Since r354156 we may call release_page() without the page's object's
lock held. Specifically, this happens following the page copy in a CoW
fault. release_page() must therefore unbusy the page only after calling
vm_page_deactivate(). Otherwise, nothing prevents the page from being
freed after the unbusy, and vm_page_deactivate() does not handle races
with vm_page_free_prep().
I do not think there is any harm in keeping the page busy across the
requeue: vm_page_deactivate() moves the page to the tail of the queue,
where the page daemon is not likely to see it before the unbusy is
performed.
Add some assertions to various queue manipulation functions that are
useful for catching this type of bug.