Date: Wed, 20 Aug 2014 18:42:02 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 192863] New: Data race caused by double increment of pq->pq_cnt
Message-ID: <bug-192863-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192863

            Bug ID: 192863
           Summary: Data race caused by double increment of pq->pq_cnt
           Product: Base System
           Version: 10.0-RELEASE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: pfonseca@mpi-sws.org

I've found that there are two accesses to "pq->pq_cnt" that are not
synchronized and that can race in FreeBSD 10.0. One of the accesses
increments the variable in function "vm_pagequeue_cnt_add()" while the
other reads its value in function "vm_pageout_scan()".

Strangely, "pq->pq_cnt" is currently incremented twice in the function
"vm_pagequeue_cnt_add()" (in one instance this is done atomically, in
the other it's not).

Racing accesses:

/usr/src/sys/vm/vm_page.h:246

    240 vm_pagequeue_cnt_add(struct vm_pagequeue *pq, int addend)
    241 {
    242
    243 #ifdef notyet
    244 	vm_pagequeue_assert_locked(pq);
    245 #endif
==> 246 	pq->pq_cnt += addend;
    247 	atomic_add_int(pq->pq_vcnt, addend);
    248 }

/usr/src/sys/vm/vm_pageout.c:962 (vm_pageout_scan)

    961 	pq = &vmd->vmd_pagequeues[PQ_INACTIVE];
==> 962 	maxscan = pq->pq_cnt;
    963 	vm_pagequeue_lock(pq);
    964 	queues_locked = TRUE;
    965 	for (m = TAILQ_FIRST(&pq->pq_pl);
    966 	     m != NULL && maxscan-- > 0 && page_shortage > 0;

-- 
You are receiving this mail because:
You are the assignee for the bug.
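The access pattern in the report, reduced to a constructed userland model with pthreads (an added example, not FreeBSD's code; struct pagequeue, pagequeue_cnt_add, scan_limit_racy, scan_limit_locked and run_model are this example's own names). It puts the "read the count, then take the lock" ordering of vm_pageout_scan() next to the corrected "lock, then read" ordering, so that a race detector such as ThreadSanitizer flags only the former.

```c
#include <pthread.h>

/* Constructed stand-in for struct vm_pagequeue: a count guarded by a mutex.
 * All names here are this example's own, not FreeBSD's. */
struct pagequeue { pthread_mutex_t pq_mutex; int pq_cnt; };
enum { NTHREADS = 4, NADDS = 100000 };

/* Increment under the queue lock: the discipline the "notyet" assertion anticipates. */
static void pagequeue_cnt_add(struct pagequeue *pq, int addend) {
	pthread_mutex_lock(&pq->pq_mutex);
	pq->pq_cnt += addend;
	pthread_mutex_unlock(&pq->pq_mutex);
}

/* The ordering the report flags: count read first, lock taken afterwards. */
static int scan_limit_racy(struct pagequeue *pq) {
	int maxscan = pq->pq_cnt;		/* unsynchronized read */
	pthread_mutex_lock(&pq->pq_mutex);	/* the queue walk would run here */
	pthread_mutex_unlock(&pq->pq_mutex);
	return maxscan;
}

/* Corrected ordering: lock first, then read the count the lock protects. */
static int scan_limit_locked(struct pagequeue *pq) {
	pthread_mutex_lock(&pq->pq_mutex);
	int maxscan = pq->pq_cnt;
	pthread_mutex_unlock(&pq->pq_mutex);
	return maxscan;
}

static void *adder(void *arg) {
	for (int i = 0; i < NADDS; i++)
		pagequeue_cnt_add(arg, 1);
	return NULL;
}

/* NTHREADS adders run while one reader samples the count with the chosen pattern.
 * Returns the final count (read under the lock), or -1 if the sample was not a
 * plausible partial count. Under -fsanitize=thread only the racy pattern is reported. */
int run_model(int locked_read) {
	struct pagequeue pq = { PTHREAD_MUTEX_INITIALIZER, 0 };
	pthread_t tids[NTHREADS];
	for (int i = 0; i < NTHREADS; i++)
		pthread_create(&tids[i], NULL, adder, &pq);
	int sampled = locked_read ? scan_limit_locked(&pq) : scan_limit_racy(&pq);
	for (int i = 0; i < NTHREADS; i++)
		pthread_join(tids[i], NULL);
	int final_cnt = scan_limit_locked(&pq);
	return (sampled >= 0 && sampled <= final_cnt) ? final_cnt : -1;
}
```

Build with `-pthread`; adding `-fsanitize=thread` makes the difference between the two reader orderings visible without changing the result either returns.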