svn commit: r224676 - stable/8/sys/vm

Sat Aug 6 11:33:17 UTC 2011

Author: kib
Date: Sat Aug  6 11:33:17 2011
New Revision: 224676
URL: http://svn.freebsd.org/changeset/base/224676

Log:
  MFC r224522:
  Fix a race in the device pager allocation. If another thread won and
  allocated the device pager for the given handle, then the object
  fictitious pages list and the object membership in the global object
  list still need to be initialized. Otherwise, dev_pager_dealloc() will
  traverse uninitialized pointers.

Modified:
  stable/8/sys/vm/device_pager.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)

Modified: stable/8/sys/vm/device_pager.c
==============================================================================

--- stable/8/sys/vm/device_pager.c	Sat Aug  6 10:12:59 2011	(r224675)
+++ stable/8/sys/vm/device_pager.c	Sat Aug  6 11:33:17 2011	(r224676)
@@ -168,6 +168,7 @@ dev_pager_alloc(void *handle, vm_ooffset
 		object1 = vm_object_allocate(OBJT_DEVICE, pindex);
 		object1->flags |= OBJ_COLORED;
 		object1->pg_color = atop(paddr) - OFF_TO_IDX(off - PAGE_SIZE);
+		TAILQ_INIT(&object1->un_pager.devp.devp_pglist);
 		mtx_lock(&dev_pager_mtx);
 		object = vm_pager_object_lookup(&dev_pager_object_list, handle);
 		if (object != NULL) {
@@ -180,7 +181,6 @@ dev_pager_alloc(void *handle, vm_ooffset
 			object = object1;
 			object1 = NULL;
 			object->handle = handle;
-			TAILQ_INIT(&object->un_pager.devp.devp_pglist);
 			TAILQ_INSERT_TAIL(&dev_pager_object_list, object,
 			    pager_object_list);
 		}
@@ -190,7 +190,14 @@ dev_pager_alloc(void *handle, vm_ooffset
 	}
 	mtx_unlock(&dev_pager_mtx);
 	dev_relthread(dev, ref);
-	vm_object_deallocate(object1);
+	if (object1 != NULL) {
+		object1->handle = object1;
+		mtx_lock(&dev_pager_mtx);
+		TAILQ_INSERT_TAIL(&dev_pager_object_list, object1,
+		    pager_object_list);
+		mtx_unlock(&dev_pager_mtx);
+		vm_object_deallocate(object1);
+	}
 	return (object);
 }
 
