kern/139312: [PATCH] tmpfs mmap synchronization bug
Gleb Kurtsou
gk at FreeBSD.org
Fri Oct 2 18:20:01 UTC 2009
>Number: 139312
>Category: kern
>Synopsis: [PATCH] tmpfs mmap synchronization bug
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Oct 02 18:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Gleb Kurtsou
>Release: 9-CURRENT
>Organization:
>Environment:
FreeBSD tops 9.0-CURRENT FreeBSD 9.0-CURRENT #6 r197608+311ce2b: Tue Sep 29 09:02:48 EEST 2009 root at tops:/usr/obj/usr/freebsd-src/local/sys/TOPS amd64
>Description:
Mmapped pages can get out of sync in tmpfs. The bug is 100% reproducible
by:
# fsx -S 125 -d /tmpfs/file
It breaks at operation 42.
The fix is inspired by zfs; it calls vm_page_cache_free(). Reading the zfs
sources, it looks like it doesn't check v_object->cache, but nevertheless
the bug never shows up there. Probably it's because zfs uses
VOP_BMAP to do page mapping. tmpfs uses the default
vop_getpages/vop_putpages, which invoke vop_read/vop_write accordingly.
Removing the v_object->cache == NULL checks breaks things again.
The same fix works fine in pefs (http://wiki.freebsd.org/SOC2009GlebKurtsov)
>How-To-Repeat:
# fsx -S 125 -d /tmpfs/file
It breaks at operation 42.
>Fix:
Patch attached with submission follows:
diff --git a/sys/fs/tmpfs/tmpfs_vnops.c b/sys/fs/tmpfs/tmpfs_vnops.c
index db8ceea..59d94d7 100644
--- a/sys/fs/tmpfs/tmpfs_vnops.c
+++ b/sys/fs/tmpfs/tmpfs_vnops.c
@@ -444,7 +444,8 @@ tmpfs_mappedread(vm_object_t vobj, vm_object_t tobj, size_t len, struct uio *uio
offset = addr & PAGE_MASK;
tlen = MIN(PAGE_SIZE - offset, len);
- if ((vobj == NULL) || (vobj->resident_page_count == 0))
+ if ((vobj == NULL) ||
+ (vobj->resident_page_count == 0 && vobj->cache == NULL))
goto nocache;
VM_OBJECT_LOCK(vobj);
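Review bot: The widened test in tmpfs_mappedread reads vobj->cache before VM_OBJECT_LOCK(vobj) is taken on the next line, so the jump to nocache is decided on an unlocked snapshot of both resident_page_count and cache. Either add a comment saying why the unlocked peek is acceptable here, or take the lock first and recheck under it. Separately, the only vm_page_cache_free() call in this patch is in the third hunk, so the description should say how the read path is expected to deal with a page it finds in the cache once it no longer skips the lookup.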
@@ -555,7 +556,8 @@ tmpfs_mappedwrite(vm_object_t vobj, vm_object_t tobj, size_t len, struct uio *ui
offset = addr & PAGE_MASK;
tlen = MIN(PAGE_SIZE - offset, len);
- if ((vobj == NULL) || (vobj->resident_page_count == 0)) {
+ if ((vobj == NULL) ||
+ (vobj->resident_page_count == 0 && vobj->cache == NULL)) {
vpg = NULL;
goto nocache;
}
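Review bot: The condition (vobj->resident_page_count == 0 && vobj->cache == NULL) in tmpfs_mappedwrite is now a second copy of the one added to tmpfs_mappedread, and the report says removing the cache check breaks things again, so the two copies must stay in sync. Consider a small static inline helper or macro shared by both functions, with a comment noting that an object with no resident pages can still hold cached ones.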
@@ -573,6 +575,8 @@ lookupvpg:
VM_OBJECT_UNLOCK(vobj);
error = uiomove_fromphys(&vpg, offset, tlen, uio);
} else {
+ if (__predict_false(vobj->cache != NULL))
+ vm_page_cache_free(vobj, idx, idx + 1);
VM_OBJECT_UNLOCK(vobj);
vpg = NULL;
}
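Review bot: The new vm_page_cache_free(vobj, idx, idx + 1) call in the else branch carries no comment, yet it is the core of the fix. Add a short comment stating why the cached page for idx is dropped at this point and tying it to the fsx failure from the report. It would also help to note that the call is deliberately placed before VM_OBJECT_UNLOCK(vobj), and to say why __predict_false is the right hint here.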
>Release-Note:
>Audit-Trail:
>Unformatted: