Site Navigation

Date:      Sat, 6 Aug 2011 11:33:17 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r224676 - stable/8/sys/vm
Message-ID:  <201108061133.p76BXHcT049993@svn.freebsd.org>

---

next in thread | raw e-mail | index | archive | help

---

Author: kib
Date: Sat Aug  6 11:33:17 2011
New Revision: 224676
URL: http://svn.freebsd.org/changeset/base/224676

Log:
  MFC r224522:
  Fix a race in the device pager allocation. If another thread won and
  allocated the device pager for the given handle, then the object
  fictitious pages list and the object membership in the global object
  list still need to be initialized. Otherwise, dev_pager_dealloc() will
  traverse uninitialized pointers.

Modified:
  stable/8/sys/vm/device_pager.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)

Modified: stable/8/sys/vm/device_pager.c
==============================================================================
--- stable/8/sys/vm/device_pager.c	Sat Aug  6 10:12:59 2011	(r224675)
+++ stable/8/sys/vm/device_pager.c	Sat Aug  6 11:33:17 2011	(r224676)
@@ -168,6 +168,7 @@ dev_pager_alloc(void *handle, vm_ooffset
 		object1 = vm_object_allocate(OBJT_DEVICE, pindex);
 		object1->flags |= OBJ_COLORED;
 		object1->pg_color = atop(paddr) - OFF_TO_IDX(off - PAGE_SIZE);
+		TAILQ_INIT(&object1->un_pager.devp.devp_pglist);
 		mtx_lock(&dev_pager_mtx);
 		object = vm_pager_object_lookup(&dev_pager_object_list, handle);
 		if (object != NULL) {
@@ -180,7 +181,6 @@ dev_pager_alloc(void *handle, vm_ooffset
 			object = object1;
 			object1 = NULL;
 			object->handle = handle;
-			TAILQ_INIT(&object->un_pager.devp.devp_pglist);
 			TAILQ_INSERT_TAIL(&dev_pager_object_list, object,
 			    pager_object_list);
 		}
@@ -190,7 +190,14 @@ dev_pager_alloc(void *handle, vm_ooffset
 	}
 	mtx_unlock(&dev_pager_mtx);
 	dev_relthread(dev, ref);
-	vm_object_deallocate(object1);
+	if (object1 != NULL) {
+		object1->handle = object1;
+		mtx_lock(&dev_pager_mtx);
+		TAILQ_INSERT_TAIL(&dev_pager_object_list, object1,
+		    pager_object_list);
+		mtx_unlock(&dev_pager_mtx);
+		vm_object_deallocate(object1);
+	}
 	return (object);
 }
 

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201108061133.p76BXHcT049993>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact