git: d8cb6c173417 - stable/13 - swap_pager: Fix a race in swap_pager_swapoff_object()
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 09 Oct 2023 00:59:02 UTC
The branch stable/13 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=d8cb6c173417f47b2337c12ab662a13c6e147789
commit d8cb6c173417f47b2337c12ab662a13c6e147789
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-10-02 11:49:27 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-10-09 00:42:30 +0000
swap_pager: Fix a race in swap_pager_swapoff_object()
When we disable swapping to a device, we scan the full VM object list
looking for objects with swap trie nodes that reference the device in
question. The pages corresponding to those nodes are paged in.
While paging in, we drop the VM object lock. Moreover, we do not hold a
reference for the object; swap_pager_swapoff_object() merely bumps the
paging-in-progress counter. vm_object_terminate() waits for this
counter to drain before proceeding and freeing pages.
However, swap_pager_swapoff_object() decrements the counter before
re-acquiring the VM object lock, which means that vm_object_terminate()
can race to acquire the lock and free the pages. Then,
swap_pager_swapoff_object() ends up unbusying a freed page. Fix the
problem by acquiring the lock before waking up sleepers.
PR: 273610
Reported by: Graham Perrin <grahamperrin@gmail.com>
Reviewed by: kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D42029
(cherry picked from commit e61568aeeec7667789e6c9d4837e074edecc990e)
---
sys/vm/swap_pager.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/vm/swap_pager.c b/sys/vm/swap_pager.c
index 7e5fa90efd16..dd7fecc066c4 100644
--- a/sys/vm/swap_pager.c
+++ b/sys/vm/swap_pager.c
@@ -1897,8 +1897,8 @@ swap_pager_swapoff_object(struct swdevt *sp, vm_object_t object)
if (rv != VM_PAGER_OK)
panic("%s: read from swap failed: %d",
__func__, rv);
- vm_object_pip_wakeupn(object, 1);
VM_OBJECT_WLOCK(object);
+ vm_object_pip_wakeupn(object, 1);
vm_page_xunbusy(m);
/*