From owner-freebsd-hackers  Fri Aug 23 11:56:54 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F2E6337B400
	for <hackers@freebsd.org>; Fri, 23 Aug 2002 11:56:51 -0700 (PDT)
Received: from mail01.svc.cra.dublin.eircom.net (mail01.svc.cra.dublin.eircom.net [159.134.118.17])
	by mx1.FreeBSD.org (Postfix) with SMTP id F3ED543E9E
	for <hackers@freebsd.org>; Fri, 23 Aug 2002 11:56:50 -0700 (PDT)
	(envelope-from pmedwards@eircom.net)
Received: (qmail 17148 messnum 120665 invoked from network[159.134.237.75/jimbo.eircom.net]); 23 Aug 2002 18:56:49 -0000
Received: from jimbo.eircom.net (HELO webmail.eircom.net) (159.134.237.75)
  by mail01.svc.cra.dublin.eircom.net (qp 17148) with SMTP; 23 Aug 2002 18:56:49 -0000
From: "Peter Edwards" <pmedwards@eircom.net>
To: gallatin@cs.duke.edu
Cc: hackers@freebsd.org
Subject: Re: Vinum crash
Date: Fri, 23 Aug 2002 19:56:49 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-Originating-IP: 62.17.151.61
X-Mailer: Eircom Net CRC Webmail (http://www.eircom.net/)
Organization: Eircom Net (http://www.eircom.net/)
Message-Id: <20020823185651.F3ED543E9E@mx1.FreeBSD.org>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

Hi,

Ok, I'm up to my neck in code I've never seen and making wild 
guesses, but:

In vinumrequest.c:launch_requests(), isn't it possible that the 
final BUF_STRATEGY() from line 431 completes before we get back to the top of the outer "for" loop and that complete_rqe gets called for the
last buffer (we don't have splbio()), bringing the refcount of the
entire request down to zero, then freeing the request. You then get to the top of the loop, and rq will have been freed, but you looking at its contents. Ok, maybe not likely but...

I suppose you could just hold one more reference to the request while doing launch_requests() and check after all theB UF_STRATEGYs are done when you decrement the active count and find it's zero, then do the "request-finished" processing as done by complete_rqe

Just a thought...
-- 
Peter Edwards.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message