Re: freelist corruption

Sun, 27 May 2001 23:46:11 -0700 

> Peter Jeremy wrote:
> > 
> > On 2001-May-27 20:36:54 -0700, Kris Kennaway <[EMAIL PROTECTED]> wrote:
> > >I've been getting rather a lot of these tonight..any ideas?
> > >
> > >May 27 18:52:06 xor /boot/kernel/kernel: Data modified on freelist: word 2 of 
>object 0xc1a60100 size 64 previous type pagedep (0xd6adc0de != 0xdeadc0de)
> > 
> > If this isn't an ECC system
> 
>       I got one of these on my ECC system:
> 
> May 25 01:16:20 <kern.crit> Master /boot/kernel/kernel: Data modified on
> freelist: word 2 of object 0xc1a58dc0 size 52 previous type vfscache
> (0xd6adc0de != 0xdeadc0de)

I'm using the following experimental patch to avoid system crashes and
the freelist corruption message.  The softupdate code seems to free
pagedeps structures with the NEWBLOCK flag set (which indicates that a
newdirblk structure is currently pointing to the pagedep structure).
When the newdirblk structure is freed later on, it clears the NEWBLOCK
flag, changing 0xdeadc0de to 0xd6adc0de.  If the memory for the
pagedep structure has been reused for something else, the system might
crash.  free_newdirblk will typically be on the ddb stack backtrace

- Tor Egge


Index: sys/ufs/ffs/ffs_softdep.c
===================================================================
RCS file: /home/ncvs/src/sys/ufs/ffs/ffs_softdep.c,v
retrieving revision 1.97
diff -u -r1.97 ffs_softdep.c
--- sys/ufs/ffs/ffs_softdep.c   2001/05/19 19:24:26     1.97
+++ sys/ufs/ffs/ffs_softdep.c   2001/05/24 01:48:22
@@ -1932,6 +1932,11 @@
                                        WORKLIST_INSERT(&inodedep->id_bufwait,
                                            &dirrem->dm_list);
                        }
+                       if ((pagedep->pd_state & NEWBLOCK) != 0) {
+                               FREE_LOCK(&lk);
+                               panic("deallocate_dependencies: "
+                                     "active pagedep");
+                       }
                        WORKLIST_REMOVE(&pagedep->pd_list);
                        LIST_REMOVE(pagedep, pd_hash);
                        WORKITEM_FREE(pagedep, D_PAGEDEP);
@@ -3930,8 +3935,12 @@
         * is written back to disk.
         */
        if (LIST_FIRST(&pagedep->pd_pendinghd) == 0) {
-               LIST_REMOVE(pagedep, pd_hash);
-               WORKITEM_FREE(pagedep, D_PAGEDEP);
+               if ((pagedep->pd_state & NEWBLOCK) != 0) {
+                       printf("handle_written_filepage: active pagedep\n");
+               } else {
+                       LIST_REMOVE(pagedep, pd_hash);
+                       WORKITEM_FREE(pagedep, D_PAGEDEP);
+               }
        }
        return (0);
 }

Reply via email to