Site Navigation

Date:      Sat, 30 Jul 2011 14:13:57 +0000 (UTC)
From:      Konstantin Belousov <kib@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r224522 - head/sys/vm
Message-ID:  <201107301413.p6UEDwtd003370@svn.freebsd.org>

---

next in thread | raw e-mail | index | archive | help

---

Author: kib
Date: Sat Jul 30 14:13:57 2011
New Revision: 224522
URL: http://svn.freebsd.org/changeset/base/224522

Log:
  Fix a race in the device pager allocation. If another thread won and
  allocated the device pager for the given handle, then the object
  fictitious pages list and the object membership in the global object
  list still need to be initialized. Otherwise, dev_pager_dealloc() will
  traverse uninitialized pointers.
  
  Reported and tested by: pho
  Reviewed by:    jhb
  Approved by:	re (kensmith)
  MFC after:      1 week

Modified:
  head/sys/vm/device_pager.c

Modified: head/sys/vm/device_pager.c
==============================================================================
--- head/sys/vm/device_pager.c	Sat Jul 30 14:12:37 2011	(r224521)
+++ head/sys/vm/device_pager.c	Sat Jul 30 14:13:57 2011	(r224522)
@@ -147,6 +147,7 @@ dev_pager_alloc(void *handle, vm_ooffset
 		object1 = vm_object_allocate(OBJT_DEVICE, pindex);
 		object1->flags |= OBJ_COLORED;
 		object1->pg_color = atop(paddr) - OFF_TO_IDX(off - PAGE_SIZE);
+		TAILQ_INIT(&object1->un_pager.devp.devp_pglist);
 		mtx_lock(&dev_pager_mtx);
 		object = vm_pager_object_lookup(&dev_pager_object_list, handle);
 		if (object != NULL) {
@@ -159,7 +160,6 @@ dev_pager_alloc(void *handle, vm_ooffset
 			object = object1;
 			object1 = NULL;
 			object->handle = handle;
-			TAILQ_INIT(&object->un_pager.devp.devp_pglist);
 			TAILQ_INSERT_TAIL(&dev_pager_object_list, object,
 			    pager_object_list);
 		}
@@ -169,7 +169,14 @@ dev_pager_alloc(void *handle, vm_ooffset
 	}
 	mtx_unlock(&dev_pager_mtx);
 	dev_relthread(dev, ref);
-	vm_object_deallocate(object1);
+	if (object1 != NULL) {
+		object1->handle = object1;
+		mtx_lock(&dev_pager_mtx);
+		TAILQ_INSERT_TAIL(&dev_pager_object_list, object1,
+		    pager_object_list);
+		mtx_unlock(&dev_pager_mtx);
+		vm_object_deallocate(object1);
+	}
 	return (object);
 }
 

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201107301413.p6UEDwtd003370>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact