https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192863
Bug ID: 192863
Summary: Data race caused by double increment of pq->pq_cnt
Product: Base System
Version: 10.0-RELEASE
Hardware: Any
OS: Any
Status: Needs Triage
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: pfons...@mpi-sws.org

I've found that there are two accesses to "pq->pq_cnt" that are not synchronized and that can race in FreeBSD 10.0. One of the accesses increments the variable in function "vm_pagequeue_cnt_add()" while the other reads its value in function "vm_pageout_scan()". Strangely, "pq->pq_cnt" is currently incremented twice in the function "vm_pagequeue_cnt_add()" (in one instance this is done atomically, in the other it's not).

Racing accesses:

/usr/src/sys/vm/vm_page.h:246

    240 vm_pagequeue_cnt_add(struct vm_pagequeue *pq, int addend)
    241 {
    242
    243 #ifdef notyet
    244         vm_pagequeue_assert_locked(pq);
    245 #endif
==> 246         pq->pq_cnt += addend;
    247         atomic_add_int(pq->pq_vcnt, addend);
    248 }

/usr/src/sys/vm/vm_pageout.c:962 (vm_pageout_scan)

    961         pq = &vmd->vmd_pagequeues[PQ_INACTIVE];
==> 962         maxscan = pq->pq_cnt;
    963         vm_pagequeue_lock(pq);
    964         queues_locked = TRUE;
    965         for (m = TAILQ_FIRST(&pq->pq_pl);
    966              m != NULL && maxscan-- > 0 && page_shortage > 0;
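The ordering problem in the second excerpt (snapshot of pq_cnt taken before vm_pagequeue_lock) can be shown with a small single-threaded model. This is an added illustration, not FreeBSD code: the struct, the flag standing in for the queue mutex, and the function names are all constructed, and "another CPU enqueues pages" is simulated by an explicit call placed in the unlocked window.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the pattern in the report; not the kernel's types. */
struct pagequeue {
    bool locked;   /* stands in for the vm_pagequeue lock */
    int  cnt;      /* stands in for pq->pq_cnt */
};

static void pq_lock(struct pagequeue *pq)   { if (pq->locked) abort(); pq->locked = true; }
static void pq_unlock(struct pagequeue *pq) { pq->locked = false; }

/* Model of vm_pagequeue_cnt_add(): a plain update that relies on the caller
 * holding the queue lock (the "notyet" assertion from vm_page.h, made real). */
static void pagequeue_cnt_add(struct pagequeue *pq, int addend)
{
    if (!pq->locked) abort();
    pq->cnt += addend;
}

/* Stand-in for another CPU freeing pages into the queue while the scanner runs. */
static void concurrent_enqueue(struct pagequeue *pq, int n)
{
    pq_lock(pq);
    pagequeue_cnt_add(pq, n);
    pq_unlock(pq);
}

/* Racy ordering from vm_pageout_scan(): maxscan is read before the lock is
 * taken, so an update that lands in the window is not reflected in the bound. */
static int maxscan_racy(struct pagequeue *pq, int pages_added_in_window)
{
    int maxscan = pq->cnt;                            /* unsynchronized read */
    concurrent_enqueue(pq, pages_added_in_window);    /* the unlocked window */
    pq_lock(pq);
    /* ... walk at most maxscan pages of pq_pl here ... */
    pq_unlock(pq);
    return maxscan;
}

/* Fixed ordering: take the lock first, then snapshot pq_cnt. A concurrent
 * enqueue is serialized by the lock, so it completes either before the
 * snapshot (and is counted) or after the walk, never in between. */
static int maxscan_locked(struct pagequeue *pq, int pages_added_before_lock)
{
    concurrent_enqueue(pq, pages_added_before_lock);  /* serialized by the lock */
    pq_lock(pq);
    int maxscan = pq->cnt;                            /* read under the lock */
    pq_unlock(pq);
    return maxscan;
}
```

With ten pages queued and five added in the window, the racy version returns a bound of 10 while the queue already holds 15; the locked version returns 15.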