git: kernel - Fix MP race in kmalloc/kfree

Matthew Dillon dillon at
Wed Sep 29 17:08:25 PDT 2010

commit df9daea899a8461728f182d303b51686d5e6a3dc
Author: Matthew Dillon <dillon at>
Date:   Wed Sep 29 17:01:53 2010 -0700

    kernel - Fix MP race in kmalloc/kfree

    * Fix two cases where a zone is mis-handled by the new kfree().  Note,
      however, that the race being fixed is nearly impossible (might even
      BE impossible) to produce because it requires a slab to go from
      completely empty to completely full through hysteresis and then destroyed
      all in a few microseconds.

      Essentially when a kfree() occurs on a cpu which is not the owner of
      the zone the chunk is linked into a side-list on the zone using atomic
      ops.  Under certain (very rare) circumstances the cpu doing the kfree()
      must IPI the cpu that owns the zone.

      The moment the chunk is linked in the cpu owning the zone can race the
      incoming IPI and destroy the zone (if it is now completely unused).
      The old kmemusage code handled the race just fine but the new vm_page_t
      based big-block handler could not.

      The solution is to have an atomic-ops counter for inflight IPIs which
      prevents the owning cpu from destroying the zone prematurely.

Summary of changes:
 sys/kern/kern_slaballoc.c |  141 ++++++++++++++++++++++++---------------------
 sys/sys/slaballoc.h       |    1 +
 2 files changed, 77 insertions(+), 65 deletions(-)
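
The in-flight IPI guard described in the commit message, as an added C model that is not DragonFly's code and not part of the original post. The struct, field and function names are assumptions, and the racy interleaving is replayed in a fixed order on one thread instead of on real cpus.

```c
/* Added model of the fix, not DragonFly's code; every name here is hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
struct chunk { struct chunk *next; };
struct zone {
    int nfree, nmax;                     /* touched only by the owning cpu */
    _Atomic(struct chunk *) remote_free; /* side-list filled by other cpus */
    atomic_int ipi_inflight;             /* IPIs sent but not yet handled */
    bool destroyed;
};
/* Non-owner cpu: count the IPI first, then publish the chunk with a CAS push. */
static void remote_kfree(struct zone *z, struct chunk *c) {
    atomic_fetch_add(&z->ipi_inflight, 1);
    c->next = atomic_load(&z->remote_free);
    while (!atomic_compare_exchange_weak(&z->remote_free, &c->next, c))
        ;                                /* c->next is refreshed on failure */
}

/* Owner cpu: fold the side-list back into its private free count. */
static void owner_drain(struct zone *z) {
    for (struct chunk *c = atomic_exchange(&z->remote_free, NULL); c; c = c->next)
        z->nfree++;
}

/* Owner cpu: with guard set, a pending IPI keeps an unused zone alive. */
static bool owner_try_destroy(struct zone *z, bool guard) {
    owner_drain(z);
    if (z->nfree != z->nmax || (guard && atomic_load(&z->ipi_inflight) != 0))
        return false;
    return (z->destroyed = true);
}

/* Owner cpu, IPI handler: reports whether the zone it touches still exists. */
static bool owner_ipi(struct zone *z) {
    bool alive = !z->destroyed;
    atomic_fetch_sub(&z->ipi_inflight, 1);
    return alive;
}

/* Replays the interleaving: remote free, owner destroy attempt, late IPI. */
static bool ipi_finds_live_zone(bool guard) {
    struct chunk c = { NULL };
    struct zone z = { .nfree = 0, .nmax = 1 }; /* one chunk, currently allocated */
    remote_kfree(&z, &c);
    owner_try_destroy(&z, guard);
    return owner_ipi(&z);
}

int main(void) { return ipi_finds_live_zone(true) && !ipi_finds_live_zone(false) ? 0 : 1; }
```

With `guard` false the handler runs against a zone that has already been torn down; with it true the destroy is deferred until the handler has decremented the counter. Incrementing before the push matters: once the owner can see the chunk, it can also see the pending IPI.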
