From owner-svn-src-head@freebsd.org Sun Dec 6 17:46:13 2015 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AB4859A05E8; Sun, 6 Dec 2015 17:46:13 +0000 (UTC) (envelope-from cem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7F41A11D4; Sun, 6 Dec 2015 17:46:13 +0000 (UTC) (envelope-from cem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tB6HkC80072737; Sun, 6 Dec 2015 17:46:12 GMT (envelope-from cem@FreeBSD.org) Received: (from cem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id tB6HkCWb072736; Sun, 6 Dec 2015 17:46:12 GMT (envelope-from cem@FreeBSD.org) Message-Id: <201512061746.tB6HkCWb072736@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: cem set sender to cem@FreeBSD.org using -f From: "Conrad E. Meyer" Date: Sun, 6 Dec 2015 17:46:12 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r291907 - head/sys/vm X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 06 Dec 2015 17:46:13 -0000 Author: cem Date: Sun Dec 6 17:46:12 2015 New Revision: 291907 URL: https://svnweb.freebsd.org/changeset/base/291907 Log: vm_fault_hold: handle vm_page_rename failure On vm_page_rename failure, fix a missing object unlock and a double free of a page. First remove the old page, then rename into other page into first_object, then free the old page. This avoids the problem on rename failure. This is a little ugly but seems to be the most straightforward solution. Tested with: $ sysctl debug.fail_point.uma_zalloc_arg="1%return" $ kyua test -k /usr/tests/sys/Kyuafile Submitted by: Ryan Libby Reviewed by: kib Seen by: alc Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D4326 Modified: head/sys/vm/vm_fault.c Modified: head/sys/vm/vm_fault.c ============================================================================== --- head/sys/vm/vm_fault.c Sun Dec 6 17:39:13 2015 (r291906) +++ head/sys/vm/vm_fault.c Sun Dec 6 17:46:12 2015 (r291907) @@ -839,7 +839,7 @@ vnode_locked: * get rid of the unnecessary page */ vm_page_lock(fs.first_m); - vm_page_free(fs.first_m); + vm_page_remove(fs.first_m); vm_page_unlock(fs.first_m); /* * grab the page and put it into the @@ -848,9 +848,13 @@ vnode_locked: */ if (vm_page_rename(fs.m, fs.first_object, fs.first_pindex)) { + VM_OBJECT_WUNLOCK(fs.first_object); unlock_and_deallocate(&fs); goto RetryFault; } + vm_page_lock(fs.first_m); + vm_page_free(fs.first_m); + vm_page_unlock(fs.first_m); #if VM_NRESERVLEVEL > 0 /* * Rename the reservation.