_entry->eflags &= ~(MAP_ENTRY_USER_WIRED |
3825 MAP_ENTRY_IN_TRANSITION);
3826 new_entry->wiring_thread = NULL;
3827 new_entry->wired_count = 0;
3828 if (new_entry->eflags & MAP_ENTRY_VN_WRITECNT) {
3829 vnode_pager_update_writecount(object,
3830 new_entry->start, new_entry->end);
3834 * Insert the entry into the new map -- we know we're
3835 * inserting at the end of the new map.
3837 vm_map_entry_link(new_map, new_entry);
3838 vmspace_map_entry_forked(vm1, vm2, new_entry);
3841 * Update the physical map
3843 pmap_copy(new_map->pmap, old_map->pmap,
3845 (old_entry->end - old_entry->start),
3849 case VM_INHERIT_COPY:
3851 * Clone the entry and link into the map.
3853 new_entry = vm_map_entry_create(new_map);
3854 *new_entry = *old_entry;
3856 * Copied entry is COW over the old object.
3858 new_entry->eflags &= ~(MAP_ENTRY_USER_WIRED |
3859 MAP_ENTRY_IN_TRANSITION | MAP_ENTRY_VN_WRITECNT);
3860 new_entry->wiring_thread = NULL;
3861 new_entry->wired_count = 0;
3862 new_entry->object.vm_object = NULL;
3863 new_entry->cred = NULL;
3864 vm_map_entry_link(new_map, new_entry);
3865 vmspace_map_entry_forked(vm1, vm2, new_entry);
3866 vm_map_copy_entry(old_map, new_map, old_entry,
3867 new_entry, fork_charge);
3870 case VM_INHERIT_ZERO:
3872 * Create a new anonymous mapping entry modelled from
3875 new_entry = vm_map_entry_create(new_map);
3876 memset(new_entry, 0, sizeof(*new_entry));
3878 new_entry->start = old_entry->start;
3879 new_entry->end = old_entry->end;
3880 new_entry->eflags = old_entry->eflags &
3881 ~(MAP_ENTRY_USER_WIRED | MAP_ENTRY_IN_TRANSITION |
3882 MAP_ENTRY_VN_WRITECNT);
3883 new_entry->protection = old_entry->protection;
3884 new_entry->max_protection = old_entry->max_protection;
3885 new_entry->inheritance = VM_INHERIT_ZERO;
3887 vm_map_entry_link(new_map, new_entry);
3888 vmspace_map_entry_forked(vm1, vm2, new_entry);
3890 new_entry->cred = curthread->td_ucred;
3891 crhold(new_entry->cred);
3892 *fork_charge += (new_entry->end - new_entry->start);
3896 old_entry = old_entry->next;
3899 * Use inlined vm_map_unlock() to postpone handling the deferred
3900 * map entries, which cannot be done until both old_map and
3901 * new_map locks are released.
3903 sx_xunlock(&old_map->lock);
3904 sx_xunlock(&new_map->lock);
3905 vm_map_process_deferred();
3911 * Create a process's stack for exec_new_vmspace(). This function is never
3912 * asked to wire the newly created stack.
3915 vm_map_stack(vm_map_t map, vm_offset_t addrbos, vm_size_t max_ssize,
3916 vm_prot_t prot, vm_prot_t max, int cow)
3918 vm_size_t growsize, init_ssize;
3922 MPASS((map->flags & MAP_WIREFUTURE) == 0);
3923 growsize = sgrowsiz;
3924 init_ssize = (max_ssize < growsize) ? max_ssize : growsize;
3926 vmemlim = lim_cur(curthread, RLIMIT_VMEM);
3927 /* If we would blow our VMEM resource limit, no go */
3928 if (map->size + init_ssize > vmemlim) {
3932 rv = vm_map_stack_locked(map, addrbos, max_ssize, growsize, prot,
3939 static int stack_guard_page = 1;
3940 SYSCTL_INT(_security_bsd, OID_AUTO, stack_guard_page, CTLFLAG_RWTUN,
3941 &stack_guard_page, 0,
3942 "Specifies the number of guard pages for a stack that grows");
3945 vm_map_stack_locked(vm_map_t map, vm_offset_t addrbos, vm_size_t max_ssize,
3946 vm_size_t growsize, vm_prot_t prot, vm_prot_t max, int cow)
3948 vm_map_entry_t new_entry, prev_entry;
3949 vm_offset_t bot, gap_bot, gap_top, top;
3950 vm_size_t init_ssize, sgp;
3954 * The stack orientation is piggybacked with the cow argument.
3955 * Extract it into orient and mask the cow argument so that we
3956 * don't pass it around further.
3958 orient = cow & (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP);
3959 KASSERT(orient != 0, ("No stack grow direction"));
3960 KASSERT(orient != (MAP_STACK_GROWS_DOWN | MAP_STACK_GROWS_UP),
3963 if (addrbos < vm_map_min(map) ||
3964 addrbos + max_ssize > vm_map_max(map) ||
3965 addrbos + max_ssize <= addrbos)
3966 return (KERN_INVALID_ADDRESS);
3967 sgp = (vm_size_t)stack_guard_page * PAGE_SIZE;
3968 if (sgp >= max_ssize)
3969 return (KERN_INVALID_ARGUMENT);
3971 init_ssize = growsize;
3972 if (max_ssize < init_ssize + sgp)
3973 init_ssize = max_ssize - sgp;
3975 /* If addr is already mapped, no go */
3976 if (vm_map_lookup_entry(map, addrbos, &prev_entry))
3977 return (KERN_NO_SPACE);
3980 * If we can't accommodate max_ssize in the current mapping, no go.
3982 if (prev_entry->next->start < addrbos + max_ssize)
3983 return (KERN_NO_SPACE);
3986 * We initially map a stack of only init_ssize. We will grow as
3987 * needed later. Depending on the orientation of the stack (i.e.
3988 * the grow direction) we either map at the top of the range, the
3989 * bottom of the range or in the middle.
3991 * Note: we would normally expect prot and max to be VM_PROT_ALL,
3992 * and cow to be 0. Possibly we should eliminate these as input
3993 * parameters, and just pass these values here in the insert call.
3995 if (orient == MAP_STACK_GROWS_DOWN) {
3996 bot = addrbos + max_ssize - init_ssize;
3997 top = bot + init_ssize;
4000 } else /* if (orient == MAP_STACK_GROWS_UP) */ {
4002 top = bot + init_ssize;
4004 gap_top = addrbos + max_ssize;
4006 rv = vm_map_insert(map, NULL, 0, bot, top, prot, max, cow);
4007 if (rv != KERN_SUCCESS)
4009 new_entry = prev_entry->next;
4010 KASSERT(new_entry->end == top || new_entry->start == bot,
4011 ("Bad entry start/end for new stack entry"));
4012 KASSERT((orient & MAP_STACK_GROWS_DOWN) == 0 ||
4013 (new_entry->eflags & MAP_ENTRY_GROWS_DOWN) != 0,
4014 ("new entry lacks MAP_ENTRY_GROWS_DOWN"));
4015 KASSERT((orient & MAP_STACK_GROWS_UP) == 0 ||
4016 (new_entry->eflags & MAP_ENTRY_GROWS_UP) != 0,
4017 ("new entry lacks MAP_ENTRY_GROWS_UP"));
4018 rv = vm_map_insert(map, NULL, 0, gap_bot, gap_top, VM_PROT_NONE,
4019 VM_PROT_NONE, MAP_CREATE_GUARD | (orient == MAP_STACK_GROWS_DOWN ?
4020 MAP_CREATE_STACK_GAP_DN : MAP_CREATE_STACK_GAP_UP));
4021 if (rv != KERN_SUCCESS)
4022 (void)vm_map_delete(map, bot, top);
4027 * Attempts to grow a vm stack entry. Returns KERN_SUCCESS if we
4028 * successfully grow the stack.
4031 vm_map_growstack(vm_map_t map, vm_offset_t addr, vm_map_entry_t gap_entry)
4033 vm_map_entry_t stack_entry;
4037 vm_offset_t gap_end, gap_start, grow_start;
4038 size_t grow_amount, guard, max_grow;
4039 rlim_t lmemlim, stacklim, vmemlim;
4041 bool gap_deleted, grow_down, is_procstack;
4053 * Disallow stack growth when the access is performed by a
4054 * debugger or AIO daemon. The reason is that the wrong
4055 * resource limits are applied.
4057 if (map != &p->p_vmspace->vm_map || p->p_textvp == NULL)
4058 return (KERN_FAILURE);
4060 MPASS(!map->system_map);
4062 guard = stack_guard_page * PAGE_SIZE;
4063 lmemlim = lim_cur(curthread, RLIMIT_MEMLOCK);
4064 stacklim = lim_cur(curthread, RLIMIT_STACK);
4065 vmemlim = lim_cur(curthread, RLIMIT_VMEM);
4067 /* If addr is not in a hole for a stack grow area, no need to grow. */
4068 if (gap_entry == NULL && !vm_map_lookup_entry(map, addr, &gap_entry))
4069 return (KERN_FAILURE);
4070 if ((gap_entry->eflags & MAP_ENTRY_GUARD) == 0)
4071 return (KERN_SUCCESS);
4072 if ((gap_entry->eflags & MAP_ENTRY_STACK_GAP_DN) != 0) {
4073 stack_entry = gap_entry->next;
4074 if ((stack_entry->eflags & MAP_ENTRY_GROWS_DOWN) == 0 ||
4075 stack_entry->start != gap_entry->end)
4076 return (KERN_FAILURE);
4077 grow_amount = round_page(stack_entry->start - addr);
4079 } else if ((gap_entry->eflags & MAP_ENTRY_STACK_GAP_UP) != 0) {
4080 stack_entry = gap_entry->prev;
4081 if ((stack_entry->eflags & MAP_ENTRY_GROWS_UP) == 0 ||
4082 stack_entry->end != gap_entry->start)
4083 return (KERN_FAILURE);
4084 grow_amount = round_page(addr + 1 - stack_entry->end);
4087 return (KERN_FAILURE);
4089 max_grow = gap_entry->end - gap_entry->start;
4090 if (guard > max_grow)
4091 return (KERN_NO_SPACE);
4093 if (grow_amount > max_grow)
4094 return (KERN_NO_SPACE);
4097 * If this is the main process stack, see if we're over the stack
4100 is_procstack = addr >= (vm_offset_t)vm->vm_maxsaddr &&
4101 addr < (vm_offset_t)p->p_sysent->sv_usrstack;
4102 if (is_procstack && (ctob(vm->vm_ssize) + grow_amount > stacklim))
4103 return (KERN_NO_SPACE);
4108 if (is_procstack && racct_set(p, RACCT_STACK,
4109 ctob(vm->vm_ssize) + grow_amount)) {
4111 return (KERN_NO_SPACE);
4117 grow_amount = roundup(grow_amount, sgrowsiz);
4118 if (grow_amount > max_grow)
4119 grow_amount = max_grow;
4120 if (is_procstack && (ctob(vm->vm_ssize) + grow_amount > stacklim)) {
4121 grow_amount = trunc_page((vm_size_t)stacklim) -
4127 limit = racct_get_available(p, RACCT_STACK);
4129 if (is_procstack && (ctob(vm->vm_ssize) + grow_amount > limit))
4130 grow_amount = limit - ctob(vm->vm_ssize);
4133 if (!old_mlock && (map->flags & MAP_WIREFUTURE) != 0) {
4134 if (ptoa(pmap_wired_count(map->pmap)) + grow_amount > lmemlim) {
4141 if (racct_set(p, RACCT_MEMLOCK,
4142 ptoa(pmap_wired_count(map->pmap)) + grow_amount)) {
4152 /* If we would blow our VMEM resource limit, no go */
4153 if (map->size + grow_amount > vmemlim) {
4160 if (racct_set(p, RACCT_VMEM, map->size + grow_amount)) {
4169 if (vm_map_lock_upgrade(map)) {
4171 vm_map_lock_read(map);
4176 grow_start = gap_entry->end - grow_amount;
4177 if (gap_entry->start + grow_amount == gap_entry->end) {
4178 gap_start = gap_entry->start;
4179 gap_end = gap_entry->end;
4180 vm_map_entry_delete(map, gap_entry);
4183 MPASS(gap_entry->start < gap_entry->end - grow_amount);
4184 gap_entry->end -= grow_amount;
4185 vm_map_entry_resize_free(map, gap_entry);
4186 gap_deleted = false;
4188 rv = vm_map_insert(map, NULL, 0, grow_start,
4189 grow_start + grow_amount,
4190 stack_entry->protection, stack_entry->max_protection,
4191 MAP_STACK_GROWS_DOWN);
4192 if (rv != KERN_SUCCESS) {
4194 rv1 = vm_map_insert(map, NULL, 0, gap_start,
4195 gap_end, VM_PROT_NONE, VM_PROT_NONE,
4196 MAP_CREATE_GUARD | MAP_CREATE_STACK_GAP_DN);
4197 MPASS(rv1 == KERN_SUCCESS);
4199 gap_entry->end += grow_amount;
4200 vm_map_entry_resize_free(map, gap_entry);
4204 grow_start = stack_entry->end;
4205 cred = stack_entry->cred;
4206 if (cred == NULL && stack_entry->object.vm_object != NULL)
4207 cred = stack_entry->object.vm_object->cred;
4208 if (cred != NULL && !swap_reserve_by_cred(grow_amount, cred))
4210 /* Grow the underlying object if applicable. */
4211 else if (stack_entry->object.vm_object == NULL ||
4212 vm_object_coalesce(stack_entry->object.vm_object,
4213 stack_entry->offset,
4214 (vm_size_t)(stack_entry->end - stack_entry->start),
4215 (vm_size_t)grow_amount, cred != NULL)) {
4216 if (gap_entry->start + grow_amount == gap_entry->end)
4217 vm_map_entry_delete(map, gap_entry);
4219 gap_entry->start += grow_amount;
4220 stack_entry->end += grow_amount;
4221 map->size += grow_amount;
4222 vm_map_entry_resize_free(map, stack_entry);
4227 if (rv == KERN_SUCCESS && is_procstack)
4228 vm->vm_ssize += btoc(grow_amount);
4231 * Heed the MAP_WIREFUTURE flag if it was set for this process.
4233 if (rv == KERN_SUCCESS && (map->flags & MAP_WIREFUTURE) != 0) {
4235 vm_map_wire(map, grow_start, grow_start + grow_amount,
4236 VM_MAP_WIRE_USER | VM_MAP_WIRE_NOHOLES);
4237 vm_map_lock_read(map);
4239 vm_map_lock_downgrade(map);
4243 if (racct_enable && rv != KERN_SUCCESS) {
4245 error = racct_set(p, RACCT_VMEM, map->size);
4246 KASSERT(error == 0, ("decreasing RACCT_VMEM failed"));
4248 error = racct_set(p, RACCT_MEMLOCK,
4249 ptoa(pmap_wired_count(map->pmap)));
4250 KASSERT(error == 0, ("decreasing RACCT_MEMLOCK failed"));
4252 error = racct_set(p, RACCT_STACK, ctob(vm->vm_ssize));
4253 KASSERT(error == 0, ("decreasing RACCT_STACK failed"));
4262 * Unshare the specified VM space for exec. If other processes are
4263 * mapped to it, then create a new one. The new vmspace is null.
4266 vmspace_exec(struct proc *p, vm_offset_t minuser, vm_offset_t maxuser)
4268 struct vmspace *oldvmspace = p->p_vmspace;
4269 struct vmspace *newvmspace;
4271 KASSERT((curthread->td_pflags & TDP_EXECVMSPC) == 0,
4272 ("vmspace_exec recursed"));
4273 newvmspace = vmspace_alloc(minuser, maxuser, pmap_pinit);
4274 if (newvmspace == NULL)
4276 newvmspace->vm_swrss = oldvmspace->vm_swrss;
4278 * This code is written like this for prototype purposes. The
4279 * goal is to avoid running down the vmspace here, but let the
4280 * other process's that are still using the vmspace to finally
4281 * run it down. Even though there is little or no chance of blocking
4282 * here, it is a good idea to keep this form for future mods.
4284 PROC_VMSPACE_LOCK(p);
4285 p->p_vmspace = newvmspace;
4286 PROC_VMSPACE_UNLOCK(p);
4287 if (p == curthread->td_proc)
4288 pmap_activate(curthread);
4289 curthread->td_pflags |= TDP_EXECVMSPC;
4294 * Unshare the specified VM space for forcing COW. This
4295 * is called by rfork, for the (RFMEM|RFPROC) == 0 case.
4298 vmspace_unshare(struct proc *p)
4300 struct vmspace *oldvmspace = p->p_vmspace;
4301 struct vmspace *newvmspace;
4302 vm_ooffset_t fork_charge;
4304 if (oldvmspace->vm_refcnt == 1)
4307 newvmspace = vmspace_fork(oldvmspace, &fork_charge);
4308 if (newvmspace == NULL)
4310 if (!swap_reserve_by_cred(fork_charge, p->p_ucred)) {
4311 vmspace_free(newvmspace);
4314 PROC_VMSPACE_LOCK(p);
4315 p->p_vmspace = newvmspace;
4316 PROC_VMSPACE_UNLOCK(p);
4317 if (p == curthread->td_proc)
4318 pmap_activate(curthread);
4319 vmspace_free(oldvmspace);
4326 * Finds the VM object, offset, and
4327 * protection for a given virtual address in the
4328 * specified map, assuming a page fault of the
4331 * Leaves the map in question locked for read; return
4332 * values are guaranteed until a vm_map_lookup_done
4333 * call is performed. Note that the map argument
4334 * is in/out; the returned map must be used in
4335 * the call to vm_map_lookup_done.
4337 * A handle (out_entry) is returned for use in
4338 * vm_map_lookup_done, to make that fast.
4340 * If a lookup is requested with "write protection"
4341 * specified, the map may be changed to perform virtual
4342 * copying operations, although the data referenced will
4346 vm_map_lookup(vm_map_t *var_map, /* IN/OUT */
4348 vm_prot_t fault_typea,
4349 vm_map_entry_t *out_entry, /* OUT */
4350 vm_object_t *object, /* OUT */
4351 vm_pindex_t *pindex, /* OUT */
4352 vm_prot_t *out_prot, /* OUT */
4353 boolean_t *wired) /* OUT */
4355 vm_map_entry_t entry;
4356 vm_map_t map = *var_map;
4358 vm_prot_t fault_type = fault_typea;
4359 vm_object_t eobject;
4365 vm_map_lock_read(map);
4369 * Lookup the faulting address.
4371 if (!vm_map_lookup_entry(map, vaddr, out_entry)) {
4372 vm_map_unlock_read(map);
4373 return (KERN_INVALID_ADDRESS);
4381 if (entry->eflags & MAP_ENTRY_IS_SUB_MAP) {
4382 vm_map_t old_map = map;
4384 *var_map = map = entry->object.sub_map;
4385 vm_map_unlock_read(old_map);
4390 * Check whether this task is allowed to have this page.
4392 prot = entry->protection;
4393 if ((fault_typea & VM_PROT_FAULT_LOOKUP) != 0) {
4394 fault_typea &= ~VM_PROT_FAULT_LOOKUP;
4395 if (prot == VM_PROT_NONE && map != kernel_map &&
4396 (entry->eflags & MAP_ENTRY_GUARD) != 0 &&
4397 (entry->eflags & (MAP_ENTRY_STACK_GAP_DN |
4398 MAP_ENTRY_STACK_GAP_UP)) != 0 &&
4399 vm_map_growstack(map, vaddr, entry) == KERN_SUCCESS)
4400 goto RetryLookupLocked;
4402 fault_type &= VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
4403 if ((fault_type & prot) != fault_type || prot == VM_PROT_NONE) {
4404 vm_map_unlock_read(map);
4405 return (KERN_PROTECTION_FAILURE);
4407 KASSERT((prot & VM_PROT_WRITE) == 0 || (entry->eflags &
4408 (MAP_ENTRY_USER_WIRED | MAP_ENTRY_NEEDS_COPY)) !=
4409 (MAP_ENTRY_USER_WIRED | MAP_ENTRY_NEEDS_COPY),
4410 ("entry %p flags %x", entry, entry->eflags));
4411 if ((fault_typea & VM_PROT_COPY) != 0 &&
4412 (entry->max_protection & VM_PROT_WRITE) == 0 &&
4413 (entry->eflags & MAP_ENTRY_COW) == 0) {
4414 vm_map_unlock_read(map);
4415 return (KERN_PROTECTION_FAILURE);
4419 * If this page is not pageable, we have to get it for all possible
4422 *wired = (entry->wired_count != 0);
4424 fault_type = entry->protection;
4425 size = entry->end - entry->start;
4427 * If the entry was copy-on-write, we either ...
4429 if (entry->eflags & MAP_ENTRY_NEEDS_COPY) {
4431 * If we want to write the page, we may as well handle that
4432 * now since we've got the map locked.
4434 * If we don't need to write the page, we just demote the
4435 * permissions allowed.
4437 if ((fault_type & VM_PROT_WRITE) != 0 ||
4438 (fault_typea & VM_PROT_COPY) != 0) {
4440 * Make a new object, and place it in the object
4441 * chain. Note that no new references have appeared
4442 * -- one just moved from the map to the new
4445 if (vm_map_lock_upgrade(map))
4448 if (entry->cred == NULL) {
4450 * The debugger owner is charged for
4453 cred = curthread->td_ucred;
4455 if (!swap_reserve_by_cred(size, cred)) {
4458 return (KERN_RESOURCE_SHORTAGE);
4462 vm_object_shadow(&entry->object.vm_object,
4463 &entry->offset, size);
4464 entry->eflags &= ~MAP_ENTRY_NEEDS_COPY;
4465 eobject = entry->object.vm_object;
4466 if (eobject->cred != NULL) {
4468 * The object was not shadowed.
4470 swap_release_by_cred(size, entry->cred);
4471 crfree(entry->cred);
4473 } else if (entry->cred != NULL) {
4474 VM_OBJECT_WLOCK(eobject);
4475 eobject->cred = entry->cred;
4476 eobject->charge = size;
4477 VM_OBJECT_WUNLOCK(eobject);
4481 vm_map_lock_downgrade(map);
4484 * We're attempting to read a copy-on-write page --
4485 * don't allow writes.
4487 prot &= ~VM_PROT_WRITE;
4492 * Create an object if necessary.
4494 if (entry->object.vm_object == NULL &&
4496 if (vm_map_lock_upgrade(map))
4498 entry->object.vm_object = vm_object_allocate(OBJT_DEFAULT,
4501 if (entry->cred != NULL) {
4502 VM_OBJECT_WLOCK(entry->object.vm_object);
4503 entry->object.vm_object->cred = entry->cred;
4504 entry->object.vm_object->charge = size;
4505 VM_OBJECT_WUNLOCK(entry->object.vm_object);
4508 vm_map_lock_downgrade(map);
4512 * Return the object/offset from this entry. If the entry was
4513 * copy-on-write or empty, it has been fixed up.
4515 *pindex = OFF_TO_IDX((vaddr - entry->start) + entry->offset);
4516 *object = entry->object.vm_object;
4519 return (KERN_SUCCESS);
4523 * vm_map_lookup_locked:
4525 * Lookup the faulting address. A version of vm_map_lookup that returns
4526 * KERN_FAILURE instead of blocking on map lock or memory allocation.
4529 vm_map_lookup_locked(vm_map_t *var_map, /* IN/OUT */
4531 vm_prot_t fault_typea,
4532 vm_map_entry_t *out_entry, /* OUT */
4533 vm_object_t *object, /* OUT */
4534 vm_pindex_t *pindex, /* OUT */
4535 vm_prot_t *out_prot, /* OUT */
4536 boolean_t *wired) /* OUT */
4538 vm_map_entry_t entry;
4539 vm_map_t map = *var_map;
4541 vm_prot_t fault_type = fault_typea;
4544 * Lookup the faulting address.
4546 if (!vm_map_lookup_entry(map, vaddr, out_entry))
4547 return (KERN_INVALID_ADDRESS);
4552 * Fail if the entry refers to a submap.
4554 if (entry->eflags & MAP_ENTRY_IS_SUB_MAP)
4555 return (KERN_FAILURE);
4558 * Check whether this task is allowed to have this page.
4560 prot = entry->protection;
4561 fault_type &= VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
4562 if ((fault_type & prot) != fault_type)
4563 return (KERN_PROTECTION_FAILURE);
4566 * If this page is not pageable, we have to get it for all possible
4569 *wired = (entry->wired_count != 0);
4571 fault_type = entry->protection;
4573 if (entry->eflags & MAP_ENTRY_NEEDS_COPY) {
4575 * Fail if the entry was copy-on-write for a write fault.
4577 if (fault_type & VM_PROT_WRITE)
4578 return (KERN_FAILURE);
4580 * We're attempting to read a copy-on-write page --
4581 * don't allow writes.
4583 prot &= ~VM_PROT_WRITE;
4587 * Fail if an object should be created.
4589 if (entry->object.vm_object == NULL && !map->system_map)
4590 return (KERN_FAILURE);
4593 * Return the object/offset from this entry. If the entry was
4594 * copy-on-write or empty, it has been fixed up.
4596 *pindex = OFF_TO_IDX((vaddr - entry->start) + entry->offset);
4597 *object = entry->object.vm_object;
4600 return (KERN_SUCCESS);
4604 * vm_map_lookup_done:
4606 * Releases locks acquired by a vm_map_lookup
4607 * (according to the handle returned by that lookup).
4610 vm_map_lookup_done(vm_map_t map, vm_map_entry_t entry)
4613 * Unlock the main-level map
4615 vm_map_unlock_read(map);
4619 vm_map_max_KBI(const struct vm_map *map)
4622 return (vm_map_max(map));
4626 vm_map_min_KBI(const struct vm_map *map)
4629 return (vm_map_min(map));
4633 vm_map_pmap_KBI(vm_map_t map)
4639 #include "opt_ddb.h"
4641 #include <sys/kernel.h>
4643 #include <ddb/ddb.h>
4646 vm_map_print(vm_map_t map)
4648 vm_map_entry_t entry;
4650 db_iprintf("Task map %p: pmap=%p, nentries=%d, version=%u\n",
4652 (void *)map->pmap, map->nentries, map->timestamp);
4655 for (entry = map->header.next; entry != &map->header;
4656 entry = entry->next) {
4657 db_iprintf("map entry %p: start=%p, end=%p, eflags=%#x, \n",
4658 (void *)entry, (void *)entry->start, (void *)entry->end,
4661 static char *inheritance_name[4] =
4662 {"share", "copy", "none", "donate_copy"};
4664 db_iprintf(" prot=%x/%x/%s",
4666 entry->max_protection,
4667 inheritance_name[(int)(unsigned char)entry->inheritance]);
4668 if (entry->wired_count != 0)
4669 db_printf(", wired");
4671 if (entry->eflags & MAP_ENTRY_IS_SUB_MAP) {
4672 db_printf(", share=%p, offset=0x%jx\n",
4673 (void *)entry->object.sub_map,
4674 (uintmax_t)entry->offset);
4675 if ((entry->prev == &map->header) ||
4676 (entry->prev->object.sub_map !=
4677 entry->object.sub_map)) {
4679 vm_map_print((vm_map_t)entry->object.sub_map);
4683 if (entry->cred != NULL)
4684 db_printf(", ruid %d", entry->cred->cr_ruid);
4685 db_printf(", object=%p, offset=0x%jx",
4686 (void *)entry->object.vm_object,
4687 (uintmax_t)entry->offset);
4688 if (entry->object.vm_object && entry->object.vm_object->cred)
4689 db_printf(", obj ruid %d charge %jx",
4690 entry->object.vm_object->cred->cr_ruid,
4691 (uintmax_t)entry->object.vm_object->charge);
4692 if (entry->eflags & MAP_ENTRY_COW)
4693 db_printf(", copy (%s)",
4694 (entry->eflags & MAP_ENTRY_NEEDS_COPY) ? "needed" : "done");
4697 if ((entry->prev == &map->header) ||
4698 (entry->prev->object.vm_object !=
4699 entry->object.vm_object)) {
4701 vm_object_print((db_expr_t)(intptr_t)
4702 entry->object.vm_object,
4711 DB_SHOW_COMMAND(map, map)
4715 db_printf("usage: show map <addr>\n");
4718 vm_map_print((vm_map_t)addr);
4721 DB_SHOW_COMMAND(procvm, procvm)
4726 p = db_lookup_proc(addr);
4731 db_printf("p = %p, vmspace = %p, map = %p, pmap = %p\n",
4732 (void *)p, (void *)p->p_vmspace, (void *)&p->p_vmspace->vm_map,
4733 (void *)vmspace_pmap(p->p_vmspace));
4735 vm_map_print((vm_map_t)&p->p_vmspace->vm_map);
projects / FreeBSD / FreeBSD.git / blob