From owner-svn-src-head@FreeBSD.ORG  Wed Jan  9 16:48:39 2013
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 214DE5E5;
 Wed,  9 Jan 2013 16:48:39 +0000 (UTC) (envelope-from ken@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 by mx1.freebsd.org (Postfix) with ESMTP id CDB5DD15;
 Wed,  9 Jan 2013 16:48:38 +0000 (UTC)
Received: from svn.freebsd.org (svn.FreeBSD.org [8.8.178.70])
 by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id r09GmcbD048697;
 Wed, 9 Jan 2013 16:48:38 GMT (envelope-from ken@svn.freebsd.org)
Received: (from ken@localhost)
 by svn.freebsd.org (8.14.5/8.14.5/Submit) id r09Gmcki048695;
 Wed, 9 Jan 2013 16:48:38 GMT (envelope-from ken@svn.freebsd.org)
Message-Id: <201301091648.r09Gmcki048695@svn.freebsd.org>
From: "Kenneth D. Merry" <ken@FreeBSD.org>
Date: Wed, 9 Jan 2013 16:48:38 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r245226 - head/sys/vm
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2013 16:48:39 -0000

Author: ken
Date: Wed Jan  9 16:48:38 2013
New Revision: 245226
URL: http://svnweb.freebsd.org/changeset/base/245226

Log:
  Fix a bug in the device pager code that can trigger an assertion
  in devfs if a particular race condition is hit in the device pager
  code.
  
  This was a side effect of change 227530 which changed the device
  pager interface to call a new destructor routine for the cdev.
  That destructor routine, old_dev_pager_dtor(), takes a VM object
  handle.
  
  The object handle is cast to a struct cdev *, and passed into
  dev_rel().
  
  That works in most cases, except the case in cdev_pager_allocate()
  where there is a race condition between two threads allocating an
  object backed by the same device.  The loser of the race
  deallocates its object at the end of the function.
  
  The problem is that before inserting the object into the
  dev_pager_object_list, the object's handle is changed from the
  struct cdev pointer to the object's own address.  This is to avoid
  conflicts with the winner of the race, which already inserted an
  object in the list with a handle that is a pointer to the same cdev
  structure.
  
  The object is then passed to vm_object_deallocate(), and eventually
  makes its way down to old_dev_pager_dtor().  That function passes
  the handle pointer (which is actually a VM object, not a struct
  cdev as usual) into dev_rel().  dev_rel() decrements the reference
  count in the assumed struct cdev (which happens to be 0), and
  that triggers the assertion in dev_rel() that the reference count
  is greater than or equal to 0.
  
  The fix is to add a cdev pointer to the VM object, and use that
  pointer when calling the cdev_pg_dtor() routine.
  
  vm_object.h:	Add a struct cdev pointer to the VM object
  		structure.
  
  device_pager.c:	In cdev_pager_allocate(), populate the new cdev
  		pointer.
  
  		In dev_pager_dealloc(), use the new cdev pointer
  		when calling the object's cdev_pg_dtor() routine.
  
  Reviewed by:	kib
  Sponsored by:	Spectra Logic Corporation
  MFC after:	1 week

Modified:
  head/sys/vm/device_pager.c
  head/sys/vm/vm_object.h

Modified: head/sys/vm/device_pager.c
==============================================================================
--- head/sys/vm/device_pager.c	Wed Jan  9 15:22:37 2013	(r245225)
+++ head/sys/vm/device_pager.c	Wed Jan  9 16:48:38 2013	(r245226)
@@ -158,6 +158,7 @@ cdev_pager_allocate(void *handle, enum o
 		object1->pg_color = color;
 		object1->handle = handle;
 		object1->un_pager.devp.ops = ops;
+		object1->un_pager.devp.dev = handle;
 		TAILQ_INIT(&object1->un_pager.devp.devp_pglist);
 		mtx_lock(&dev_pager_mtx);
 		object = vm_pager_object_lookup(&dev_pager_object_list, handle);
@@ -235,7 +236,7 @@ dev_pager_dealloc(object)
 	vm_page_t m;
 
 	VM_OBJECT_UNLOCK(object);
-	object->un_pager.devp.ops->cdev_pg_dtor(object->handle);
+	object->un_pager.devp.ops->cdev_pg_dtor(object->un_pager.devp.dev);
 
 	mtx_lock(&dev_pager_mtx);
 	TAILQ_REMOVE(&dev_pager_object_list, object, pager_object_list);

Modified: head/sys/vm/vm_object.h
==============================================================================
--- head/sys/vm/vm_object.h	Wed Jan  9 15:22:37 2013	(r245225)
+++ head/sys/vm/vm_object.h	Wed Jan  9 16:48:38 2013	(r245226)
@@ -136,6 +136,7 @@ struct vm_object {
 		struct {
 			TAILQ_HEAD(, vm_page) devp_pglist;
 			struct cdev_pager_ops *ops;
+			struct cdev *dev;
 		} devp;
 
 		/*