From owner-freebsd-bugs@FreeBSD.ORG  Tue Aug 31 10:50:03 2010
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 42B5510656B6
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 31 Aug 2010 10:50:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 20D1F8FC25
	for <freebsd-bugs@hub.freebsd.org>;
	Tue, 31 Aug 2010 10:50:03 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id o7VAo2uv061033
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 31 Aug 2010 10:50:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id o7VAo2LI061032;
	Tue, 31 Aug 2010 10:50:02 GMT (envelope-from gnats)
Resent-Date: Tue, 31 Aug 2010 10:50:02 GMT
Resent-Message-Id: <201008311050.o7VAo2LI061032@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Gleb Kurtsou <gk@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B9DAB10656A9
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 31 Aug 2010 10:49:13 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id A9D9C8FC1C
	for <freebsd-gnats-submit@FreeBSD.org>;
	Tue, 31 Aug 2010 10:49:13 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o7VAnD9a048258
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 31 Aug 2010 10:49:13 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o7VAnD8Z048257;
	Tue, 31 Aug 2010 10:49:13 GMT (envelope-from nobody)
Message-Id: <201008311049.o7VAnD8Z048257@www.freebsd.org>
Date: Tue, 31 Aug 2010 10:49:13 GMT
From: Gleb Kurtsou <gk@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: kern/150143: [patch][tmpfs] Source directory vnode can disappear
	before locking it in tmpfs_rename
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2010 10:50:03 -0000


>Number:         150143
>Category:       kern
>Synopsis:       [patch][tmpfs] Source directory vnode can disappear before locking it in tmpfs_rename
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 31 10:50:02 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Gleb Kurtsou
>Release:        FreeBSD 9.0-CURRENT
>Organization:
>Environment:
>Description:
Source directory vnode can disappear before locking it in tmpfs_rename.

Fixes panic triggered by blogbench.

Also note that fdvp vnode locking order may be incorrect in tmpfs_rename, and thus rename is deadlock prone. It was initially incorrect, possible solution could be to lock all necessary vnodes similarly to ufs, but it seems not to work well with tmpfs.
>How-To-Repeat:

>Fix:
Patch attached, tested by Ivan Voras

Patch attached with submission follows:

commit 82d1664e6831dbc44d380170ed5590ff67113749
Author: Gleb Kurtsou <gleb.kurtsou@gmail.com>
Date:   Thu Aug 12 13:05:17 2010 +0300

    tmpfs: Source entry can disappear before we lock fdvp in tmpfs_rename()
    
    Fixes panic triggered by blogbench

diff --git a/fs/tmpfs/tmpfs_vnops.c b/fs/tmpfs/tmpfs_vnops.c
index ef54e5e..117700b 100644
--- a/fs/tmpfs/tmpfs_vnops.c
+++ b/fs/tmpfs/tmpfs_vnops.c
@@ -991,10 +991,14 @@ tmpfs_rename(struct vop_rename_args *v)
 	fnode = VP_TO_TMPFS_NODE(fvp);
 	de = tmpfs_dir_lookup(fdnode, fnode, fcnp);
 
-	/* Avoid manipulating '.' and '..' entries. */
+	/* Entry can disappear before we lock fdvp,
+	 * also avoid manipulating '.' and '..' entries. */
 	if (de == NULL) {
-		MPASS(fvp->v_type == VDIR);
-		error = EINVAL;
+		if ((fcnp->cn_flags & ISDOTDOT) != 0 ||
+		    (fcnp->cn_namelen == 1 && fcnp->cn_nameptr[0] == '.'))
+			error = EINVAL;
+		else
+			error = ENOENT;
 		goto out_locked;
 	}
 	MPASS(de->td_node == fnode);


>Release-Note:
>Audit-Trail:
>Unformatted: