Date:      Wed, 18 Jan 2006 16:52:56 -0500
From:      John Baldwin <jhb@freebsd.org>
To:        freebsd-current@freebsd.org
Cc:        current@freebsd.org, Kris Kennaway <kris@obsecurity.org>
Subject:   Re: System call munmap returning with the following locks held: Giant
Message-ID:  <200601181652.59407.jhb@freebsd.org>
In-Reply-To: <20060118070549.GA617@xor.obsecurity.org>
References:  <20060118070549.GA617@xor.obsecurity.org>

On Wednesday 18 January 2006 02:05, Kris Kennaway wrote:
> I ran some code of ups@ that essentially does mmap/munmap of created
> files, which I ran on a nfs-mounted filesystem.  At the same time I
> was running umount -f on that filesystem in a loop (this was all to
> try and provoke another umount -f panic I'm seeing).  It quickly
> panicked with this:
>
> System call munmap returning with the following locks held:
> exclusive sleep mutex Giant r = 0 (0xc07ea408) locked @ vm/vm_object.c:449
> panic: witness_warn
> cpuid = 1
> KDB: enter: panic
> [thread pid 3045 tid 100101 ]
> Stopped at      kdb_enter+0x30: leave
> db> wh
> Tracing pid 3045 tid 100101 td 0xc9627000
> kdb_enter(c071c7f5,1,c0720ca2,f7a46c64,c9627000) at kdb_enter+0x30
> panic(c0720ca2,f7a46c8c,1,2,c9627000) at panic+0x13f
> witness_warn(2,0,c073c410,c07214aa,c9922318) at witness_warn+0x16a
> syscall(3b,3b,3b,2804ebb6,bfbfe8a8) at syscall+0x56d
> Xint0x80_syscall() at Xint0x80_syscall+0x1f
> --- syscall (0, FreeBSD ELF32, nosys), eip = 0x28127e7f, esp = 0xbfbfe7fc,
> ebp = 0xbfbfe828 --- db>

I sent this to you on IRC, but for the archives, here's a possible fix.  It 
looks like vm_object_deallocate() never unlocks Giant if it locks it, and the 
leak would only happen if mpsafevfs=0 or you are using a non-safe filesystem:

Index: vm_object.c
===================================================================
RCS file: /usr/cvs/src/sys/vm/vm_object.c,v
retrieving revision 1.353
diff -u -r1.353 vm_object.c
--- vm_object.c	31 Dec 2005 14:39:20 -0000	1.353
+++ vm_object.c	18 Jan 2006 18:50:40 -0000
@@ -467,6 +467,7 @@
 		object->ref_count--;
 		if (object->ref_count > 1) {
 			VM_OBJECT_UNLOCK(object);
+			VFS_UNLOCK_GIANT(vfslocked);
 			return;
 		} else if (object->ref_count == 1) {
 			if (object->shadow_count == 0) {
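Review bot: the new VFS_UNLOCK_GIANT(vfslocked) on the ref_count > 1 early return matches the leak described in the mail, but this hunk does not show where vfslocked is set or reset inside the while loop; since the later hunks assert `vfslocked == 0` on the `continue` paths and only unlock on the return paths, please confirm the variable is initialised to 0 at the top of each iteration, so an object that never took Giant cannot inherit a stale nonzero value and unlock a mutex it does not own.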
@@ -495,6 +496,7 @@
 					 * Let the lower priority thread run.
 					 */
 					tsleep(&proc0, PVM, "vmo_de", 1);
+					MPASS(vfslocked == 0);
 					continue;
 				}
 				/*
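Review bot: MPASS(vfslocked == 0) before the `continue` after tsleep() only fires on INVARIANTS kernels, so it documents rather than enforces that Giant is not held when looping back to the top; a one-line comment stating why this path can never carry Giant (or a VFS_UNLOCK_GIANT(vfslocked) in place of the assertion, if that is not guaranteed) would make the intent explicit and keep a production kernel from silently leaking Giant here.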
@@ -535,11 +537,13 @@
 					object = robject;
 					vm_object_collapse(object);
 					VM_OBJECT_UNLOCK(object);
+					MPASS(vfslocked == 0);
 					continue;
 				}
 				VM_OBJECT_UNLOCK(robject);
 			}
 			VM_OBJECT_UNLOCK(object);
+			MPASS(vfslocked == 0);
 			return;
 		}
 doterm:
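Review bot: the two assertions added here treat the shadow-collapse `continue` and the `VM_OBJECT_UNLOCK(object); return;` exit differently from the ref_count > 1 return in the first hunk, which unlocks Giant instead of asserting it was never acquired; the visible context does not show why Giant can be held on one return path but not the other, so a short comment where vfslocked becomes nonzero, naming the branches it can reach, would let a reader verify that `MPASS(vfslocked == 0)` before `return` is the right choice rather than a missing unlock.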
@@ -562,6 +566,7 @@
 		else
 			VM_OBJECT_UNLOCK(object);
 		object = temp;
+		VFS_UNLOCK_GIANT(vfslocked);
 	}
 }
 
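Review bot: the VFS_UNLOCK_GIANT(vfslocked) at the bottom of the loop runs after `object = temp;`, i.e. once the iteration has already advanced to the backing object; the ordering is fine because `VM_OBJECT_UNLOCK(object)` above has already dropped the object lock, but it means this unlock pairs with the previous object's VFS_LOCK_GIANT(), so vfslocked must be recomputed for the new object (and reset to 0 when it is not vnode-backed) before the next iteration reaches any of the early returns, otherwise the same nonzero value would be passed to VFS_UNLOCK_GIANT() twice and Giant would be released without being held.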

-- 
John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org


