Date: Fri, 2 Oct 2009 18:11:55 GMT
From: Gleb Kurtsou <gk@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/139312: [PATCH] tmpfs mmap synchronization bug
Message-ID: <200910021811.n92IBtib073246@www.freebsd.org>
Resent-Message-ID: <200910021820.n92IK1n6081061@freefall.freebsd.org>
>Number: 139312
>Category: kern
>Synopsis: [PATCH] tmpfs mmap synchronization bug
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Oct 02 18:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Gleb Kurtsou
>Release: 9-CURRENT
>Organization:
>Environment:
FreeBSD tops 9.0-CURRENT FreeBSD 9.0-CURRENT #6 r197608+311ce2b: Tue Sep 29 09:02:48 EEST 2009 root@tops:/usr/obj/usr/freebsd-src/local/sys/TOPS amd64
>Description:
Mmapped pages can get out of sync in tmpfs. The bug is 100% reproducible by:

# fsx -S 125 -d /tmpfs/file

It breaks at operation 42.

Fix is inspired by zfs; it calls vm_page_cache_free().

Reading zfs sources, it looks like it doesn't check v_object->cache, but nevertheless the bug never shows up there. Probably it's because of zfs using VOP_BMAP to do page mapping. tmpfs uses the default vop_getpages/vop_putpages, which invoke vop_read/vop_write accordingly.

Removing the v_object->cache == NULL checks breaks things again.

The same fix works fine in pefs (http://wiki.freebsd.org/SOC2009GlebKurtsov)
>How-To-Repeat:
# fsx -S 125 -d /tmpfs/file

It breaks at operation 42.
>Fix:
Patch attached with submission follows:

diff --git a/sys/fs/tmpfs/tmpfs_vnops.c b/sys/fs/tmpfs/tmpfs_vnops.c index db8ceea..59d94d7 100644 --- a/sys/fs/tmpfs/tmpfs_vnops.c +++ b/sys/fs/tmpfs/tmpfs_vnops.c @@ -444,7 +444,8 @@ tmpfs_mappedread(vm_object_t vobj, vm_object_t tobj, size_t len, struct uio *uio offset = addr & PAGE_MASK; tlen = MIN(PAGE_SIZE - offset, len); - if ((vobj == NULL) || (vobj->resident_page_count == 0)) + if ((vobj == NULL) || + (vobj->resident_page_count == 0 && vobj->cache == NULL)) goto nocache; VM_OBJECT_LOCK(vobj); 
@@ -555,7 +556,8 @@ tmpfs_mappedwrite(vm_object_t vobj, vm_object_t tobj, size_t len, struct uio *ui offset = addr & PAGE_MASK; tlen = MIN(PAGE_SIZE - offset, len); - if ((vobj == NULL) || (vobj->resident_page_count == 0)) { + if ((vobj == NULL) || + (vobj->resident_page_count == 0 && vobj->cache == NULL)) { vpg = NULL; goto nocache; } @@ -573,6 +575,8 @@ lookupvpg: VM_OBJECT_UNLOCK(vobj); error = uiomove_fromphys(&vpg, offset, tlen, uio); } else { + if (__predict_false(vobj->cache != NULL)) + vm_page_cache_free(vobj, idx, idx + 1); VM_OBJECT_UNLOCK(vobj); vpg = NULL; }
>Release-Note:
>Audit-Trail:
>Unformatted:
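
Review bot: in the tmpfs_mappedread hunk (@@ -444), the new vobj->cache == NULL test is evaluated together with resident_page_count before VM_OBJECT_LOCK(vobj), so both fields are read without the object lock held. Either move the test under the lock or add a comment stating why an unlocked read is acceptable here, because a page can change state between the test and the lock. The hunk also shows no change to what the read path does once it passes this test with only cached pages present; a sentence on that in a comment or in the commit message would help the next reader.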
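
Review bot: the condition added in the tmpfs_mappedwrite hunk (@@ -555) duplicates the one added to tmpfs_mappedread, and the description says that removing the cache == NULL part brings the bug back. Put the test (vobj == NULL || (vobj->resident_page_count == 0 && vobj->cache == NULL)) in one small static inline helper used by both functions, so a later edit cannot update one copy and miss the other.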
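
Review bot: the vm_page_cache_free(vobj, idx, idx + 1) call added to the else branch in the lookupvpg hunk (@@ -573) carries no comment, although it is the core of the fix. Add a short comment above the if (__predict_false(vobj->cache != NULL)) line saying why a cached page at idx must be dropped when no resident page was found, and that the call is deliberately placed before VM_OBJECT_UNLOCK(vobj). A reference to the fsx reproducer from the description (fsx -S 125 -d /tmpfs/file) in the commit message would make the change easy to re-verify.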