From owner-svn-src-all@FreeBSD.ORG Sat Jul 30 14:13:58 2011
Return-Path:
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2E281106564A; Sat, 30 Jul 2011 14:13:58 +0000 (UTC) (envelope-from kib@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 1D62A8FC0A; Sat, 30 Jul 2011 14:13:58 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p6UEDwKc003372; Sat, 30 Jul 2011 14:13:58 GMT (envelope-from kib@svn.freebsd.org)
Received: (from kib@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p6UEDwtd003370; Sat, 30 Jul 2011 14:13:58 GMT (envelope-from kib@svn.freebsd.org)
Message-Id: <201107301413.p6UEDwtd003370@svn.freebsd.org>
From: Konstantin Belousov Date: Sat, 30 Jul 2011 14:13:57 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r224522 - head/sys/vm X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 30 Jul 2011 14:13:58 -0000 Author: kib Date: Sat Jul 30 14:13:57 2011 New Revision: 224522 URL: http://svn.freebsd.org/changeset/base/224522 Log: Fix a race in the device pager allocation. If another thread won and allocated the device pager for the given handle, then the object fictitious pages list and the object membership in the global object list still need to be initialized. Otherwise, dev_pager_dealloc() will traverse uninitialized pointers. Reported and tested by: pho Reviewed by: jhb Approved by: re (kensmith) MFC after: 1 week Modified: head/sys/vm/device_pager.c Modified: head/sys/vm/device_pager.c ============================================================================== --- head/sys/vm/device_pager.c Sat Jul 30 14:12:37 2011 (r224521) +++ head/sys/vm/device_pager.c Sat Jul 30 14:13:57 2011 (r224522) @@ -147,6 +147,7 @@ dev_pager_alloc(void *handle, vm_ooffset object1 = vm_object_allocate(OBJT_DEVICE, pindex); object1->flags |= OBJ_COLORED; object1->pg_color = atop(paddr) - OFF_TO_IDX(off - PAGE_SIZE); + TAILQ_INIT(&object1->un_pager.devp.devp_pglist); mtx_lock(&dev_pager_mtx); object = vm_pager_object_lookup(&dev_pager_object_list, handle); if (object != NULL) { 
@@ -159,7 +160,6 @@ dev_pager_alloc(void *handle, vm_ooffset object = object1; object1 = NULL; object->handle = handle; - TAILQ_INIT(&object->un_pager.devp.devp_pglist); TAILQ_INSERT_TAIL(&dev_pager_object_list, object, pager_object_list); } @@ -169,7 +169,14 @@ dev_pager_alloc(void *handle, vm_ooffset } mtx_unlock(&dev_pager_mtx); dev_relthread(dev, ref); - vm_object_deallocate(object1); + if (object1 != NULL) { + object1->handle = object1; + mtx_lock(&dev_pager_mtx); + TAILQ_INSERT_TAIL(&dev_pager_object_list, object1, + pager_object_list); + mtx_unlock(&dev_pager_mtx); + vm_object_deallocate(object1); + } return (object); }
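Review bot: in the first hunk (@@ -147,6 +147,7 @@), the moved TAILQ_INIT(&object1->un_pager.devp.devp_pglist) deserves a one-line comment saying why it sits here rather than under dev_pager_mtx: object1 is still private to this thread at that point, so no lock is needed, and the list head must be valid on both outcomes of the lookup, since the losing object1 is later handed to vm_object_deallocate() and dev_pager_dealloc() walks this list. Without that comment the init looks like it could be moved back next to the other object1 setup under the lock, which is exactly the ordering this commit is undoing.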
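Review bot: in the last hunk (@@ -169,7 +169,14 @@), the new `if (object1 != NULL)` block releases dev_pager_mtx on the line just above it and then re-takes it only to insert the loser into dev_pager_object_list; that insertion could be done inside the existing `if (object != NULL)` branch while the mutex is still held, saving a lock/unlock pair on the contended path and keeping the list manipulation in one critical section. Separately, `object1->handle = object1;` needs a comment: it gives the losing object a handle value that no caller can pass to dev_pager_alloc(), so its brief presence on the global list cannot match a concurrent lookup for a real device handle, and the only purpose of putting it on the list at all is so that dev_pager_dealloc() finds valid list pointers when vm_object_deallocate(object1) tears it down. As written, the line reads like a typo for `object1->handle = handle;`, which would make two objects answer to the same handle.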