On 26/12/25(Fri) 13:36, Alexander Bluhm wrote:
> On Fri, Dec 26, 2025 at 01:02:17PM +0100, Alexander Bluhm wrote:
> > Anyway. Currently I cannot reproduce. I will keep an eye on it.
> > I will use the diff below if it happens again.
>
> And just after writing this, I hit the crash.
Thanks Alexander, so this confirms the race with uvm_pagefree().
Here's the full diff. Would you please try to reproduce the panic with
it and hopefully report the next bug?
Index: uvm/uvm_page.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_page.c,v
diff -u -p -r1.186 uvm_page.c
--- uvm/uvm_page.c 22 Dec 2025 10:57:14 -0000 1.186
+++ uvm/uvm_page.c 27 Dec 2025 09:25:25 -0000
@@ -971,6 +971,10 @@ uvm_pageclean(struct vm_page *pg)
*/
if (pg->pg_flags & PG_TABLED)
uvm_pageremove(pg);
+ if (pg->uanon) {
+ pg->uanon->an_page = NULL;
+ pg->uanon = NULL;
+ }
/*
* now remove the page from the queues
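Review bot: the relocated pg->uanon block, now placed right after uvm_pageremove() and ahead of the "now remove the page from the queues" step, carries no comment explaining why it has to sit there. The placement is the substance of the change, so a short comment above `if (pg->uanon) {` would keep a later cleanup from moving it back. It should state the ordering requirement and point at uvmpd_trylockowner(), which in this same diff starts tolerating a page whose uanon is NULL.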
@@ -987,10 +991,6 @@ uvm_pageclean(struct vm_page *pg)
if (pg->wire_count) {
pg->wire_count = 0;
atomic_dec_int(&uvmexp.wired);
- }
- if (pg->uanon) {
- pg->uanon->an_page = NULL;
- pg->uanon = NULL;
}
/* Clean page state bits. */
Index: uvm/uvm_pdaemon.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_pdaemon.c,v
diff -u -p -r1.144 uvm_pdaemon.c
--- uvm/uvm_pdaemon.c 24 Dec 2025 10:29:22 -0000 1.144
+++ uvm/uvm_pdaemon.c 27 Dec 2025 09:20:44 -0000
@@ -396,15 +396,17 @@ uvmpd_trylockowner(struct vm_page *pg)
{
struct uvm_object *uobj = pg->uobject;
+ struct vm_anon *anon = pg->uanon;
struct rwlock *slock;
if (uobj != NULL) {
slock = uobj->vmobjlock;
- } else {
- struct vm_anon *anon = pg->uanon;
-
- KASSERT(anon != NULL);
+ KASSERTMSG(slock != NULL, "pg %p uobj %p, NULL lock", pg, uobj);
+ } else if (anon != NULL) {
slock = anon->an_lock;
+ KASSERTMSG(slock != NULL, "pg %p anon %p, NULL lock", pg, anon);
+ } else {
+ return NULL;
}
if (rw_enter(slock, RW_WRITE|RW_NOSLEEP)) {
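Review bot: the owner pointers are sampled at the top (`struct uvm_object *uobj = pg->uobject;` and `struct vm_anon *anon = pg->uanon;`) before any lock is held, so the anon used for `slock = anon->an_lock;` can already be detached from the page by the time rw_enter() succeeds. The lines after rw_enter() are not visible here; if they do not already do so, re-check that pg->uanon (or pg->uobject) still equals the sampled value once the lock is held, and drop the lock and return NULL on mismatch. The new `return NULL;` branch also replaces the old KASSERT(anon != NULL) without explanation; a one-line comment saying that an ownerless page is expected while uvm_pageclean() is running would document why this state is now legal, and callers should be checked to treat this NULL the same as a failed trylock.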