From: Suleiman Souhlal <ssouhlal@FreeBSD.org>
Date: Wed, 18 Jan 2006 17:31:00 -0800
To: John Baldwin
Cc: freebsd-current@freebsd.org, current@freebsd.org, Kris Kennaway
Subject: Re: System call munmap returning with the following locks held: Giant
Message-ID: <43CEEBD4.3060604@FreeBSD.org>
In-Reply-To: <200601181652.59407.jhb@freebsd.org>

Hi,

John Baldwin wrote:
> I sent this to you on IRC, but for the archives, here's a possible fix. It
> looks like vm_object_deallocate() never unlocks Giant if it locks it, and the
> leak would only happen if mpsafevfs=0 or you are using a non-safe filesystem:

The real problem is that vm_object_deallocate() doesn't expect the object's
type to change if it sees it's a vnode, when it's not holding the object lock:

	/*
	 * In general, the object should be locked when working with
	 * its type.  In this case, in order to maintain proper lock
	 * ordering, an exception is possible because a vnode-backed
	 * object never changes its type.
	 */
	vfslocked = 0;
	if (object->type == OBJT_VNODE) {
		struct vnode *vp = (struct vnode *) object->handle;
		vfslocked = VFS_LOCK_GIANT(vp->v_mount);
	}
	VM_OBJECT_LOCK(object);
	if (object->type == OBJT_VNODE) {
		vm_object_vndeallocate(object);
		VFS_UNLOCK_GIANT(vfslocked);
		return;
	}

The comment is actually wrong, and the object's type can change to OBJT_DEAD
when the corresponding vnode gets freed, so maybe you might want to change it.

-- 
Suleiman
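The lock leak discussed in this thread, modelled as an added example that is not the FreeBSD kernel's code: a user-space sketch of the conditional-Giant path in vm_object_deallocate(), where Giant is taken on an unlocked type check and released only on the OBJT_VNODE path. The names obj_t, giant_held, deallocate() and giant_after() are hypothetical, and the locks are plain counters so that a leaked Giant is directly observable.

```c
/* Added example, not FreeBSD kernel code: a user-space model of the
 * conditional-Giant path in vm_object_deallocate() quoted in this mail.
 * obj_t, giant_held, deallocate() and giant_after() are hypothetical names;
 * locks are plain counters so a leaked Giant is directly observable. */
enum obj_type { OBJT_DEFAULT, OBJT_VNODE, OBJT_DEAD };

typedef struct { enum obj_type type; int locked; } obj_t;

static int giant_held;  /* models Giant's hold count */

/* Models VFS_LOCK_GIANT()/VFS_UNLOCK_GIANT(): assume a non-MPSAFE mount,
 * so Giant is always taken and the call returns 1. */
static int vfs_lock_giant(void) { giant_held++; return 1; }
static void vfs_unlock_giant(int vfslocked) { if (vfslocked) giant_held--; }

/* Models VM_OBJECT_LOCK(); with race set, the vnode is reclaimed in the
 * unlocked window, so the object is OBJT_DEAD by the time we hold the lock. */
static void vm_object_lock(obj_t *o, int race) {
    if (race && o->type == OBJT_VNODE) o->type = OBJT_DEAD;
    o->locked = 1;
}
static void vm_object_unlock(obj_t *o) { o->locked = 0; }

/* The structure of the quoted snippet. fixed == 0 reproduces it as-is;
 * fixed == 1 releases Giant on the path where the type changed. */
static void deallocate(obj_t *o, int race, int fixed) {
    int vfslocked = 0;
    if (o->type == OBJT_VNODE)          /* checked without the object lock */
        vfslocked = vfs_lock_giant();
    vm_object_lock(o, race);
    if (o->type == OBJT_VNODE) {        /* vnode path: Giant released here */
        vm_object_unlock(o);
        vfs_unlock_giant(vfslocked);
        return;
    }
    /* OBJT_DEAD path: the original code continues without touching
     * vfslocked, so Giant stays held; the fix drops it before going on. */
    if (fixed) vfs_unlock_giant(vfslocked);
    vm_object_unlock(o);
}

/* Giant hold count after one deallocate() of a vnode-backed object;
 * 0 means every lock that was acquired was also released. */
int giant_after(int race, int fixed) {
    obj_t o = { OBJT_VNODE, 0 };
    giant_held = 0;
    deallocate(&o, race, fixed);
    return giant_held;
}
```

giant_after(1, 0) returns 1, reproducing the "returning with the following locks held: Giant" condition, while giant_after(1, 1) returns 0.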