From owner-svn-src-stable-7@FreeBSD.ORG Fri Apr 17 15:35:16 2009 Return-Path: Delivered-To: svn-src-stable-7@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8FBA81065670; Fri, 17 Apr 2009 15:35:16 +0000 (UTC) (envelope-from alc@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 7D0178FC1E; Fri, 17 Apr 2009 15:35:16 +0000 (UTC) (envelope-from alc@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n3HFZGBT026440; Fri, 17 Apr 2009 15:35:16 GMT (envelope-from alc@svn.freebsd.org) Received: (from alc@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n3HFZGoH026439; Fri, 17 Apr 2009 15:35:16 GMT (envelope-from alc@svn.freebsd.org) Message-Id: <200904171535.n3HFZGoH026439@svn.freebsd.org> From: Alan Cox Date: Fri, 17 Apr 2009 15:35:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org X-SVN-Group: stable-7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r191204 - in stable/7/sys: . contrib/pf dev/ath/ath_hal dev/cxgb vm X-BeenThere: svn-src-stable-7@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 7-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Apr 2009 15:35:17 -0000 Author: alc Date: Fri Apr 17 15:35:16 2009 New Revision: 191204 URL: http://svn.freebsd.org/changeset/base/191204 Log: MFC r175055 Defer setting either PG_CACHED or PG_FREE until after the free page queues lock is acquired. Otherwise, the state of a reservation's pages' flags and its population count can be inconsistent. That could result in a page being freed twice. (This change should have been included in the MFC of the superpages support.) Thanks to: pho for an illuminating crash Approved by: re (kib) Modified: stable/7/sys/ (props changed) stable/7/sys/contrib/pf/ (props changed) stable/7/sys/dev/ath/ath_hal/ (props changed) stable/7/sys/dev/cxgb/ (props changed) stable/7/sys/vm/vm_page.c Modified: stable/7/sys/vm/vm_page.c ============================================================================== --- stable/7/sys/vm/vm_page.c Fri Apr 17 14:58:02 2009 (r191203) +++ stable/7/sys/vm/vm_page.c Fri Apr 17 15:35:16 2009 (r191204) @@ -1402,8 +1402,8 @@ vm_page_free_toq(vm_page_t m) m->flags &= ~PG_ZERO; vm_page_enqueue(PQ_HOLD, m); } else { - m->flags |= PG_FREE; mtx_lock(&vm_page_queue_free_mtx); + m->flags |= PG_FREE; cnt.v_free_count++; #if VM_NRESERVLEVEL > 0 if (!vm_reserv_free_page(m)) @@ -1654,9 +1654,9 @@ vm_page_cache(vm_page_t m) * Insert the page into the object's collection of cached pages * and the physical memory allocator's cache/free page queues. */ - vm_page_flag_set(m, PG_CACHED); vm_page_flag_clear(m, PG_ZERO); mtx_lock(&vm_page_queue_free_mtx); + m->flags |= PG_CACHED; cnt.v_cache_count++; root = object->cache; if (root == NULL) {