Date: Wed, 20 May 2015 02:32:08 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-fs@FreeBSD.org
Subject: [Bug 200288] Modify after Free: ZFS
Message-ID: <bug-200288-3630-CaHNnGuaPH@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-200288-3630@https.bugs.freebsd.org/bugzilla/>
References: <bug-200288-3630@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200288

--- Comment #22 from Alexander Kabaev <kan@FreeBSD.org> ---

So, by looking at the zfs range code, I see these constructs:

    if (rl->r_write_wanted) {
        cv_broadcast(&rl->r_wr_cv);   /* wake writers waiting on this range */
        cv_destroy(&rl->r_wr_cv);     /* destroyed right after the wakeup */
    }
    if (rl->r_read_wanted) {
        cv_broadcast(&rl->r_rd_cv);   /* wake readers waiting on this range */
        cv_destroy(&rl->r_rd_cv);
    }
    kmem_free(rl, sizeof (rl_t));     /* the structure holding both cvs is freed */

The code appears to wake up waiters running on cv and then immediately proceeds to destroy the container structure. Looking at the recent change in kern_condvar.c, it does appear that the thread that awakens does attempt to decrement the cv_waiters counter in what the other thread has already freed. Hilarity ensues.

Please try to back out the revision 282971 by jhb and see if that brings your stability back.

FWIW, I think code in zfs is hilarious.

-- 
You are receiving this mail because:
You are the assignee for the bug.
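The comment above describes cv_broadcast followed at once by cv_destroy and kmem_free while a woken waiter may still touch the cv. As an added illustration (constructed here, not code from the bug report, ZFS or FreeBSD), this user-space pthreads model shows one defensive structure for that situation: reference-count the object that holds the condvar, so destroy and free run only when the last holder, waiter or waker, lets go. The names rl_t, rl_put, waiter and run_scenario are invented for the example.

```c
#include <pthread.h>
#include <stdlib.h>
/* Constructed user-space model (not the ZFS or FreeBSD code): the object that
 * holds the condvar is reference counted, so the last holder, not necessarily
 * the waker, runs cv_destroy/free and a woken waiter never touches freed memory. */
typedef struct rl {
    pthread_mutex_t m;
    pthread_cond_t cv;
    int refs;      /* creator + one per waiter, handed out before they start */
    int released;  /* the event waiters sleep for */
} rl_t;
static int frees;  /* times the object was actually freed; must end as 1 */
/* Drop a reference with rl->m held; the last one out destroys and frees. */
static void rl_put(rl_t *rl) {
    int last = (--rl->refs == 0);
    pthread_mutex_unlock(&rl->m);
    if (!last) return;
    pthread_cond_destroy(&rl->cv);  /* safe: no waiter can still use cv */
    pthread_mutex_destroy(&rl->m);
    free(rl);
    frees++;
}
static void *waiter(void *arg) {
    rl_t *rl = arg;
    pthread_mutex_lock(&rl->m);
    while (!rl->released)
        pthread_cond_wait(&rl->cv, &rl->m);
    rl_put(rl);  /* we hold a ref, so rl is still valid after waking */
    return (void *)1;
}
/* Start nwaiters sleepers, wake them all, drop our own ref. Returns 1 if every
 * waiter woke and the object was freed exactly once, else 0. */
int run_scenario(int nwaiters) {
    pthread_t th[32];
    if (nwaiters < 1 || nwaiters > 32) return 0;
    frees = 0;
    rl_t *rl = calloc(1, sizeof *rl);
    pthread_mutex_init(&rl->m, NULL);
    pthread_cond_init(&rl->cv, NULL);
    rl->refs = 1 + nwaiters;
    for (int i = 0; i < nwaiters; i++) pthread_create(&th[i], NULL, waiter, rl);
    pthread_mutex_lock(&rl->m);
    rl->released = 1;
    pthread_cond_broadcast(&rl->cv);  /* wake everyone... */
    rl_put(rl);                       /* ...but free only if nobody else holds it */
    int woken = 0;
    for (int i = 0; i < nwaiters; i++) { void *r; pthread_join(th[i], &r); woken += r != NULL; }
    return woken == nwaiters && frees == 1;
}
```

Contrast this with the snippet in the comment, where the waker destroys the cv and frees the container unconditionally right after the broadcast.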