From owner-freebsd-bugs Tue Feb 3 07:40:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA11576 for freebsd-bugs-outgoing; Tue, 3 Feb 1998 07:40:03 -0800 (PST) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA11552; Tue, 3 Feb 1998 07:40:02 -0800 (PST) (envelope-from gnats)
Received: from marble.eps.nagoya-u.ac.jp (marble.eps.nagoya-u.ac.jp [133.6.124.146]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA10981 for ; Tue, 3 Feb 1998 07:34:01 -0800 (PST) (envelope-from kato@migmatite.eps.nagoya-u.ac.jp)
Received: (from kato@localhost) by marble.eps.nagoya-u.ac.jp (8.8.8/3.4W4) id AAA00403; Wed, 4 Feb 1998 00:33:53 +0900 (JST)
Message-Id: <199802031533.AAA00403@marble.eps.nagoya-u.ac.jp>
Date: Wed, 4 Feb 1998 00:33:53 +0900 (JST)
From: KATO Takenori
Reply-To: kato@migmatite.eps.nagoya-u.ac.jp
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/5634: locking violation in umapfs
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
X-To-Unsubscribe: mail to majordomo@FreeBSD.org "unsubscribe freebsd-bugs"

>Number: 5634
>Category: kern
>Synopsis: locking violation in umapfs
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 3 07:40:01 PST 1998
>Last-Modified:
>Originator: KATO Takenori
>Organization: Dept. Earth Planet. Sci, Nagoya Univ.
>Release: FreeBSD 3.0-CURRENT i386
>Environment:
umapfs kernel
>Description:
umap_node_find() calls vget() with flags = 0. This code assumes that vget() does not lock the vnode internally. That is true in 4.4BSD-Lite2, but vget() in FreeBSD may lock the vnode internally. Therefore, we should not assume that vget() does not lock the vnode.
>How-To-Repeat:
Using umapfs.
>Fix: ---------- BEGIN ---------- *** umap_subr.c.ORIG Tue Feb 3 23:12:33 1998 --- umap_subr.c Wed Feb 4 00:19:53 1998 *************** *** 143,148 **** --- 143,150 ---- struct umap_node_hashhead *hd; struct umap_node *a; struct vnode *vp; + int error; + int vpunlocked; #ifdef UMAPFS_DIAGNOSTIC printf("umap_node_find(mp = %x, target = %x)\n", mp, targetvp); *************** *** 165,171 **** * stuff, but we don't want to lock * the lower node. */ ! if (vget(vp, 0, p)) { #ifdef UMAPFS_DIAGNOSTIC printf ("umap_node_find: vget failed.\n"); #endif --- 167,181 ---- * stuff, but we don't want to lock * the lower node. */ ! if (VOP_ISLOCKED(vp)) { ! VOP_UNLOCK(vp, 0, p); ! vpunlocked = 1; ! } else ! vpunlocked = 0; ! error = vget(vp, 0, p); ! if (vpunlocked) ! vn_lock(vp, LK_EXCLUSIVE|LK_RETRY, p); ! if (error) { #ifdef UMAPFS_DIAGNOSTIC printf ("umap_node_find: vget failed.\n"); #endif ---------- END ---------- >Audit-Trail: >Unformatted:
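Review bot: In the second hunk, `VOP_ISLOCKED(vp)` is called without the process argument that `VOP_UNLOCK(vp, 0, p)` takes, so as written the check does not show that `p` is the holder of the lock being released; if another process can hold it, the unlock releases a lock this caller does not own. Please confirm the caller is always the holder at this point, or test ownership explicitly. Between `VOP_UNLOCK` and `vn_lock` the vnode is also unlocked, so anything the caller was relying on the lock to protect can change across the `vget()` call, and the relock is always `LK_EXCLUSIVE` whatever mode was held before. The retained comment still reads "we don't want to lock the lower node" and should be updated to explain why the vnode is now unlocked and relocked around `vget()`.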