Date:      Wed, 20 May 2015 02:32:08 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-fs@FreeBSD.org
Subject:   [Bug 200288] Modify after Free: ZFS
Message-ID:  <bug-200288-3630-CaHNnGuaPH@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-200288-3630@https.bugs.freebsd.org/bugzilla/>
References:  <bug-200288-3630@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200288

--- Comment #22 from Alexander Kabaev <kan@FreeBSD.org> ---
So, by looking at the zfs range code, I see these constructs:

        if (rl->r_write_wanted) {
            cv_broadcast(&rl->r_wr_cv);
            cv_destroy(&rl->r_wr_cv);
        }
        if (rl->r_read_wanted) {
            cv_broadcast(&rl->r_rd_cv);
            cv_destroy(&rl->r_rd_cv);
        }
        kmem_free(rl, sizeof (rl_t));

The code appears to wake up waiters running on the cv and then immediately proceeds
to destroy the container structure. Looking at the recent change in
kern_condvar.c, it does appear that the thread that awakens does attempt to
decrement the cv_waiters counter in what the other thread has already freed.
Hilarity ensues.

Please try to back out the revision 282971 by jhb and see if that brings your
stability back. FWIW, I think code in zfs is hilarious.

-- 
You are receiving this mail because:
You are the assignee for the bug.
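As an added illustration (not code from the bug report, from ZFS, or from FreeBSD's kern_condvar.c), the following userland C program models the ordering problem described in the comment: a waiter that touches the condition variable's container after being woken, while the waker is already freeing it. The toy structure `toy_rl_t`, the explicit `waiters` field standing in for the kernel's cv_waiters counter, and the helper names `waiter_thread`, `toy_rl_release_and_free` and `run_scenario` are all assumed for this example. The teardown shown is the safe ordering: broadcast, then wait until the waiter count has dropped to zero, and only then destroy the cv and free the container.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy range lock (constructed for this example, not ZFS code). It keeps the
 * shape of the rl_t snippet above: a "wanted" flag, a cv that waiters sleep
 * on, and an explicit waiter count standing in for cv_waiters. The extra
 * count_changed cv lets the destroyer wait for that count to reach zero.
 */
typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t  cv;            /* waiters sleep here (like r_wr_cv) */
    pthread_cond_t  count_changed; /* signalled whenever waiters changes */
    int             wanted;        /* like r_write_wanted */
    int             waiters;       /* threads currently inside the wait */
    int             released;      /* owner has released the range */
} toy_rl_t;

static void *waiter_thread(void *arg)
{
    toy_rl_t *rl = arg;

    pthread_mutex_lock(&rl->lock);
    rl->wanted = 1;
    rl->waiters++;
    pthread_cond_broadcast(&rl->count_changed);
    while (!rl->released)
        pthread_cond_wait(&rl->cv, &rl->lock);
    /*
     * This decrement after wake-up is the access that, in the reported bug,
     * lands on memory the broadcaster has already freed. Here the
     * broadcaster cannot free until the count reaches zero.
     */
    rl->waiters--;
    pthread_cond_broadcast(&rl->count_changed);
    pthread_mutex_unlock(&rl->lock);
    return NULL;
}

/*
 * Safe teardown: wake the waiters, then block until every one of them has
 * left the cv before destroying it and freeing the container. The snippet
 * in the comment instead frees right after cv_broadcast.
 */
static void toy_rl_release_and_free(toy_rl_t *rl)
{
    pthread_mutex_lock(&rl->lock);
    rl->released = 1;
    if (rl->wanted)
        pthread_cond_broadcast(&rl->cv);
    while (rl->waiters > 0)
        pthread_cond_wait(&rl->count_changed, &rl->lock);
    pthread_mutex_unlock(&rl->lock);
    pthread_cond_destroy(&rl->cv);
    pthread_cond_destroy(&rl->count_changed);
    pthread_mutex_destroy(&rl->lock);
    free(rl);
}

/*
 * Parks nwaiters threads on one toy range lock, waits until all are asleep,
 * then releases and frees the lock. Returns the number of waiter threads
 * joined successfully (nwaiters on success), or -1 on allocation failure.
 */
int run_scenario(int nwaiters)
{
    toy_rl_t *rl = calloc(1, sizeof(*rl));
    pthread_t *tids = calloc((size_t)nwaiters, sizeof(*tids));
    int finished = 0;

    if (rl == NULL || tids == NULL) {
        free(rl);
        free(tids);
        return -1;
    }
    pthread_mutex_init(&rl->lock, NULL);
    pthread_cond_init(&rl->cv, NULL);
    pthread_cond_init(&rl->count_changed, NULL);

    for (int i = 0; i < nwaiters; i++)
        if (pthread_create(&tids[i], NULL, waiter_thread, rl) != 0)
            abort(); /* kept short; a real caller would unwind */

    /* Do not tear down until every waiter is inside the wait. */
    pthread_mutex_lock(&rl->lock);
    while (rl->waiters < nwaiters)
        pthread_cond_wait(&rl->count_changed, &rl->lock);
    pthread_mutex_unlock(&rl->lock);

    toy_rl_release_and_free(rl); /* rl must not be touched after this */

    for (int i = 0; i < nwaiters; i++)
        if (pthread_join(tids[i], NULL) == 0)
            finished++;
    free(tids);
    return finished;
}

int main(void)
{
    printf("waiters finished: %d\n", run_scenario(4));
    return 0;
}
```

The key design point is that the last access a woken waiter makes to the shared structure (the decrement and the unlock) happens while the destroyer is still blocked on `count_changed`, so `pthread_cond_destroy` and `free` can only run after every waiter has left. Any teardown that frees before the waiter count reaches zero reintroduces the modify-after-free the comment describes.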
