From owner-dev-commits-src-main@freebsd.org  Wed Feb 24 23:59:10 2021
Return-Path: <owner-dev-commits-src-main@freebsd.org>
Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5ECB454D91E;
 Wed, 24 Feb 2021 23:59:10 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4DmCZ62FNVz4pVK;
 Wed, 24 Feb 2021 23:59:10 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:5])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 3556957BC;
 Wed, 24 Feb 2021 23:59:10 +0000 (UTC) (envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
 by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 11ONxApr012917;
 Wed, 24 Feb 2021 23:59:10 GMT (envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
 by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 11ONxAvU012916;
 Wed, 24 Feb 2021 23:59:10 GMT (envelope-from git)
Date: Wed, 24 Feb 2021 23:59:10 GMT
Message-Id: <202102242359.11ONxAvU012916@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org,
 dev-commits-src-main@FreeBSD.org
From: Ryan Libby <rlibby@FreeBSD.org>
Subject: git: 14b5a3c7d5c0 - main - vm pqbatch: move unmanaged page assert
 under pagequeue lock
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rlibby
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 14b5a3c7d5c034c2a5a487b5e2d0de79c2801a65
Auto-Submitted: auto-generated
X-BeenThere: dev-commits-src-main@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Commit messages for the main branch of the src repository
 <dev-commits-src-main.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/dev-commits-src-main>, 
 <mailto:dev-commits-src-main-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/dev-commits-src-main/>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Help: <mailto:dev-commits-src-main-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main>, 
 <mailto:dev-commits-src-main-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2021 23:59:10 -0000

The branch main has been updated by rlibby:

URL: https://cgit.FreeBSD.org/src/commit/?id=14b5a3c7d5c034c2a5a487b5e2d0de79c2801a65

commit 14b5a3c7d5c034c2a5a487b5e2d0de79c2801a65
Author:     Max Laier <mlaier@FreeBSD.org>
AuthorDate: 2021-02-24 23:56:16 +0000
Commit:     Ryan Libby <rlibby@FreeBSD.org>
CommitDate: 2021-02-24 23:56:16 +0000

    vm pqbatch: move unmanaged page assert under pagequeue lock
    
    This KASSERT is overzealous because of the following race condition:
     1) A managed page which is currently in PQ_LAUNDRY is freed.
        vm_page_free_prep calls vm_page_dequeue_deferred()
    
        The page state is:
           PQ_LAUNDRY, PGA_DEQUEUE|PGA_ENQUEUED
    
     2) The laundry worker comes around and pick up the page and calls
        vm_pageout_defer(m, PQ_LAUNDRY, true) to check if page is still in the
        queue.  We do a vm_page_astate_load and get
           PQ_LAUNDRY, PGA_DEQUEUE|PGA_ENQUEUED
        as per above.
    
     3) The laundry worker is pre-empted and another thread allocates our page
        from the free pool.  For example vm_page_alloc_domain_after calls
        vm_page_dequeue() and sets VPO_UNMANAGED because we are allocating for
        an OBJT_UNMANAGED object.
    
        The page state is:
           PQ_NONE, 0 - VPO_UNMANAGED
    
     4) The laundry worker resumes, and processes vm_pageout_defer based on the
        stale astate which leads to a call to vm_page_pqbatch_submit, which will
        trip on the KASSERT.
    
    Submitted by:   mlaier
    Reviewed by:    markj, rlibby
    Sponsored by:   Dell EMC Isilon
    Differential Revision:  https://reviews.freebsd.org/D28563
---
 sys/vm/vm_page.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/sys/vm/vm_page.c b/sys/vm/vm_page.c
index c36b8cdc5762..20fbbc304490 100644
--- a/sys/vm/vm_page.c
+++ b/sys/vm/vm_page.c
@@ -3545,9 +3545,8 @@ vm_pqbatch_process_page(struct vm_pagequeue *pq, vm_page_t m, uint8_t queue)
 			counter_u64_add(queue_nops, 1);
 			break;
 		}
-		KASSERT(old.queue != PQ_NONE ||
-		    (old.flags & PGA_QUEUE_STATE_MASK) == 0,
-		    ("%s: page %p has unexpected queue state", __func__, m));
+		KASSERT((m->oflags & VPO_UNMANAGED) == 0,
+		    ("%s: page %p is unmanaged", __func__, m));
 
 		new = old;
 		if ((old.flags & PGA_DEQUEUE) != 0) {
@@ -3594,8 +3593,6 @@ vm_page_pqbatch_submit(vm_page_t m, uint8_t queue)
 	struct vm_pagequeue *pq;
 	int domain;
 
-	KASSERT((m->oflags & VPO_UNMANAGED) == 0,
-	    ("page %p is unmanaged", m));
 	KASSERT(queue < PQ_COUNT, ("invalid queue %d", queue));
 
 	domain = vm_page_domain(m);