Date:      Mon, 31 Jul 2023 21:36:07 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 272856] cd9660_rrip_loop() can call bread() without brelse()
Message-ID:  <bug-272856-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272856

            Bug ID: 272856
           Summary: cd9660_rrip_loop() can call bread() without brelse()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 243757
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=243757&action=edit
a gzipped cd9660 image that causes bread() to be called w/o brelse()

cd9660_rrip_loop() in sys/fs/cd9660/cd9660_rrip.c says:

        while (1) {
            ...;
                            || bread(ana->imp->im_devvp,
                                     ana->iso_ce_blk <<
                                     (ana->imp->im_bshift - DEV_BSHIFT),
                                     ana->imp->logical_block_size, NOCRED, &bp))
            ...;
        }
        if (bp)
                brelse(bp);

The brelse(bp) is outside the loop; if the loop bread()s twice, a
block is left locked.

I've attached a demo image:

# gunzip cd7a.iso.gz
# mdconfig cd7a.iso
# mount_cd9660 /dev/md0 /mnt
panic: userret: Returning with 1 locks held
panic() at panic+0x26
userret() at userret+0xf4
syscallret() at syscallret+0xa0
ecall_handler() at ecall_handler+0x22
do_trap_user() at do_trap_user+0xf2
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)

-- 
You are receiving this mail because:
You are the assignee for the bug.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-272856-227>
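The leak the report describes, as an added example that is not FreeBSD code: a toy buffer cache whose toy_bread()/toy_brelse() stand-ins (assumed names) count held locks the way bread()/brelse() do, with the reported loop shape next to a variant that releases the previous buffer before reading the next one; that variant is an assumed fix for illustration, not the change made in the tree.

```c
/* Added example, not FreeBSD code: a toy buffer cache that counts held locks
 * the way bread()/brelse() do, showing why a brelse() placed after the loop
 * leaks a locked buffer whenever the loop calls bread() more than once. */
#include <stddef.h>

#define NBUF 8

static int locked[NBUF];  /* 1 = buffer handed out by toy_bread() */
static int locks_held;    /* what userret() checks on the way back to user mode */

/* Stand-in for bread(): return a free buffer slot, locked; NULL if none left. */
static int *toy_bread(void)
{
    for (int i = 0; i < NBUF; i++)
        if (!locked[i]) { locked[i] = 1; locks_held++; return &locked[i]; }
    return NULL;
}

/* Stand-in for brelse(): unlock the buffer. */
static void toy_brelse(int *bp) { *bp = 0; locks_held--; }

/* Start each walk from an empty cache. */
static void reset_cache(void) { for (int i = 0; i < NBUF; i++) locked[i] = 0; locks_held = 0; }

/* The reported pattern: bread() once per continuation block, brelse() only
 * after the loop.  Returns how many buffers are still locked afterwards. */
int leaky_walk(int nblocks)
{
    int *bp = NULL;
    reset_cache();
    for (int blk = 0; blk < nblocks; blk++)
        bp = toy_bread();  /* the previous bp is dropped while still locked */
    if (bp) toy_brelse(bp);
    return locks_held;
}

/* Assumed fix: release the previous buffer before reading the next one. */
int fixed_walk(int nblocks)
{
    int *bp = NULL;
    reset_cache();
    for (int blk = 0; blk < nblocks; blk++) {
        if (bp) toy_brelse(bp);
        bp = toy_bread();
    }
    if (bp) toy_brelse(bp);
    return locks_held;
}
```

With one block both shapes come out clean; with two or more, leaky_walk() leaves nblocks - 1 buffers locked, which is the state the "Returning with 1 locks held" panic catches.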