Re: panic: lockmgr still held [tmpfs] [vm_map_remove()->vdropl()
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--eVT9qDHFH2MeofqkUHEaF0vhVg603Jk2O
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
On 3/5/2014 1:50 PM, Konstantin Belousov wrote:
> On Wed, Mar 05, 2014 at 02:21:04PM -0500, John Baldwin wrote:
>> On Wednesday, March 05, 2014 6:07:23 am Konstantin Belousov wrote:
>>> On Wed, Mar 05, 2014 at 11:41:24AM +0200, Andriy Gapon wrote:
>>>> on 04/03/2014 18:45 John Baldwin said the following:
>>>>> So I'm not sure how to fix this. The crash is in this code in=20
>>>>> vm_object_deallocate():
>>>>>
>>>>> if (object->type =3D=3D OBJT_SWAP &&
>>>>> (object->flags & OBJ_TMPFS) !=3D 0) {
>>>>> vp =3D object->un_pager.swp.swp_tmpfs;
>>>>> vhold(vp);
>>>>> VM_OBJECT_WUNLOCK(object);
>>>>> vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
>>>>> vdrop(vp);
>>>>> VM_OBJECT_WLOCK(object);
>>>>> if (object->type =3D=3D OBJT_DEAD ||
>>>>> object->ref_count !=3D 1) {
>>>>> VM_OBJECT_WUNLOCK(object);
>>>>> VOP_UNLOCK(vp, 0);
>>>>> return;
>>>>> }
>>>>> if ((object->flags & OBJ_TMPFS) !=3D 0)
>>>>> VOP_UNSET_TEXT(vp);
>>>>> VOP_UNLOCK(vp, 0);
>>>>> }
>>>>>
>>>>> The vdrop() is dropping the count to zero and trying to free the vn=
ode. The=20
>>>>> real problem I think is that swp_tmpfs doesn't have an implicit vho=
ld() on the=20
>>>>> vnode, so in this case, the code is doing a vhold/vn_lock/vdrop of =
an already-
>>>>> free vnode. For OBJT_VNODE objects, the reference from the object =
back to the=20
>>>>> vnode holds a vref() that gets released by a vput() in=20
>>>>> vm_object_vndeallocate().
>>>>>
>>>>> One fix might be to chagne smp_tmpfs to hold a vhold reference. Th=
is is=20
>>>>> untested but might work (but I'm also not sure that this is the rig=
ht thing in=20
>>>>> that I don't know what other effects it might have).
>>>>
>>>> I agree with your analysis, but I don't think that a filesystem hold=
ing its own
>>>> vnode is a good idea. If I am not mistaken, that would prevent tmpf=
s vnodes
>>>> from going to free list.
>>>> I'd rather try to modify vm_object_deallocate() code. E.g. vdrop() =
could be
>>>> called after VOP_UNLOCK(). Alternatively, the code could handle a d=
oomed vnode
>>>> in a different way.
>>>
>>> I agree with Andrey, it is just a bug to vdrop() before unlock.
>>> Please try this.
>>
>> Ok, my only worry is in the case of Bryan's panic, the hold count on t=
he vnode
>> was already zero before vhold() was called, so is it possible that it =
is a stale
>> pointer or is there some other implicit reference that prevents that? =
If it can't
>> be stale, I think deferring the vdrop() is fine.
>=20
> The object->un_pager.swp.swp_tmpfs is cleared under the object lock
> before the vnode is reclaimed, i.e. long before the vnode can be freed.=
> swp_tmpfs should be kept in sync with the OBJ_TMPFS flag, so the
> vhold() is safe while flag is set and object is locked.
>=20
This has been stable. Not sure if it fixes the original problem, but I
have not seen any panics since using it and doing many poudriere builds.
--=20
Regards,
Bryan Drewery
--eVT9qDHFH2MeofqkUHEaF0vhVg603Jk2O
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTIGYBAAoJEDXXcbtuRpfPiv8IAMEAV0LelmkvG9E7CZivwBey
ZySy99hyqU/v2utMmfQHqmDtYycwPTlJ1OrFogbseo9tSPVjYYh7nHlCRp4RMexj
pDOrYOmMmBJxQFGSJxvQrgXt3GZ/IUu/9FVbBaEBSf/BBG2ewMLIjsHUYNvHyxKK
uOcdEeN9xD0GRBryxns5co/uMx5VqPaaiTvS3ljMKHs2N6Q0Zgjm8QL5XIotZ53p
3ZuhMxUhoo5EJhHU/7NIhE2FmO38dY0ufEv8GEpq2spD7+5fwCv/xWxMixlSMMsG
RPTQmY/yER1Bn953gqlQ4H4a/f8v5kK/qDhgLCXPZ6X+p39PaPMc0iTcyd4kqwo=
=dYN5
-----END PGP SIGNATURE-----
--eVT9qDHFH2MeofqkUHEaF0vhVg603Jk2O--
討論串 (同標題文章)
完整討論串 (本文為第 11 之 11 篇):