[Bug 200288] Modify after Free: ZFS
bugzilla-noreply at freebsd.org
Wed May 20 02:32:08 UTC 2015
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200288
--- Comment #22 from Alexander Kabaev <kan at FreeBSD.org> ---
So, by looking at the zfs range code, I see these constructs:
    /* Wake any blocked writers, then tear the cv down. */
    if (rl->r_write_wanted) {
        cv_broadcast(&rl->r_wr_cv);
        cv_destroy(&rl->r_wr_cv);
    }
    /* Same for blocked readers. */
    if (rl->r_read_wanted) {
        cv_broadcast(&rl->r_rd_cv);
        cv_destroy(&rl->r_rd_cv);
    }
    /* The record holding both cvs is freed right away. */
    kmem_free(rl, sizeof (rl_t));
The code appears to wake up waiters running on the cv and then immediately proceeds
to destroy the container structure. Looking at the recent change in
kern_condvar.c, it does appear that the thread that awakens does attempt to
decrement the cv_waiters counter in what another thread has already freed.
Hilarity ensues.
Please try to back out the revision 282971 by jhb and see if that brings your
stability back. FWIW, I think the code in zfs is hilarious.
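The hazard described in the comment is that a woken waiter still touches the condition variable (decrementing a waiter count) after the owner has destroyed it and freed the enclosing record. The pattern that avoids it is for the owner to wait until every waiter has dropped its reference before destroying anything. The following userspace C program is an added example illustrating that drain-before-destroy pattern with POSIX threads; it is not ZFS or FreeBSD code, and the type name rl_t, the fields, and the function names are assumptions chosen to mirror the snippet above, not the real range-lock record.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical container modelled on the range-lock record in the comment:
 * an object that must not be freed while any thread may still touch it. */
typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t  cv;        /* waiters block here until 'released' is set */
    pthread_cond_t  drained;   /* owner blocks here until 'waiters' reaches zero */
    int             waiters;   /* references held by threads that may touch this object */
    int             released;
} rl_t;

struct waiter_arg { rl_t *rl; int woke; };

/* A waiter whose reference (waiters++) was taken by the creator before hand-off,
 * so the owner can never see a count of zero while this thread is still coming. */
static void *waiter(void *p)
{
    struct waiter_arg *a = p;
    rl_t *rl = a->rl;

    pthread_mutex_lock(&rl->lock);
    while (!rl->released)
        pthread_cond_wait(&rl->cv, &rl->lock);
    /* Drop the reference only after the last use of the cv.  The owner cannot
     * destroy the object until the count is zero AND it re-acquires the mutex,
     * which happens only after our unlock below. */
    if (--rl->waiters == 0)
        pthread_cond_signal(&rl->drained);
    pthread_mutex_unlock(&rl->lock);   /* final touch of rl by this thread */
    a->woke = 1;
    return NULL;
}

/* Safe teardown: wake everyone, then WAIT for them to leave before destroying.
 * Contrast with broadcast -> destroy -> free back to back. */
static int release_and_free(rl_t *rl)
{
    int remaining;

    pthread_mutex_lock(&rl->lock);
    rl->released = 1;
    pthread_cond_broadcast(&rl->cv);
    while (rl->waiters > 0)
        pthread_cond_wait(&rl->drained, &rl->lock);
    remaining = rl->waiters;
    pthread_mutex_unlock(&rl->lock);
    /* Only now is no waiter able to dereference rl. */
    pthread_cond_destroy(&rl->cv);
    pthread_cond_destroy(&rl->drained);
    pthread_mutex_destroy(&rl->lock);
    free(rl);
    return remaining;
}

/* Starts n waiters, releases the object, and returns how many waiters woke,
 * or -1 on error or if the count was not zero at teardown time. */
int run_scenario(int n)
{
    rl_t *rl = calloc(1, sizeof *rl);
    pthread_t *tid = calloc((size_t)n, sizeof *tid);
    struct waiter_arg *args = calloc((size_t)n, sizeof *args);
    int i, woke = 0, remaining;

    if (rl == NULL || tid == NULL || args == NULL || n <= 0)
        return -1;
    pthread_mutex_init(&rl->lock, NULL);
    pthread_cond_init(&rl->cv, NULL);
    pthread_cond_init(&rl->drained, NULL);
    rl->waiters = n;                      /* references taken before hand-off */

    for (i = 0; i < n; i++) {
        args[i].rl = rl;
        args[i].woke = 0;
        if (pthread_create(&tid[i], NULL, waiter, &args[i]) != 0)
            return -1;
    }
    remaining = release_and_free(rl);     /* blocks until all waiters are gone */
    for (i = 0; i < n; i++) {
        pthread_join(tid[i], NULL);
        woke += args[i].woke;
    }
    free(tid);
    free(args);
    return remaining == 0 ? woke : -1;
}

int main(void)
{
    printf("waiters woken before safe free: %d\n", run_scenario(4));
    return 0;
}
```

The essential point is the while-loop on drained in release_and_free: the owner's broadcast is not proof that waiters are finished with the object, only that they have been told to leave. Whether the bookkeeping lives in the caller (as here) or inside the cv implementation itself (as the cv_waiters counter in kern_condvar.c does), the last thread to touch the cv must be the one that decides it is safe to destroy.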