Date: Thu, 16 Sep 2004 15:53:07 +0200
From: Uwe Doering
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/71792: Wrong/missing 'goto' target label in contigmalloc1()

>Number: 71792
>Category: kern
>Synopsis: Wrong/missing 'goto' target label in contigmalloc1()
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Sep 16 14:00:48 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Uwe Doering
>Release: FreeBSD 4.10-STABLE i386
>Organization:
EscapeBox - Managed On-Demand UNIX Servers
http://www.escapebox.net
>Environment:
System: FreeBSD geminix.org 4.10-STABLE FreeBSD 4.10-STABLE #1: Tue Sep 14 20:12:02 GMT 2004 root@localhost:/RELENG_4_Enhanced i386
>Description:
There are two loops in contigmalloc1() (src/sys/vm/vm_page.c) that try to make room in the memory arena if there was no page available on first try that would fit the applying constraints. The first loop scans PQ_INACTIVE, the second one PQ_ACTIVE.

Now, the second loop apparently has come into existence by means of a cut-and-paste operation. Unfortunately, the author of the code segment forgot to give that loop its own 'goto' target label, to be used in start-over situations. Instead, the 'goto' statements jump back into the PQ_INACTIVE loop, possibly over and over again.
>How-To-Repeat:
The problem becomes apparent when looking at the relevant source code.
>Fix:
Give the PQ_ACTIVE loop its own start-over target label. Please consider adopting the patch below.

--- vm_page.c.diff begins here ---
--- src/sys/vm/vm_page.c.orig Wed Jan 28 22:24:01 2004 +++ src/sys/vm/vm_page.c Sat May 8 20:48:22 2004 
@@ -1892,6 +1894,7 @@ vm_page_cache(m); } +again2: for (m = TAILQ_FIRST(&vm_page_queues[PQ_ACTIVE].pl); m != NULL; m = next) { @@ -1901,18 +1904,18 @@ next = TAILQ_NEXT(m, pageq); if (vm_page_sleep_busy(m, TRUE, "vpctw1")) - goto again1; + goto again2; vm_page_test_dirty(m); if (m->dirty) { if (m->object->type == OBJT_VNODE) { vn_lock(m->object->handle, LK_EXCLUSIVE | LK_RETRY, curproc); vm_object_page_clean(m->object, 0, 0, OBJPC_SYNC); VOP_UNLOCK(m->object->handle, 0, curproc); - goto again1; + goto again2; } else if (m->object->type == OBJT_SWAP || m->object->type == OBJT_DEFAULT) { vm_pageout_flush(&m, 1, 0); - goto again1; + goto again2; } } if ((m->dirty == 0) && (m->busy == 0) && (m->hold_count == 0)) --- vm_page.c.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
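
Review bot: the first hunk header, `@@ -1892,6 +1894,7 @@`, already shows a two-line offset between the old and new file although no earlier hunk is included, so this diff appears to have been cut from a tree with other local changes above this point (the Environment field names RELENG_4_Enhanced). Please regenerate it against an unmodified src/sys/vm/vm_page.c, or confirm it applies there without fuzz, so that the `again2:` label is certain to land directly in front of the PQ_ACTIVE `for` loop and not a few lines off.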
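
Review bot: in the second hunk, all three `goto again2` paths restart the PQ_ACTIVE scan from `TAILQ_FIRST(&vm_page_queues[PQ_ACTIVE].pl)`, and nothing in the visible lines bounds how many times that can happen or says why a full restart is required. A short comment at `again2:` would help, stating that the thread may have blocked in `vm_page_sleep_busy()`, `vn_lock()` or the synchronous clean/flush, so the saved `next` pointer can no longer be trusted. It is also worth stating in the commit message that a restart from this loop now deliberately skips the PQ_INACTIVE rescan, since that is the behavioural change a later reader will look for.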