svn commit: r324612 - in stable: 10/sys/ufs/ffs 11/sys/ufs/ffs
John Baldwin
jhb at FreeBSD.org
Fri Oct 13 22:40:58 UTC 2017
Author: jhb
Date: Fri Oct 13 22:40:57 2017
New Revision: 324612
URL: https://svnweb.freebsd.org/changeset/base/324612
Log:
MFC 324039: Don't defer wakeup()s for completed journal workitems.
Normally wakeups() are performed for completed softupdates work items
in workitem_free() before the underlying memory is free()'d.
complete_jseg() was clearing the "wakeup needed" flag in work items to
defer the wakeup until the end of each loop iteration. However, this
resulted in the item being free'd before its address was used with
wakeup(). As a result, another part of the kernel could allocate this
memory from malloc() and use it as a wait channel for a different
"event" with a different lock. This triggered an assertion failure
when the lock passed to sleepq_add() did not match the existing lock
associated with the sleep queue. Fix this by removing the code to
defer the wakeup in complete_jseg() allowing the wakeup to occur
slightly earlier in workitem_free() before free() is called.
Modified:
stable/11/sys/ufs/ffs/ffs_softdep.c
Directory Properties:
stable/11/ (props changed)
Changes in other areas also in this revision:
Modified:
stable/10/sys/ufs/ffs/ffs_softdep.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/11/sys/ufs/ffs/ffs_softdep.c
==============================================================================
--- stable/11/sys/ufs/ffs/ffs_softdep.c Fri Oct 13 21:58:44 2017 (r324611)
+++ stable/11/sys/ufs/ffs/ffs_softdep.c Fri Oct 13 22:40:57 2017 (r324612)
@@ -3596,15 +3596,13 @@ complete_jseg(jseg)
{
struct worklist *wk;
struct jmvref *jmvref;
- int waiting;
#ifdef INVARIANTS
int i = 0;
#endif
while ((wk = LIST_FIRST(&jseg->js_entries)) != NULL) {
WORKLIST_REMOVE(wk);
- waiting = wk->wk_state & IOWAITING;
- wk->wk_state &= ~(INPROGRESS | IOWAITING);
+ wk->wk_state &= ~INPROGRESS;
wk->wk_state |= COMPLETE;
KASSERT(i++ < jseg->js_cnt,
("handle_written_jseg: overflow %d >= %d",
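Review bot: the new `wk->wk_state &= ~INPROGRESS;` line needs a comment saying why IOWAITING is deliberately left set. Per the log, the wakeup now depends on workitem_free() seeing that flag before free() is called, and without a note here the mask looks like an oversight that a later cleanup could "fix" by clearing IOWAITING again, which would bring back the wakeup on a freed address. A one-line comment above the assignment pointing at workitem_free() would be enough.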
@@ -3645,8 +3643,6 @@ complete_jseg(jseg)
TYPENAME(wk->wk_type));
/* NOTREACHED */
}
- if (waiting)
- wakeup(wk);
}
/* Release the self reference so the structure may be freed. */
rele_jseg(jseg);
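Review bot: dropping `if (waiting) wakeup(wk);` at the end of the loop body means a sleeper is woken only if the switch case for that item type reaches workitem_free(), and the switch cases are not visible in this hunk. Please confirm that every case frees the item within the iteration; if any case keeps the item alive, IOWAITING now stays set and the waiter sleeps until some later free, where the removed code woke it unconditionally at the end of each iteration. If such a case exists, it should issue the wakeup itself while the item is still valid and clear IOWAITING.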