From cec3990d347972c30558b135b1bc9954184fb5fe Mon Sep 17 00:00:00 2001 From: Mark Johnston Date: Thu, 11 Mar 2021 10:34:28 -0500 Subject: vm_reserv: Fix list locking in vm_reserv_reclaim_contig() The per-domain partpop queue is locked by the combination of the per-domain lock and individual reservation mutexes. vm_reserv_reclaim_contig() scans the queue looking for partially populated reservations that can be reclaimed in order to satisfy the caller's allocation. During the scan, we drop the per-domain lock. At this point, the rvn pointer may be invalidated. Take care to load rvn after re-acquiring the per-domain lock. While here, simplify the condition used to check whether a reservation was dequeued while the per-domain lock was dropped. Reviewed by: alc, kib Reported by: gallatin Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D29203 (cherry picked from commit 968079f253c11433d47bece4b41b46fcbf985903) --- sys/vm/vm_reserv.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/sys/vm/vm_reserv.c b/sys/vm/vm_reserv.c index e7f542a66fdb..a9602c3977df 100644 --- a/sys/vm/vm_reserv.c +++ b/sys/vm/vm_reserv.c @@ -1344,8 +1344,8 @@ vm_reserv_reclaim_contig(int domain, u_long npages, vm_paddr_t low, TAILQ_INSERT_AFTER(queue, rv, marker, partpopq); vm_reserv_domain_unlock(domain); vm_reserv_lock(rv); - if (!rv->inpartpopq || - TAILQ_NEXT(rv, partpopq) != marker) { + if (TAILQ_PREV(marker, vm_reserv_queue, partpopq) != + rv) { vm_reserv_unlock(rv); vm_reserv_domain_lock(domain); rvn = TAILQ_NEXT(marker, partpopq); @@ -1363,8 +1363,9 @@ vm_reserv_reclaim_contig(int domain, u_long npages, vm_paddr_t low, vm_reserv_unlock(rv); return (true); } - vm_reserv_unlock(rv); vm_reserv_domain_lock(domain); + rvn = TAILQ_NEXT(rv, partpopq); + vm_reserv_unlock(rv); } vm_reserv_domain_unlock(domain); vm_reserv_domain_scan_unlock(domain); -- cgit v1.2.3