It seems to be possible to truncate an object while it is still mapped.

Don't panic in that case but force a page fault instead. Hopefully this fixes the panic during coredump that deraadt@ reported.
author: kettenis <kettenis@openbsd.org> 2013-12-06 20:13:29 +0000
committer: kettenis <kettenis@openbsd.org> 2013-12-06 20:13:29 +0000
commit: 95e51d18c0ff25d171f52fb09e337d54c6c920dc (patch)
tree: 21c6abcb7ce22a81bf6e354d96ebb0b0007b33e8 /sys
parent: missing comma; (diff)
download: wireguard-openbsd-95e51d18c0ff25d171f52fb09e337d54c6c920dc.tar.xz
wireguard-openbsd-95e51d18c0ff25d171f52fb09e337d54c6c920dc.zip
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/dev/pci/drm/i915/i915_gem.c b/sys/dev/pci/drm/i915/i915_gem.c
index 0453c341fd0..d00431c72a4 100644
--- a/sys/dev/pci/drm/i915/i915_gem.c
+++ b/sys/dev/pci/drm/i915/i915_gem.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: i915_gem.c,v 1.54 2013/12/05 13:29:56 kettenis Exp $	*/
+/*	$OpenBSD: i915_gem.c,v 1.55 2013/12/06 20:13:29 kettenis Exp $	*/
 /*
  * Copyright (c) 2008-2009 Owain G. Ainsworth <oga@openbsd.org>
  *
@@ -1402,7 +1402,13 @@ i915_gem_fault(struct drm_gem_object *gem_obj, struct uvm_faultinfo *ufi,
 
 	dev_priv->entries++;
 
-	KASSERT(obj->base.map);
+	if (!obj->base.map) {
+		uvmfault_unlockall(ufi, ufi->entry->aref.ar_amap,
+		    &obj->base.uobj, NULL);
+		dev_priv->entries--;
+		return (VM_PAGER_BAD);
+	}
+
 	offset -= obj->base.map->ext;
 
 	if (rw_enter(&dev->dev_lock, RW_NOSLEEP | RW_READ) != 0) {
author	kettenis <kettenis@openbsd.org>	2013-12-06 20:13:29 +0000
committer	kettenis <kettenis@openbsd.org>	2013-12-06 20:13:29 +0000
commit	95e51d18c0ff25d171f52fb09e337d54c6c920dc (patch)
tree	21c6abcb7ce22a81bf6e354d96ebb0b0007b33e8 /sys
parent	missing comma; (diff)
download	wireguard-openbsd-95e51d18c0ff25d171f52fb09e337d54c6c920dc.tar.xz wireguard-openbsd-95e51d18c0ff25d171f52fb09e337d54c6c920dc.zip