From nobody Mon Oct 09 18:13:24 2023 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4S46bT3ZVrz4w0p7; Mon, 9 Oct 2023 18:13:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4S46bT1P8Gz4Lmk; Mon, 9 Oct 2023 18:13:25 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696875205; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zsrN0IMkGYUtFlBO0z8csWqPSUluIownLybkseIfr3Q=; b=q5fU8AxzJIWfl/4aA3pijUZC+xtnAOftHGMOe1OQNcED9XMzLWRMRxrDm0+Vi1Xy+1z3Pb OJw2DZkj3bkJInGoTwPDNq9/ELT49SjD7/Ir77KSRboAtSxaDRmN/0RzkWlV2bKpw7Y8kz m/IDSFb5yzx4sO8sMLF/WZx6HWI7uPq5joI41HXpmh2L67r7HwYwPkjsauxJT1E1owUMUM 4UqIl6tIFYrmBE4DG+W97q//2W7FJo3TKxbYXyinpTwm91xRRtf34ihTtPcTlNh77rmee8 1iaeU+hApKjddEs/Qjdsmlq6Aq+SyuWI3x+jhAEyox1IzMgqXVoTgHA8/eOQXg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1696875205; a=rsa-sha256; cv=none; b=eiPcg8w1k61+Enpcx3dk+lbXxtXKSUDcGT3u15kPiVMfl0cdOf3eccbgVDClAgHYlznm+0 oM0+2y9qvLy4ucTTcWK5Rmh3It7DaG8/iMPvP91cEDbKcClmZuEBdaKw2Ch6dE3EdNiVYX BdBZaBkFvbopj9WZITd8oeccTSXjDcLQpN+g0e2bK4Iw4qG1sX2kmlxZCTy2heMDNHElFr 5lcvNyyMQuvEZOqJzzo4w5jUVIWacyoh32NA5ncQHabckq3AT+wSdO/d7Wen3YRxOkxNvP zyHse9qfqotm2PQ0RBQUL/JVAYHcvP/27cMlRZuHQsxi08FOcRh49ABjQb/Opw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1696875205; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=zsrN0IMkGYUtFlBO0z8csWqPSUluIownLybkseIfr3Q=; b=TaRUvWwFLTXKKomMWnWjM5u0GoA1t57iC0ox5Jg14LSbdu0dPVXAzssY774j4pZx2L3sSZ huR1n+/ywsGjlcuWdiG43mxHb2Tqw+bh33JjXLg6Y8tPdG3N2opgTIEM10tnrCsBaIGdG/ N/nXyyDwogl2EWztxTb9D+7OVci+Ora0UwOIpdKI09Vo2ZHlJwfBk4yjGzxVJOYNkpO3Z0 EO2ZS1AGTt5QfhY4wRSP111G35fFsAoVIuRy8GhVPlBxby6gHBRIk87dqFXEjStBQcWZOD +ZVdQLJcZN7I3mBhczcCitQSrMKxC8wXts0D0oMTpd644Mlz7rnVTLatXxvbSw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4S46bT0FlGz15S3; Mon, 9 Oct 2023 18:13:25 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 399IDON8072324; Mon, 9 Oct 2023 18:13:24 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 399IDO9D072321; Mon, 9 Oct 2023 18:13:24 GMT (envelope-from git) Date: Mon, 9 Oct 2023 18:13:24 GMT Message-Id: <202310091813.399IDO9D072321@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Mark Johnston Subject: git: 6f35c2380737 - releng/14.0 - swap_pager: Fix a race in swap_pager_swapoff_object() List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: markj X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.0 X-Git-Reftype: branch X-Git-Commit: 6f35c2380737fbef590ed48ed0669eebd1656287 Auto-Submitted: auto-generated The branch releng/14.0 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=6f35c2380737fbef590ed48ed0669eebd1656287 commit 6f35c2380737fbef590ed48ed0669eebd1656287 Author: Mark Johnston AuthorDate: 2023-10-02 11:49:27 +0000 Commit: Mark Johnston CommitDate: 2023-10-09 18:07:02 +0000 swap_pager: Fix a race in swap_pager_swapoff_object() When we disable swapping to a device, we scan the full VM object list looking for objects with swap trie nodes that reference the device in question. The pages corresponding to those nodes are paged in. While paging in, we drop the VM object lock. Moreover, we do not hold a reference for the object; swap_pager_swapoff_object() merely bumps the paging-in-progress counter. vm_object_terminate() waits for this counter to drain before proceeding and freeing pages. However, swap_pager_swapoff_object() decrements the counter before re-acquiring the VM object lock, which means that vm_object_terminate() can race to acquire the lock and free the pages. Then, swap_pager_swapoff_object() ends up unbusying a freed page. Fix the problem by acquiring the lock before waking up sleepers. Approved by: re (gjb) PR: 273610 Reported by: Graham Perrin Reviewed by: kib MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D42029 (cherry picked from commit e61568aeeec7667789e6c9d4837e074edecc990e) (cherry picked from commit aa229a59adeaf49517183c8117a239e2b68012f5) --- sys/vm/swap_pager.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/vm/swap_pager.c b/sys/vm/swap_pager.c index e548c2d16a0b..38151b3be96f 100644 --- a/sys/vm/swap_pager.c +++ b/sys/vm/swap_pager.c @@ -1890,8 +1890,8 @@ swap_pager_swapoff_object(struct swdevt *sp, vm_object_t object) if (rv != VM_PAGER_OK) panic("%s: read from swap failed: %d", __func__, rv); - vm_object_pip_wakeupn(object, 1); VM_OBJECT_WLOCK(object); + vm_object_pip_wakeupn(object, 1); vm_page_xunbusy(m); /*