From: Konstantin Belousov
To: John Baldwin
Cc: Alan Cox, freebsd-current@freebsd.org, Andriy Gapon, Bryan Drewery
Date: Wed, 5 Mar 2014 21:50:01 +0200
Subject: Re: panic: lockmgr still held [tmpfs] [vm_map_remove()->vdropl()] (r262186: Thu Feb 20)

On Wed, Mar 05, 2014 at 02:21:04PM -0500, John Baldwin wrote:
> On Wednesday, March 05, 2014 6:07:23 am Konstantin Belousov wrote:
> > On Wed, Mar 05, 2014 at 11:41:24AM +0200, Andriy Gapon wrote:
> > > on 04/03/2014 18:45 John Baldwin said the following:
> > > > So I'm not sure how to fix this.  The crash is in this code in
> > > > vm_object_deallocate():
> > > >
> > > >         if (object->type == OBJT_SWAP &&
> > > >             (object->flags & OBJ_TMPFS) != 0) {
> > > >                 vp = object->un_pager.swp.swp_tmpfs;
> > > >                 vhold(vp);
> > > >                 VM_OBJECT_WUNLOCK(object);
> > > >                 vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
> > > >                 vdrop(vp);
> > > >                 VM_OBJECT_WLOCK(object);
> > > >                 if (object->type == OBJT_DEAD ||
> > > >                     object->ref_count != 1) {
> > > >                         VM_OBJECT_WUNLOCK(object);
> > > >                         VOP_UNLOCK(vp, 0);
> > > >                         return;
> > > >                 }
> > > >                 if ((object->flags & OBJ_TMPFS) != 0)
> > > >                         VOP_UNSET_TEXT(vp);
> > > >                 VOP_UNLOCK(vp, 0);
> > > >         }
> > > >
> > > > The vdrop() is dropping the count to zero and trying to free the vnode.
> > > > The real problem I think is that swp_tmpfs doesn't have an implicit
> > > > vhold() on the vnode, so in this case, the code is doing a
> > > > vhold/vn_lock/vdrop of an already-free vnode.  For OBJT_VNODE objects,
> > > > the reference from the object back to the vnode holds a vref() that
> > > > gets released by a vput() in vm_object_vndeallocate().
> > > >
> > > > One fix might be to change smp_tmpfs to hold a vhold reference.  This is
> > > > untested but might work (but I'm also not sure that this is the right
> > > > thing in that I don't know what other effects it might have).
> > >
> > > I agree with your analysis, but I don't think that a filesystem holding
> > > its own vnode is a good idea.  If I am not mistaken, that would prevent
> > > tmpfs vnodes from going to the free list.
> > > I'd rather try to modify vm_object_deallocate() code.  E.g. vdrop() could
> > > be called after VOP_UNLOCK().  Alternatively, the code could handle a
> > > doomed vnode in a different way.
> >
> > I agree with Andrey, it is just a bug to vdrop() before unlock.
> > Please try this.
>
> Ok, my only worry is in the case of Bryan's panic, the hold count on the
> vnode was already zero before vhold() was called, so is it possible that it
> is a stale pointer or is there some other implicit reference that prevents
> that?  If it can't be stale, I think deferring the vdrop() is fine.

The object->un_pager.swp.swp_tmpfs is cleared under the object lock before
the vnode is reclaimed, i.e. long before the vnode can be freed.
swp_tmpfs should be kept in sync with the OBJ_TMPFS flag, so the vhold() is
safe while the flag is set and the object is locked.
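Added example, not part of the original message and not FreeBSD code: a userland C model of the ordering problem discussed in this thread, where the temporary hold is dropped while the vnode lock is still held. The toy_* names and struct are hypothetical stand-ins for vhold()/vn_lock()/VOP_UNLOCK()/vdrop(); the starting hold count of zero is the case John describes for Bryan's panic.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy model; none of these names are kernel API. */
struct toy_vnode {
    int  holdcnt;       /* models the vnode hold count */
    bool locked;        /* models the vnode lock (lockmgr) */
    bool freed;         /* last hold dropped, vnode would be freed */
    bool freed_locked;  /* freed while still locked: the panic condition */
};

static void toy_vhold(struct toy_vnode *vp)  { vp->holdcnt++; }
static void toy_lock(struct toy_vnode *vp)   { vp->locked = true; }
static void toy_unlock(struct toy_vnode *vp) { vp->locked = false; }

static void toy_vdrop(struct toy_vnode *vp)
{
    if (--vp->holdcnt == 0) {
        vp->freed = true;
        if (vp->locked)
            vp->freed_locked = true;  /* "lockmgr still held" */
    }
}

/* Order quoted in the thread: vdrop() immediately after vn_lock(). */
static bool dealloc_drop_before_unlock(int initial_holds)
{
    struct toy_vnode v = { .holdcnt = initial_holds };
    toy_vhold(&v);
    toy_lock(&v);
    toy_vdrop(&v);      /* may drop the last hold under the lock */
    toy_unlock(&v);
    return v.freed_locked;
}

/* Order proposed in the thread: vdrop() deferred until after unlock. */
static bool dealloc_drop_after_unlock(int initial_holds)
{
    struct toy_vnode v = { .holdcnt = initial_holds };
    toy_vhold(&v);
    toy_lock(&v);
    toy_unlock(&v);
    toy_vdrop(&v);      /* last hold dropped with the lock released */
    return v.freed_locked;
}

int main(void)
{
    printf("drop before unlock, 0 prior holds: freed locked = %d\n",
        dealloc_drop_before_unlock(0));
    printf("drop after unlock,  0 prior holds: freed locked = %d\n",
        dealloc_drop_after_unlock(0));
    return 0;
}
```

With any other hold outstanding, both orders behave the same; the difference only shows when the temporary hold is the last one.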