Fix a race in vm_page_dequeue_deferred().

To detect the case where the page is already marked for a deferred dequeue, we must read the "queue" and "aflags" fields in a precise order. Otherwise, a race with a concurrent vm_page_dequeue_complete() could leave the page with PGA_DEQUEUE set despite it already having been dequeued. Fix the problem by using vm_page_queue() to check the queue state, which correctly handles the race. Reviewed by: kib Tested by: pho MFC after: 3 days Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D19039
2019-02-03 18:38:58 +00:00 · 2019-02-03 18:38:58 +00:00 · d0488e698f
commit d0488e698f
parent 634a8a8873
1 changed files with 4 additions and 9 deletions
--- a/sys/vm/vm_page.c
+++ b/sys/vm/vm_page.c
@ -3279,18 +3279,13 @@ vm_page_dequeue_complete(vm_page_t m)
 void
 vm_page_dequeue_deferred(vm_page_t m)
 {
-	int queue;
+	uint8_t queue;

 	vm_page_assert_locked(m);

-	queue = atomic_load_8(&m->queue);
-	if (queue == PQ_NONE) {
-		KASSERT((m->aflags & PGA_QUEUE_STATE_MASK) == 0,
-		    ("page %p has queue state", m));
+	if ((queue = vm_page_queue(m)) == PQ_NONE)
 		return;
-	}
-	if ((m->aflags & PGA_DEQUEUE) == 0)
-		vm_page_aflag_set(m, PGA_DEQUEUE);
+	vm_page_aflag_set(m, PGA_DEQUEUE);
 	vm_pqbatch_submit_page(m, queue);
 }

@ -3386,7 +3381,7 @@ vm_page_requeue(vm_page_t m)
 {

 	vm_page_assert_locked(m);
-	KASSERT(m->queue != PQ_NONE,
+	KASSERT(vm_page_queue(m) != PQ_NONE,
 	    ("%s: page %p is not logically enqueued", __func__, m));

 	if ((m->aflags & PGA_REQUEUE) == 0)