Message-Id: <200507291842.j6TIg07B046329@freefall.freebsd.org>
Date: Fri, 29 Jul 2005 18:42:00 GMT
From: Ade Lovett
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/84318: non-atomic operations on vfs.runningbufspace

>Number: 84318
>Category: kern
>Synopsis: non-atomic operations on vfs.runningbufspace
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 29 18:50:08 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Ade Lovett
>Release: FreeBSD 6.0-BETA1 i386
>Organization:
Supernews
>Environment:
FreeBSD 6.0-BETA1 #0: Wed Jul 27 17:52:15 UTC 2005 root@builder.supernews.net:/usr/obj/usr/src/sys/SUPERNEWS
6.0-BETA1 as of date above, affects all architectures
>Description:
There are two locations within /sys/vm/vnode_pager.c where non-atomic operations are used on runningbufspace, resulting in cases where this value can go negative with various undefined and interesting results.
>How-To-Repeat:
Run a 6.0 system under heavy VFS load (in our case, as a Usenet news transit server). Monitor the vfs.runningbufspace sysctl, and after a short period (30 to 60 minutes is usual), notice that:

transit-12# sysctl vfs.runningbufspace
vfs.runningbufspace: -131072
>Fix:
Apply following to /sys/vm/vnode_pager.c which corrects the two locations where non-atomic operations are being used to modify runningbufspace.

Index: vnode_pager.c =================================================================== RCS file: /home/FreeBSD/cvs/src/sys/vm/vnode_pager.c,v retrieving revision 1.221 diff -u -1 -r1.221 vnode_pager.c --- vnode_pager.c 19 May 2005 03:53:07 -0000 1.221 +++ vnode_pager.c 28 Jul 2005 21:58:24 -0000 @@ -66,2 +66,3 @@ #include +#include 
@@ -548,3 +549,3 @@ bp->b_runningbufspace = bp->b_bufsize; - runningbufspace += bp->b_runningbufspace; + atomic_add_int(&runningbufspace, bp->b_runningbufspace); @@ -900,3 +901,3 @@ bp->b_runningbufspace = bp->b_bufsize; - runningbufspace += bp->b_runningbufspace; + atomic_add_int(&runningbufspace, bp->b_runningbufspace);
>Release-Note:
>Audit-Trail:
>Unformatted:
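Review bot: In the hunk at @@ -548,3 +549,3 @@, the new `atomic_add_int(&runningbufspace, bp->b_runningbufspace);` only closes the race if every other writer of runningbufspace is atomic as well. This patch converts the two additions in vnode_pager.c and shows no site that subtracts b_runningbufspace again, so please confirm that the subtracting side also uses an atomic operation; a plain read-modify-write on either side can still lose an update and leave the counter negative, as in the reported sysctl output. Please also confirm that runningbufspace is declared with int width, since atomic_add_int is the wrong operation for a counter of any other size.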
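Review bot: The hunk at @@ -900,3 +901,3 @@ repeats the same two statements as the hunk at 548 (`bp->b_runningbufspace = bp->b_bufsize;` followed by the atomic_add_int call), which is how both sites ended up with the same non-atomic update in the first place. Consider moving the pair into one small helper called from both places, with a comment stating that runningbufspace must only be modified through atomic operations, so a future third call site does not reintroduce the plain `+=`.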