cc: Fix dirty VACB list corruption causing FAST_FAIL_CORRUPT_LIST_ENTRY crashes #5
Draft
Copilot wants to merge 1 commit into
- CcRosMarkDirtyVacb: guard against double-insertion (primary crash fix)
- CcRosUnmarkDirtyVacb: return BOOLEAN, guard against double-unmark
- CcRosFlushVacb: only re-mark dirty on failure if we were the one who unmarked
- Add comments to suspicious lockless Dirty reads in CcFlushCache and CcRosReleaseVacb
Copilot AI changed the title from "cc: Fix dirty VACB list corruption and race conditions" to "cc: Fix dirty VACB list corruption causing FAST_FAIL_CORRUPT_LIST_ENTRY crashes" on Jun 2, 2026
Copilot created this pull request from a session on behalf of tkreuzer, June 2, 2026 18:52
Random BugCheck 0x139 (FAST_FAIL_CORRUPT_LIST_ENTRY) crashes during CcRosUnmarkDirtyVacb → RemoveEntryList caused by corrupted DirtyVacbListEntry Flink/Blink pointers. Three bugs in dirty VACB tracking:

Double-insert into dirty list (primary crash)

CcRosMarkDirtyVacb only had ASSERT(!Vacb->Dirty) — compiled out in release. Race:

1. CcRosFlushVacb calls CcRosUnmarkDirtyVacb → Dirty=FALSE, VACB removed from list
2. CcRosMarkDirtyVacb → VACB inserted at tail, Dirty=TRUE
3. MmFlushSegment fails → CcRosMarkDirtyVacb called again → same node inserted twice

Second InsertTailList corrupts the previous tail's Flink without unlinking first. Next RemoveEntryList on a neighbor fails RtlpCheckListEntry → FAST_FAIL.

Fix: CcRosMarkDirtyVacb now checks Vacb->Dirty under the spinlock and returns early if already dirty.

Double-unmark (counter underflow / extra refcount drop)

CcRosUnmarkDirtyVacb only had ASSERT(Vacb->Dirty). CcFlushCache reads vacb->Dirty after CcRosLookupVacb releases its locks; lazy writer can flush the same VACB in the window, causing CcTotalDirtyPages/DirtyPages unsigned underflow and a spurious CcRosVacbDecRefCount.

Fix: CcRosUnmarkDirtyVacb now returns BOOLEAN and early-returns FALSE (under the lock) if Vacb->Dirty is already clear.

Unconditional re-mark on flush failure

CcRosFlushVacb always called CcRosMarkDirtyVacb on failure regardless of whether it had actually unmarked anything, compounding the double-insert risk.

Fix: CcRosFlushVacb captures the BOOLEAN from CcRosUnmarkDirtyVacb and only re-marks dirty on failure when WasMarked == TRUE.

Suspicious code annotated

Lockless vacb->Dirty reads in CcFlushCache and CcRosReleaseVacb are now commented explaining the races and why the new guards make them safe.
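
The double-insert sequence from the description, replayed single-threaded in a user-mode C model (an added example, not code from this pull request or the project). The `VACB` struct and the `MarkDirty`, `UnmarkDirty`, `EntryIsSane` and `ReplayRace` names are hypothetical stand-ins, and the spinlock is left out because the interleaving is replayed in a fixed order.

```c
#include <stdbool.h>

/* Minimal stand-ins for the NT list primitives and a VACB (constructed model). */
typedef struct LIST_ENTRY { struct LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { LIST_ENTRY Link; bool Dirty; } VACB;

static LIST_ENTRY DirtyList;   /* models the dirty VACB list head */
static unsigned DirtyPages;    /* models the dirty page counter */

static void InsertTail(LIST_ENTRY *h, LIST_ENTRY *e)
{
    e->Flink = h; e->Blink = h->Blink;
    h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntry(LIST_ENTRY *e)
{
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}
/* Invariant a checked RemoveEntryList verifies before it unlinks an entry. */
static bool EntryIsSane(const LIST_ENTRY *e)
{
    return e->Flink->Blink == e && e->Blink->Flink == e;
}
static void MarkDirty(VACB *v, bool guarded)
{
    if (guarded && v->Dirty) return;   /* guard: already on the list */
    InsertTail(&DirtyList, &v->Link);
    v->Dirty = true; DirtyPages++;
}
static bool UnmarkDirty(VACB *v)
{
    if (!v->Dirty) return false;       /* guard: someone else unmarked it */
    RemoveEntry(&v->Link);
    v->Dirty = false; DirtyPages--;
    return true;
}
/* Replays the described interleaving; true if the neighbour's links survive. */
static bool ReplayRace(bool guarded)
{
    VACB a = {0}, v = {0};
    DirtyList.Flink = DirtyList.Blink = &DirtyList; DirtyPages = 0;
    MarkDirty(&a, guarded); MarkDirty(&v, guarded);
    bool wasMarked = UnmarkDirty(&v);  /* flusher takes v off the list */
    MarkDirty(&v, guarded);            /* another path dirties v again */
    if (!guarded || wasMarked)         /* flush failed: flusher re-marks */
        MarkDirty(&v, guarded);
    return EntryIsSane(&a.Link);
}
int main(void) { return ReplayRace(true) && !ReplayRace(false) ? 0 : 1; }
```

In the unguarded replay the second insert leaves `v` linked to itself, so the neighbour `a` no longer satisfies the Flink/Blink invariant, and the counter reports three dirty entries for two VACBs.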