Back out rev. 1.125. This bit was left behind (intentionally?) when the

remainder of that commit was backed out.  However,clearing the PQ_AOBJ bit
here is definitely wrong.

Our pagedaemon uses two separate lists to keep track of inactive
pages.  It uses PQ_SWAPBACKED, which really is both PQ_ANON and
PQ_AOBJ to keep track of which inactive queue a page is sitting on.
So if you twiddle PQ_AOBJ (or PQ_ANON) for an inactive page, a
subsequent uvm_pagefree(9) will remove the page from the wrong queue!
This usually goes unnoticed, but if the page happens to be the last
one on the queue, the queues get corrupted.  The damage quickly
spreads to the free page queues and almost certainly results in the
uvm_pmr_size_RB_REMOVE_COLOR() faults that people have seen
sporadically since the spring of this year.

ok visa@, beck@, krw@, guenther@

1 files changed, 1 insertions, 2 deletions

diff --git a/sys/uvm/uvm_km.c b/sys/uvm/uvm_km.c
index 385a13374fa..96ba63600bc 100644
--- a/sys/uvm/uvm_km.c
+++ b/sys/uvm/uvm_km.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: uvm_km.c,v 1.126 2015/02/07 08:21:24 miod Exp $	*/
+/*	$OpenBSD: uvm_km.c,v 1.127 2015/09/17 18:04:49 kettenis Exp $	*/
 /*	$NetBSD: uvm_km.c,v 1.42 2001/01/14 02:10:01 thorpej Exp $	*/
 
 /* 
@@ -259,7 +259,6 @@ uvm_km_pgremove(struct uvm_object *uobj, vaddr_t start, vaddr_t end)
 		slot = uao_dropswap(uobj, curoff >> PAGE_SHIFT);
 
 		if (pp != NULL) {
-			atomic_clearbits_int(&pp->pg_flags, PQ_AOBJ);
 			uvm_lock_pageq();
 			uvm_pagefree(pp);
 			uvm_unlock_pageq();