From owner-freebsd-current@FreeBSD.ORG  Thu Jan 19 20:38:35 2006
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
X-Original-To: freebsd-current@freebsd.org
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 9156016A41F;
	Thu, 19 Jan 2006 20:38:35 +0000 (GMT) (envelope-from alc@cs.rice.edu)
Received: from cs.rice.edu (cs.rice.edu [128.42.1.30])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0FF1D43D5A;
	Thu, 19 Jan 2006 20:38:35 +0000 (GMT) (envelope-from alc@cs.rice.edu)
Received: from localhost (calypso.cs.rice.edu [128.42.1.127])
	by cs.rice.edu (Postfix) with ESMTP id 2E1CC4AAA8;
	Thu, 19 Jan 2006 14:38:34 -0600 (CST)
Received: from cs.rice.edu ([128.42.1.30])
	by localhost (calypso.cs.rice.edu [128.42.1.127]) (amavisd-new,
	port 10024)
	with LMTP id 26520-01-31; Thu, 19 Jan 2006 14:38:33 -0600 (CST)
Received: by cs.rice.edu (Postfix, from userid 19572)
	id 834CC4AA6C; Thu, 19 Jan 2006 14:38:33 -0600 (CST)
Date: Thu, 19 Jan 2006 14:38:33 -0600
From: Alan Cox <alc@cs.rice.edu>
To: John Baldwin <jhb@freebsd.org>
Message-ID: <20060119203833.GC7599@cs.rice.edu>
References: <20060118070549.GA617@xor.obsecurity.org>
	<43CEEBD4.3060604@FreeBSD.org> <200601190802.31914.jhb@freebsd.org>
	<200601191114.27075.jhb@freebsd.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200601191114.27075.jhb@freebsd.org>
User-Agent: Mutt/1.4.2i
X-Virus-Scanned: by amavis-2.2.1 at cs.rice.edu
Cc: alc@freebsd.org, freebsd-current@freebsd.org,
	Suleiman Souhlal <ssouhlal@freebsd.org>,
	Kris Kennaway <kris@obsecurity.org>
Subject: Re: System call munmap returning with the following locks
	held:	Giant
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jan 2006 20:38:35 -0000

On Thu, Jan 19, 2006 at 11:14:24AM -0500, John Baldwin wrote:
[snip]
> 
> Are you really sure the object's type can change or does the caller of 
> vm_object_deallocate() hold some sort of reference or what not that prevents 
> the type from changing?
> 

My recollection is that the object does not change type until all of
the references have been drained and it is about to be freed by
vm_object_terminate().  At the point where the type check is being
performed, the caller should hold a reference on the object.  Thus,
the type should not be changing.

That said, an unexpected type change still strikes me as the most
plausible cause.

Is there a test that easily reproduces this problem?

Alan