Date: Fri, 29 Jul 2005 18:42:00 GMT
From: Ade Lovett <ade@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/84318: non-atomic operations on vfs.runningbufspace
Message-ID: <200507291842.j6TIg07B046329@freefall.freebsd.org>
Resent-Message-ID: <200507291850.j6TIo8w1046468@freefall.freebsd.org>
>Number: 84318 >Category: kern >Synopsis: non-atomic operations on vfs.runningbufspace >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Jul 29 18:50:08 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Ade Lovett >Release: FreeBSD 6.0-BETA1 i386 >Organization: Supernews >Environment: FreeBSD 6.0-BETA1 #0: Wed Jul 27 17:52:15 UTC 2005 root@builder.supernews.net:/usr/obj/usr/src/sys/SUPERNEWS 6.0-BETA1 as of date above, affects all architectures >Description: There are two locations within /sys/vm/vnode_pager.c where non-atomic operations are used on runningbufspace, resulting in cases where this value can go negative with various undefined and interesting results. >How-To-Repeat: Run a 6.0 system under heavy VFS load (in our case, as a Usenet news transit server). Monitor the vfs.runningbufspace sysctl, and after a short period (30 to 60 minutes is usual), notice that: transit-12# sysctl vfs.runningbufspace vfs.runningbufspace: -131072 >Fix: Apply following to /sys/vm/vnode_pager.c which corrects the two locations where non-atomic operations are being used to modify runningbufspace. Index: vnode_pager.c =================================================================== RCS file: /home/FreeBSD/cvs/src/sys/vm/vnode_pager.c,v retrieving revision 1.221 diff -u -1 -r1.221 vnode_pager.c --- vnode_pager.c 19 May 2005 03:53:07 -0000 1.221 +++ vnode_pager.c 28 Jul 2005 21:58:24 -0000 @@ -66,2 +66,3 @@ #include <sys/sf_buf.h> +#include <sys/mutex.h> @@ -548,3 +549,3 @@ bp->b_runningbufspace = bp->b_bufsize; - runningbufspace += bp->b_runningbufspace; + atomic_add_int(&runningbufspace, bp->b_runningbufspace); @@ -900,3 +901,3 @@ bp->b_runningbufspace = bp->b_bufsize; - runningbufspace += bp->b_runningbufspace; + atomic_add_int(&runningbufspace, bp->b_runningbufspace); >Release-Note: >Audit-Trail: >Unformatted:
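Review bot: in the @@ -66 hunk, sys/mutex.h is added but nothing in the visible hunks takes a mutex; the only new call is atomic_add_int(). If the header is there only to reach the atomic primitives, include <machine/atomic.h> directly or say in the description why sys/mutex.h is needed, and place the new line in sorted order among the sys/ includes rather than after sys/sf_buf.h.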
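Review bot: in the @@ -548 hunk, atomic_add_int() operates on an int-width word, but the declaration of runningbufspace is not part of the diff and the report says all architectures are affected. Please confirm that runningbufspace and bp->b_runningbufspace are both int-sized; if either is a long, the call needs to be atomic_add_long() instead.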
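Review bot: the @@ -900 hunk repeats the @@ -548 change, and the patch converts only these two increments. The counter stays consistent only if every other writer, in particular whatever path subtracts b_runningbufspace again, is already atomic, so the description should name where that happens. A diff with more than the single line of context that `-1` gives would also let a reader identify both call sites.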
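Added example, not part of the original report or of the FreeBSD source: a small model that replays every interleaving of two CPUs executing the unpatched `runningbufspace += ...` as a separate load and store, then applies the two later subtractions. It assumes the subtracting side is already correct and uses a constructed buffer size of 131072 to match the sysctl output in the report; all names except `runningbufspace` are hypothetical.

```c
#include <stdio.h>

enum { NCPU = 2, NSTEPS = 2 * NCPU };

/* Replay one schedule: bit i of `sched` selects the CPU that runs step i.
 * Each CPU has two steps. Non-atomic: step 0 loads, step 1 adds and stores.
 * Atomic: step 0 performs the whole add indivisibly, step 1 does nothing.
 * Returns 0 for an invalid schedule (a CPU scheduled more than twice). */
static int replay(unsigned sched, int bufsize, int atomic, int *out)
{
    int runningbufspace = 0;            /* model of the shared counter */
    int tmp[NCPU] = {0, 0}, pc[NCPU] = {0, 0};

    for (int i = 0; i < NSTEPS; i++) {
        int cpu = (sched >> i) & 1;
        if (pc[cpu] >= 2)
            return 0;
        if (atomic) {
            if (pc[cpu] == 0)
                runningbufspace += bufsize;        /* models atomic_add_int() */
        } else if (pc[cpu] == 0) {
            tmp[cpu] = runningbufspace;            /* load */
        } else {
            runningbufspace = tmp[cpu] + bufsize;  /* add, then store */
        }
        pc[cpu]++;
    }
    /* Assumption: both buffers are later released by a correct subtract. */
    runningbufspace -= NCPU * bufsize;
    *out = runningbufspace;
    return 1;
}

/* Returns how many valid schedules leave the counter wrong. */
int count_lost_updates(int bufsize, int atomic, int *total, int *lowest)
{
    int bad = 0, final = 0;
    *total = 0;
    *lowest = 0;
    for (unsigned s = 0; s < (1u << NSTEPS); s++) {
        if (!replay(s, bufsize, atomic, &final))
            continue;
        (*total)++;
        if (final != 0)
            bad++;
        if (final < *lowest)
            *lowest = final;
    }
    return bad;
}

int main(void)
{
    int total, lowest;
    int bad = count_lost_updates(131072, 0, &total, &lowest);
    printf("non-atomic: %d of %d schedules wrong, lowest %d\n", bad, total, lowest);
    bad = count_lost_updates(131072, 1, &total, &lowest);
    printf("atomic:     %d of %d schedules wrong, lowest %d\n", bad, total, lowest);
    return 0;
}
```

In this model four of the six schedules lose an increment, which is why the counter can end up below zero once the matching subtractions run.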