From owner-freebsd-fs  Mon Mar 18 14:36:41 2002
Delivered-To: freebsd-fs@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [192.203.228.196])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5F07137B400; Mon, 18 Mar 2002 14:36:31 -0800 (PST)
Received: by elvis.mu.org (Postfix, from userid 1192)
	id 3F1E6AE1FE; Mon, 18 Mar 2002 14:36:31 -0800 (PST)
Date: Mon, 18 Mar 2002 14:36:31 -0800
From: Alfred Perlstein <alfred@freebsd.org>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Kris Kennaway <kris@obsecurity.org>, current@freebsd.org,
	fs@freebsd.org
Subject: Re: panic: bwrite: buffer is not busy???
Message-ID: <20020318223631.GA23014@elvis.mu.org>
References: <20020317124958.A34008@xor.obsecurity.org> <xzpadt6r1xr.fsf@flood.ping.uio.no> <20020318061739.GB894@elvis.mu.org> <xzpvgbupdqa.fsf@flood.ping.uio.no> <20020318071623.GD894@elvis.mu.org> <20020318010245.A48956@xor.obsecurity.org> <xzp4rjep7m5.fsf@flood.ping.uio.no> <20020318143204.GA688@elvis.mu.org> <xzplmcpn8un.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <xzplmcpn8un.fsf@flood.ping.uio.no>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-fs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-fs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-fs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-fs>
X-Loop: FreeBSD.org

* Dag-Erling Smorgrav <des@ofug.org> [020318 08:23] wrote:
> Alfred Perlstein <alfred@freebsd.org> writes:
> > I think you're right, I'm pretty sure the fix is basically moving
> > the p->p_fd = NULL to after the closef will fix things [...]
> 
> There will still be a race...

Are you sure? :)

Btw, is there a way to easily reproduce this bug?

Index: kern/kern_descrip.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/kern_descrip.c,v
retrieving revision 1.128
diff -u -r1.128 kern_descrip.c
--- kern/kern_descrip.c	15 Mar 2002 08:03:46 -0000	1.128
+++ kern/kern_descrip.c	18 Mar 2002 19:04:24 -0000
@@ -1321,10 +1321,11 @@
 fdfree(td)
 	struct thread *td;
 {
-	register struct filedesc *fdp = td->td_proc->p_fd;
+	register struct filedesc *fdp;
 	struct file **fpp;
 	register int i;
 
+	fdp = td->td_proc->p_fd;
 	/* Certain daemons might not have file descriptors. */
 	if (fdp == NULL)
 		return;
@@ -1344,6 +1345,11 @@
 		if (*fpp)
 			(void) closef(*fpp, td);
 	}
+
+	PROC_LOCK(td->td_proc);
+	td->td_proc->p_fd = NULL;
+	PROC_UNLOCK(td->td_proc);
+
 	if (fdp->fd_nfiles > NDFILE)
 		FREE(fdp->fd_ofiles, M_FILEDESC);
 	if (fdp->fd_cdir)
Index: kern/vfs_syscalls.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.231
diff -u -r1.231 vfs_syscalls.c
--- kern/vfs_syscalls.c	12 Mar 2002 04:00:10 -0000	1.231
+++ kern/vfs_syscalls.c	18 Mar 2002 19:05:23 -0000
@@ -451,9 +451,12 @@
 		return;
 	sx_slock(&allproc_lock);
 	LIST_FOREACH(p, &allproc, p_list) {
+		PROC_LOCK(p);
 		fdp = p->p_fd;
-		if (fdp == NULL)
+		if (fdp == NULL) {
+			PROC_UNLOCK(p);
 			continue;
+		}
 		FILEDESC_LOCK(fdp);
 		if (fdp->fd_cdir == olddp) {
 			VREF(newdp);
@@ -469,6 +472,7 @@
 			vrele(olddp);
 		} else
 			FILEDESC_UNLOCK(fdp);
+		PROC_UNLOCK(p);
 	}
 	sx_sunlock(&allproc_lock);
 	if (rootvnode == olddp) {

-- 
-Alfred Perlstein [alfred@freebsd.org]
'Instead of asking why a piece of software is using "1970s technology,"
 start asking why software is ignoring 30 years of accumulated wisdom.'
Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-fs" in the body of the message