Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 05 Jan 2016 23:53:26 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-fs@FreeBSD.org
Subject:   [Bug 205938] [ext2fs][patch][panic] EXT4: reading mmaped file causes panic because struct buf leaks
Message-ID:  <bug-205938-3630@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D205938

            Bug ID: 205938
           Summary: [ext2fs][patch][panic] EXT4: reading mmaped file
                    causes panic because struct buf leaks
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: crash, patch
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: damjan.jov@gmail.com
                CC: freebsd-fs@FreeBSD.org

Created attachment 165127
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D165127&action=
=3Dedit
Fix a kernel panic when reading mmaped files from EXT4

Calling mmap() on any sizeable file on an EXT4 filesystem, and then attempt=
ing
to read that memory (can be easily tested using the "cmp file file" tool),
causes a reproducible kernel panic:

userret: returning with the following locks held:
exclusive lockmgr bufwait (bufwait) r =3D 0 (0xfffffe001d90c220) locked @
/usr/src/sys/kern/vfs_bio.c:1454
panic: witness_warn
cpuid =3D 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace-self_wrapper+0x2b/frame 0xfffffe002b7e6=
7f0
vpanic() at vpanic+0x182/frame 0xfffffe002b7e6870
kassert_panic() at kassert_panic+0x126/frame 0xfffffe002b7e68e0
witness_warn() at witness_warn+0x3c6/frame 0xfffffe002b7e69b0
userret() at userret+0x98/frame 0xfffffe002b7e69e0
trap() at trap+0x3f4/frame 0xfffffe002b7e6bf0
calltrap() at calltrap+0x8/frame 0xfffffe002b7e6bf0
--- trap 0xc, rip =3D 0x4019c0, rsp =3D 0x7fffffffe940, rbp =3D 0x7ffffffff=
eea30 ---
KDB: enter: panic
[ thread pid 909 tid 100082 ]
Stopped at      kdb_enter+0x3b: movq    $0,kdb_why


The problem comes from ext4_bmapext() in sys/fs/ext2fs/ext2_bmap.c never
calling brelse(), meaning the "struct buf" returned in path.ep_bp from
ext4_ext_find_extent() is never released/unlocked, something userret() catc=
hes
later and panics from.

The attached patch always calls brelse(path.ep_bp), fixing reading EXT4 fil=
es
using mmap().

This affects all versions of FreeBSD.

--=20
You are receiving this mail because:
You are on the CC list for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-205938-3630>