From ba2b3349e18e180fe722dcbe1115b3af74f01ff2 Mon Sep 17 00:00:00 2001
From: Mark Johnston
Date: Thu, 17 May 2018 04:27:08 +0000
Subject: [PATCH] Fix a race in vm_page_pagequeue_lockptr().

The value of m->queue must be cached after comparing it with PQ_NONE, since it may be concurrently changing.

Reported by: glebius
Reviewed by: jeff
Differential Revision: https://reviews.freebsd.org/D15462
---
 sys/vm/vm_page.c | 5 +++--
 sys/vm/vm_page.h | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/sys/vm/vm_page.c b/sys/vm/vm_page.c
index fc3e80d4303..9c3fdbaf20b 100644
--- a/sys/vm/vm_page.c
+++ b/sys/vm/vm_page.c
@@ -3088,10 +3088,11 @@ vm_page_pagequeue(vm_page_t m)
 static struct mtx *
 vm_page_pagequeue_lockptr(vm_page_t m)
 {
+ uint8_t queue;
 
- if (m->queue == PQ_NONE)
+ if ((queue = m->queue) == PQ_NONE)
 return (NULL);
- return (&vm_page_pagequeue(m)->pq_mutex);
+ return (&vm_pagequeue_domain(m)->vmd_pagequeues[queue].pq_mutex);
 }
 
 static inline void
diff --git a/sys/vm/vm_page.h b/sys/vm/vm_page.h
index 1b3289bcefc..3942acc34ab 100644
--- a/sys/vm/vm_page.h
+++ b/sys/vm/vm_page.h
@@ -208,7 +208,7 @@ struct vm_page {
 uint16_t flags; /* page PG_* flags (P) */
 uint8_t aflags; /* access is atomic */
 uint8_t oflags; /* page VPO_* flags (O) */
- uint8_t queue; /* page queue index (Q) */
+ volatile uint8_t queue; /* page queue index (Q) */
 int8_t psind; /* pagesizes[] index (O) */
 int8_t segind; /* vm_phys segment index (C) */
 uint8_t order; /* index of the buddy queue (F) */
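Review bot: The mutex returned by vm_page_pagequeue_lockptr() is derived from a one-time snapshot of `m->queue`, so it can already be stale when a caller acquires it, and nothing in the new code states that callers must recheck the page's queue under the lock. The callers are outside this hunk, so whether they revalidate cannot be confirmed from here. A comment above the read would make the contract explicit, for example `/* Snapshot m->queue once; it may change concurrently, so callers must revalidate after locking. */`. The single load also depends on the `volatile` qualifier added in vm_page.h, which is worth naming in the same comment so the dependency is not lost in a later cleanup.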
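Review bot: The comment on `queue` in struct vm_page still reads `/* page queue index (Q) */`, which implies the field is only accessed under the page queue lock, while the new `volatile` appears to be there because vm_page_pagequeue_lockptr() reads it without that lock. `volatile` only keeps the compiler from caching or re-reading the byte and gives no ordering against the other fields, so the annotation should say what an unlocked reader may assume, e.g. `/* page queue index (Q); may be read once without the lock, recheck under it */`. The struct definition starts and ends outside this hunk, so other unlocked readers of the field are not visible here.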