[Bug 192863] New: Data race caused by double increment of pq->pq_cnt

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192863

            Bug ID: 192863
           Summary: Data race caused by double increment of pq->pq_cnt
           Product: Base System
           Version: 10.0-RELEASE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: pfonseca at mpi-sws.org

I've found that there are two accesses to "pq->pq_cnt" that are not
synchronized and that can race in FreeBSD 10.0. One of the accesses increments
the variable in function "vm_pagequeue_cnt_add()" while the other reads its
value in function "vm_pageout_scan()"

Strangely "pq->pq_cnt" is currently incremented twice in the function
"vm_pagequeue_cnt_add()" (in one instance this is done atomically, in the other
it's not).

Racing accesses:

/usr/src/sys/vm/vm_page.h:246

       240  vm_pagequeue_cnt_add(struct vm_pagequeue *pq, int addend)
       241  {
       242
       243  #ifdef notyet
       244      vm_pagequeue_assert_locked(pq);
       245  #endif
==>    246      pq->pq_cnt += addend;
       247      atomic_add_int(pq->pq_vcnt, addend);
       248  }


/usr/src/sys/vm/vm_pageout.c:962 (vm_pageout_scan)

       961      pq = &vmd->vmd_pagequeues[PQ_INACTIVE];
==>    962      maxscan = pq->pq_cnt;
       963      vm_pagequeue_lock(pq);
       964      queues_locked = TRUE;
       965      for (m = TAILQ_FIRST(&pq->pq_pl);
       966           m != NULL && maxscan-- > 0 && page_shortage > 0;

-- 
You are receiving this mail because:
You are the assignee for the bug.