Date: Thu, 30 May 2013 20:00:20 +0000 (UTC)
From: Konstantin Belousov <kib@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r251151 - head/sys/vm
Message-ID: <201305302000.r4UK0KYp032722@svn.freebsd.org>
Author: kib
Date: Thu May 30 20:00:19 2013
New Revision: 251151
URL: http://svnweb.freebsd.org/changeset/base/251151

Log:
  After the object lock was dropped, the object's reference count could
  change. Retest the ref_count and return from the function to not
  execute the further code which assumes that ref_count == 1 if it is
  not. Also, do not leak vnode lock if other thread cleared OBJ_TMPFS
  flag meantime.

  Reported by: bdrewery
  Tested by: bdrewery, pho
  Sponsored by: The FreeBSD Foundation

Modified: head/sys/vm/vm_object.c

Modified: head/sys/vm/vm_object.c ============================================================================== --- head/sys/vm/vm_object.c Thu May 30 19:53:31 2013 (r251150) +++ head/sys/vm/vm_object.c Thu May 30 20:00:19 2013 (r251151) @@ -536,15 +536,15 @@ vm_object_deallocate(vm_object_t object) vn_lock(vp, LK_EXCLUSIVE | LK_RETRY); vdrop(vp); VM_OBJECT_WLOCK(object); - if (object->type == OBJT_DEAD) { + if (object->type == OBJT_DEAD || + object->ref_count != 1) { VM_OBJECT_WUNLOCK(object); VOP_UNLOCK(vp, 0); return; - } else if ((object->flags & OBJ_TMPFS) != 0) { - if (object->ref_count == 1) - VOP_UNSET_TEXT(vp); - VOP_UNLOCK(vp, 0); } + if ((object->flags & OBJ_TMPFS) != 0) + VOP_UNSET_TEXT(vp); + VOP_UNLOCK(vp, 0); } if (object->shadow_count == 0 && object->handle == NULL &&
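Review bot: The new early return taken when `object->ref_count != 1` (the widened `OBJT_DEAD` test right after `VM_OBJECT_WLOCK(object)`) unlocks the object and the vnode and leaves vm_object_deallocate() with no `ref_count` decrement visible in this hunk. If the caller's reference has not already been dropped before this block, the object is left holding one reference too many after the race and will never reach the teardown path. Please either drop the reference under the object lock before returning or jump back to re-evaluate the function's ref_count cases, and add a short comment above the test saying that the object lock was released around vn_lock(), so both `type` and `ref_count` must be re-read. The unconditional `VOP_UNLOCK(vp, 0)` after the `OBJ_TMPFS` test does close the vnode lock leak the log describes, since the old code only unlocked inside the `else if` branch.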