From owner-svn-src-all@FreeBSD.ORG Mon Dec 8 16:42:35 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C74C6ECD; Mon, 8 Dec 2014 16:42:35 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9A328C03; Mon, 8 Dec 2014 16:42:35 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id sB8GgZhX006862; Mon, 8 Dec 2014 16:42:35 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id sB8GgZbm006861; Mon, 8 Dec 2014 16:42:35 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201412081642.sB8GgZbm006861@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: kib set sender to kib@FreeBSD.org using -f From: Konstantin Belousov Date: Mon, 8 Dec 2014 16:42:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r275619 - head/sys/kern X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Dec 2014 16:42:35 -0000 Author: kib Date: Mon Dec 8 16:42:34 2014 New Revision: 275619 URL: https://svnweb.freebsd.org/changeset/base/275619 Log: When getnewbuf_reuse_bp() is called to reclaim some (clean) buffer, the vnode owning the buffer is not locked. More, it cannot be locked safely, since getnewbuf_reuse_bp() is called from newbuf(), and some other vnode is already locked, for which reused buffer will be reassigned. As the consequence, reclamation of the owning vnode could go in parallel, in particular, the call to vnode_destroy_vobject(), which deallocates the vm object and zeroes the v_bufobj->bo_object. Note that the pages wired by the buffer are left wired and can be safely freed by the vfs_vmio_release() without the need for the vm object lock. Also, seeing stale pointer to the v_object is safe due to vm object type stability. Check for bo_bufobj != NULL and cache the value in local variable to avoid trying to lock NULL vm object. Reported and tested by: pho Sponsored by: The FreeBSD Foundation MFC after: 1 week Modified: head/sys/kern/vfs_bio.c Modified: head/sys/kern/vfs_bio.c ============================================================================== --- head/sys/kern/vfs_bio.c Mon Dec 8 16:33:18 2014 (r275618) +++ head/sys/kern/vfs_bio.c Mon Dec 8 16:42:34 2014 (r275619) @@ -1883,15 +1883,18 @@ out: static void vfs_vmio_release(struct buf *bp) { - int i; + vm_object_t obj; vm_page_t m; + int i; if ((bp->b_flags & B_UNMAPPED) == 0) { BUF_CHECK_MAPPED(bp); pmap_qremove(trunc_page((vm_offset_t)bp->b_data), bp->b_npages); } else BUF_CHECK_UNMAPPED(bp); - VM_OBJECT_WLOCK(bp->b_bufobj->bo_object); + obj = bp->b_bufobj->bo_object; + if (obj != NULL) + VM_OBJECT_WLOCK(obj); for (i = 0; i < bp->b_npages; i++) { m = bp->b_pages[i]; bp->b_pages[i] = NULL; @@ -1916,7 +1919,8 @@ vfs_vmio_release(struct buf *bp) vm_page_try_to_cache(m); vm_page_unlock(m); } - VM_OBJECT_WUNLOCK(bp->b_bufobj->bo_object); + if (obj != NULL) + VM_OBJECT_WUNLOCK(obj); if (bp->b_bufsize) { bufspacewakeup();