From owner-svn-src-all@FreeBSD.ORG Sat Aug 6 11:33:17 2011 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CFD15106564A; Sat, 6 Aug 2011 11:33:17 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id A60FC8FC0A; Sat, 6 Aug 2011 11:33:17 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p76BXH1V049995; Sat, 6 Aug 2011 11:33:17 GMT (envelope-from kib@svn.freebsd.org) Received: (from kib@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p76BXHcT049993; Sat, 6 Aug 2011 11:33:17 GMT (envelope-from kib@svn.freebsd.org) Message-Id: <201108061133.p76BXHcT049993@svn.freebsd.org> From: Konstantin Belousov Date: Sat, 6 Aug 2011 11:33:17 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r224676 - stable/8/sys/vm X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Aug 2011 11:33:17 -0000 Author: kib Date: Sat Aug 6 11:33:17 2011 New Revision: 224676 URL: http://svn.freebsd.org/changeset/base/224676 Log: MFC r224522: Fix a race in the device pager allocation. If another thread won and allocated the device pager for the given handle, then the object fictitious pages list and the object membership in the global object list still need to be initialized. Otherwise, dev_pager_dealloc() will traverse uninitialized pointers. Modified: stable/8/sys/vm/device_pager.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/amd64/include/xen/ (props changed) stable/8/sys/cddl/contrib/opensolaris/ (props changed) stable/8/sys/contrib/dev/acpica/ (props changed) stable/8/sys/contrib/pf/ (props changed) Modified: stable/8/sys/vm/device_pager.c ============================================================================== --- stable/8/sys/vm/device_pager.c Sat Aug 6 10:12:59 2011 (r224675) +++ stable/8/sys/vm/device_pager.c Sat Aug 6 11:33:17 2011 (r224676) @@ -168,6 +168,7 @@ dev_pager_alloc(void *handle, vm_ooffset object1 = vm_object_allocate(OBJT_DEVICE, pindex); object1->flags |= OBJ_COLORED; object1->pg_color = atop(paddr) - OFF_TO_IDX(off - PAGE_SIZE); + TAILQ_INIT(&object1->un_pager.devp.devp_pglist); mtx_lock(&dev_pager_mtx); object = vm_pager_object_lookup(&dev_pager_object_list, handle); if (object != NULL) { @@ -180,7 +181,6 @@ dev_pager_alloc(void *handle, vm_ooffset object = object1; object1 = NULL; object->handle = handle; - TAILQ_INIT(&object->un_pager.devp.devp_pglist); TAILQ_INSERT_TAIL(&dev_pager_object_list, object, pager_object_list); } @@ -190,7 +190,14 @@ dev_pager_alloc(void *handle, vm_ooffset } mtx_unlock(&dev_pager_mtx); dev_relthread(dev, ref); - vm_object_deallocate(object1); + if (object1 != NULL) { + object1->handle = object1; + mtx_lock(&dev_pager_mtx); + TAILQ_INSERT_TAIL(&dev_pager_object_list, object1, + pager_object_list); + mtx_unlock(&dev_pager_mtx); + vm_object_deallocate(object1); + } return (object); }