Index: sys/vm/vm_fault.c
===================================================================
--- sys/vm/vm_fault.c
+++ sys/vm/vm_fault.c
@@ -121,6 +121,7 @@
 struct faultstate {
 vm_page_t m;
+ vm_page_t m_cow;
 vm_object_t object;
 vm_pindex_t pindex;
 vm_page_t first_m;
@@ -208,6 +209,7 @@
 fault_deallocate(struct faultstate *fs)
 {
+ fault_page_release(&fs->m_cow);
 fault_page_release(&fs->m);
 vm_object_pip_wakeup(fs->object);
 if (fs->object != fs->first_object) {
@@ -818,7 +820,7 @@
 fs.lookup_still_valid = true;
- fs.m = fs.first_m = NULL;
+ fs.m_cow = fs.m = fs.first_m = NULL;
 /*
 * Search for the page at object/offset.
@@ -1254,9 +1256,11 @@
 vm_page_unwire(fs.m, PQ_INACTIVE);
 }
 /*
- * We no longer need the old page or object.
+ * Save the cow page to be released after
+ * pmap_enter is complete.
 */
- fault_page_release(&fs.m);
+ fs.m_cow = fs.m;
+ fs.m = NULL;
 }
 /*
 * fs.object != fs.first_object due to above
Index: sys/vm/vm_object.c
===================================================================
--- sys/vm/vm_object.c
+++ sys/vm/vm_object.c
@@ -1604,6 +1604,9 @@
 if (new_pindex >= object->size)
 break;
+ if (p != NULL && vm_page_busied(p))
+ return (false);
+
 /*
 * See if the parent has the page or if the parent's object
 * pager has the page. If the parent has the page but the page
@@ -1907,8 +1910,7 @@
 * If we do not entirely shadow the backing object,
 * there is nothing we can do so we give up.
 */
- if (object->resident_page_count != object->size &&
- !vm_object_scan_all_shadowed(object)) {
+ if (!vm_object_scan_all_shadowed(object)) {
 VM_OBJECT_WUNLOCK(backing_object);
 break;
 }
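Review bot: After `fs.m_cow = fs.m; fs.m = NULL;` in the hunk at -1254 the source page is no longer released at this point, and the only release this patch adds is `fault_page_release(&fs->m_cow)` in fault_deallocate() (hunk at -208), so every exit taken after the copy has to pass through that function or the page is never released. The pmap_enter call and the success-path cleanup are outside the diff, and the initialisation at -818 sets `fs.m_cow` back to NULL unconditionally, which would drop the pointer if that line can be reached again without an intervening fault_deallocate(). The new comment says when the page is released but not why it has to be kept; I would extend it along the lines of `Keep the source page until the new mapping is installed, so it is not treated as fully shadowed while the copy is still unmapped.`, adjusted to the actual reason. The enclosing block starts and ends outside the hunk.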
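Review bot: The new `if (p != NULL && vm_page_busied(p)) return (false);` in the vm_object.c hunk at -1604 has no comment, and nothing on this side of the patch says why a busy page should make the scan report failure rather than wait. It presumably pairs with the vm_fault.c change that keeps the COW source page in `fs.m_cow` across pmap_enter, so a comment such as `/* A busy page may be the source of a COW fault whose new mapping is not installed yet; do not report it as shadowed. */` would tie the two files together for the next reader. The assignment of `p` and the loop this test sits in are outside the hunk, so it is worth checking that `p` is looked up again on each iteration before this test.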
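Review bot: Dropping `object->resident_page_count != object->size &&` in the vm_object.c hunk at -1907 means vm_object_scan_all_shadowed() now runs on every pass, including the case the old test short-circuited, and the comment above still gives only the one reason for giving up. If the shortcut was removed because it skipped the busy-page test added at -1604 (that is how it reads, but the function body is not in the diff), say so in the comment, e.g. `... or a page of the backing object is busy, ...`, so the fast path is not restored later as an optimisation. The enclosing loop starts and ends outside the hunk.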