Date: Wed, 9 Jan 2013 16:48:38 +0000 (UTC) From: "Kenneth D. Merry" <ken@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r245226 - head/sys/vm Message-ID: <201301091648.r09Gmcki048695@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ken Date: Wed Jan 9 16:48:38 2013 New Revision: 245226 URL: http://svnweb.freebsd.org/changeset/base/245226 Log: Fix a bug in the device pager code that can trigger an assertion in devfs if a particular race condition is hit in the device pager code. This was a side effect of change 227530 which changed the device pager interface to call a new destructor routine for the cdev. That destructor routine, old_dev_pager_dtor(), takes a VM object handle. The object handle is cast to a struct cdev *, and passed into dev_rel(). That works in most cases, except the case in cdev_pager_allocate() where there is a race condition between two threads allocating an object backed by the same device. The loser of the race deallocates its object at the end of the function. The problem is that before inserting the object into the dev_pager_object_list, the object's handle is changed from the struct cdev pointer to the object's own address. This is to avoid conflicts with the winner of the race, which already inserted an object in the list with a handle that is a pointer to the same cdev structure. The object is then passed to vm_object_deallocate(), and eventually makes its way down to old_dev_pager_dtor(). That function passes the handle pointer (which is actually a VM object, not a struct cdev as usual) into dev_rel(). dev_rel() decrements the reference count in the assumed struct cdev (which happens to be 0), and that triggers the assertion in dev_rel() that the reference count is greater than or equal to 0. The fix is to add a cdev pointer to the VM object, and use that pointer when calling the cdev_pg_dtor() routine. vm_object.h: Add a struct cdev pointer to the VM object structure. device_pager.c: In cdev_pager_allocate(), populate the new cdev pointer. In dev_pager_dealloc(), use the new cdev pointer when calling the object's cdev_pg_dtor() routine. Reviewed by: kib Sponsored by: Spectra Logic Corporation MFC after: 1 week Modified: head/sys/vm/device_pager.c head/sys/vm/vm_object.h Modified: head/sys/vm/device_pager.c ============================================================================== --- head/sys/vm/device_pager.c Wed Jan 9 15:22:37 2013 (r245225) +++ head/sys/vm/device_pager.c Wed Jan 9 16:48:38 2013 (r245226) @@ -158,6 +158,7 @@ cdev_pager_allocate(void *handle, enum o object1->pg_color = color; object1->handle = handle; object1->un_pager.devp.ops = ops; + object1->un_pager.devp.dev = handle; TAILQ_INIT(&object1->un_pager.devp.devp_pglist); mtx_lock(&dev_pager_mtx); object = vm_pager_object_lookup(&dev_pager_object_list, handle); @@ -235,7 +236,7 @@ dev_pager_dealloc(object) vm_page_t m; VM_OBJECT_UNLOCK(object); - object->un_pager.devp.ops->cdev_pg_dtor(object->handle); + object->un_pager.devp.ops->cdev_pg_dtor(object->un_pager.devp.dev); mtx_lock(&dev_pager_mtx); TAILQ_REMOVE(&dev_pager_object_list, object, pager_object_list); Modified: head/sys/vm/vm_object.h ============================================================================== --- head/sys/vm/vm_object.h Wed Jan 9 15:22:37 2013 (r245225) +++ head/sys/vm/vm_object.h Wed Jan 9 16:48:38 2013 (r245226) @@ -136,6 +136,7 @@ struct vm_object { struct { TAILQ_HEAD(, vm_page) devp_pglist; struct cdev_pager_ops *ops; + struct cdev *dev; } devp; /*
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201301091648.r09Gmcki048695>