From: Martin Pieuchot
Subject: uobject & uanon sanity checks
To: tech@openbsd.org
Date: Mon, 17 Feb 2025 17:34:20 +0100

Diff below ensures the `uobject' and `uanon' pointers are properly NULL before giving any page to the pmemrange allocator instead of clearing them in the allocator.

ok?

Index: uvm/uvm_object.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_object.c,v
diff -u -p -r1.25 uvm_object.c
--- uvm/uvm_object.c 21 Feb 2022 16:08:36 -0000 1.25
+++ uvm/uvm_object.c 17 Feb 2025 16:19:32 -0000
@@ -233,10 +233,11 @@ uvm_obj_free(struct uvm_object *uobj)
 */
 RBT_FOREACH(pg, uvm_objtree, &uobj->memt) {
 /*
- * clear PG_TABLED so we don't do work to remove
- * this pg from the uobj we are throwing away
+ * clear PG_TABLED and `uobject' so we don't do work to
+ * remove this pg from the uobj we are throwing away.
 */
 atomic_clearbits_int(&pg->pg_flags, PG_TABLED);
+ pg->uobject = NULL;
 uvm_lock_pageq();
 uvm_pageclean(pg);
 uvm_unlock_pageq();
Index: uvm/uvm_page.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_page.c,v
diff -u -p -r1.180 uvm_page.c
--- uvm/uvm_page.c 27 Dec 2024 12:04:40 -0000 1.180
+++ uvm/uvm_page.c 17 Feb 2025 16:18:55 -0000
@@ -255,6 +255,8 @@ uvm_page_init(vaddr_t *kvm_startp, vaddr
 i++, curpg++, pgno++, paddr += PAGE_SIZE) {
 curpg->phys_addr = paddr;
 VM_MDPAGE_INIT(curpg);
+ curpg->uobject = NULL;
+ curpg->uanon = NULL;
 if (pgno >= seg->avail_start &&
 pgno < seg->avail_end) {
 uvmexp.npages++;
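Review bot: The loop now clears `pg->uobject` but leaves `pg->uanon` untouched, while the assertions this diff adds in uvm_pmr_freepages() and uvm_pmr_freepageq() require both fields to be NULL on every page handed back to the allocator. If any page in the object's tree can still carry an anon reference at this point (nothing in the hunk rules it out), it would now trip those assertions deep in the allocator rather than being sanitized here. A `KASSERT(pg->uanon == NULL);` next to the new `pg->uobject = NULL;` would surface that at the source. uvm_obj_free()'s body starts and ends outside the hunk.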
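Review bot: The two stores after `VM_MDPAGE_INIT(curpg)` exist to establish the invariant the new pmemrange KASSERTs check, but nothing in the hunk says so; if the page array is already zeroed before this loop (outside the hunk), a reader will take them for redundant and may drop them later. A comment such as `/* pmemrange asserts both are NULL on every page it is handed */` above `curpg->uobject = NULL;` would pin the intent, and the same applies to the matching pair added in uvm_page_physload(). uvm_page_init()'s body continues outside the hunk.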
@@ -560,6 +562,8 @@ uvm_page_physload(paddr_t start, paddr_t
 lcv++, paddr += PAGE_SIZE) {
 pgs[lcv].phys_addr = paddr;
 VM_MDPAGE_INIT(&pgs[lcv]);
+ pgs[lcv].uobject = NULL;
+ pgs[lcv].uanon = NULL;
 if (atop(paddr) >= avail_start &&
 atop(paddr) < avail_end) {
 if (flags & PHYSLOAD_DEVICE) {
Index: uvm/uvm_pmemrange.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_pmemrange.c,v
diff -u -p -r1.76 uvm_pmemrange.c
--- uvm/uvm_pmemrange.c 8 Nov 2024 15:54:33 -0000 1.76
+++ uvm/uvm_pmemrange.c 17 Feb 2025 16:02:40 -0000
@@ -1226,8 +1226,8 @@ out:
 }
 atomic_clearbits_int(&found->pg_flags, PG_ZERO|PQ_FREE);
- found->uobject = NULL;
- found->uanon = NULL;
+ KASSERT(found->uobject == NULL);
+ KASSERT(found->uanon == NULL);
 found->pg_version++;
 /*
@@ -1303,6 +1303,9 @@ uvm_pmr_freepages(struct vm_page *pg, ps
 struct vm_page *firstpg = pg;
 for (i = 0; i < count; i++) {
+ KASSERT(pg->uobject == NULL);
+ KASSERT(pg->uanon == NULL);
+
 KASSERT(atop(VM_PAGE_TO_PHYS(&pg[i])) ==
 atop(VM_PAGE_TO_PHYS(pg)) + i);
@@ -1350,6 +1353,9 @@ uvm_pmr_freepageq(struct pglist *pgl)
 psize_t plen;
 TAILQ_FOREACH(pg, pgl, pageq) {
+ KASSERT(pg->uobject == NULL);
+ KASSERT(pg->uanon == NULL);
+
 if (!((pg->pg_flags & PQ_FREE) == 0 &&
 VALID_FLAGS(pg->pg_flags))) {
 printf("Flags: 0x%x, will panic now.\n",
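Review bot: Replacing the two stores with `KASSERT(found->uobject == NULL)` / `KASSERT(found->uanon == NULL)` turns a sanitizing write into a DIAGNOSTIC-only check: in a kernel built without DIAGNOSTIC the assertions compile to nothing, so a page that reaches the allocator with a stale `uobject` or `uanon` pointer is now handed to its next user with that dangling pointer intact instead of being cleared. That is only safe if every path that frees a page has already cleared both fields; this diff covers uvm_obj_free() and the page-array init paths, but other free paths (anon teardown, device pages) are not visible here and should be confirmed before the clearing is dropped. The same consideration applies to the KASSERTs added in uvm_pmr_freepages() and uvm_pmr_freepageq() later in this file. The enclosing function starts and ends outside the hunk.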
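Review bot: The new assertions in uvm_pmr_freepages() check `pg->uobject` and `pg->uanon` inside `for (i = 0; i < count; i++)`, so they test the first page of the run `count` times and never look at pages 1..count-1; the existing assertion right below indexes `&pg[i]`, which is the page each iteration is about. They should read `KASSERT(pg[i].uobject == NULL);` and `KASSERT(pg[i].uanon == NULL);`. uvm_pmr_freepages()'s body continues outside the hunk.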