Another long standing vm bug found at Isilon:

Fix a race between vm_object_collapse and vm_fault. Reviewed by: alc@ MFC after: 3 days
2011-05-09 20:27:49 +00:00 · 2011-05-09 20:27:49 +00:00 · e18cc7bf3e
commit e18cc7bf3e
parent 4c83f2f32b
1 changed files with 18 additions and 0 deletions
--- a/sys/vm/vm_object.c
+++ b/sys/vm/vm_object.c
@ -1467,6 +1467,24 @@ vm_object_backing_scan(vm_object_t object, int op)
 			}

 			pp = vm_page_lookup(object, new_pindex);
+			if (
+			    (op & OBSC_COLLAPSE_NOWAIT) != 0 &&
+			    (pp != NULL && pp->valid == 0)
+			) {
+				/*
+				 * The page in the parent is not (yet) valid.
+				 * We don't know anything about the state of
+				 * the original page.  It might be mapped,
+				 * so we must avoid the next if here.
+				 *
+				 * This is due to a race in vm_fault() where
+				 * we must unbusy the original (backing_obj)
+				 * page before we can (re)lock the parent.
+				 * Hence we can get here.
+				 */
+				p = next;
+				continue;
+			}
 			if (
 			    pp != NULL ||
 			    vm_pager_has_page(object, new_pindex, NULL, NULL)