From owner-freebsd-current@freebsd.org  Tue Nov 27 23:46:30 2018
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6EB69113FEBE
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Tue, 27 Nov 2018 23:46:30 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::50:5])
 by mx1.freebsd.org (Postfix) with ESMTP id CEB287510F
 for <freebsd-current@freebsd.org>; Tue, 27 Nov 2018 23:46:29 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: by mailman.ysv.freebsd.org (Postfix)
 id 92168113FEBC; Tue, 27 Nov 2018 23:46:29 +0000 (UTC)
Delivered-To: current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5765D113FEBB
 for <current@mailman.ysv.freebsd.org>; Tue, 27 Nov 2018 23:46:29 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 980AF75109
 for <current@freebsd.org>; Tue, 27 Nov 2018 23:46:28 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from tom.home (kib@localhost [127.0.0.1])
 by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id wARNkH3x015381
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Wed, 28 Nov 2018 01:46:20 +0200 (EET)
 (envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua wARNkH3x015381
Received: (from kostik@localhost)
 by tom.home (8.15.2/8.15.2/Submit) id wARNkHBA015380;
 Wed, 28 Nov 2018 01:46:17 +0200 (EET)
 (envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com
 using -f
Date: Wed, 28 Nov 2018 01:46:17 +0200
From: Konstantin Belousov <kostikbel@gmail.com>
To: Vladimir Kondratyev <vladimir@kondratyev.su>
Cc: current@freebsd.org, peter@holm.cc
Subject: Re: r340343 triggers kernel assertion if file is opened with
 O_BENEATH flag set through symlink
Message-ID: <20181127234617.GE2378@kib.kiev.ua>
References: <d8fd4b5d-b6c7-c56e-79f3-504daceb2a51@kondratyev.su>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <d8fd4b5d-b6c7-c56e-79f3-504daceb2a51@kondratyev.su>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_ADSP_CUSTOM_MED,FORGED_GMAIL_RCVD,FREEMAIL_FROM,
 NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on tom.home
X-Rspamd-Queue-Id: CEB287510F
X-Spamd-Result: default: False [-6.71 / 15.00]; ARC_NA(0.00)[];
 FORGED_RECIPIENTS_FORWARDING(0.00)[]; RCVD_COUNT_FIVE(0.00)[6];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[];
 FORWARDED(0.00)[current@mailman.ysv.freebsd.org];
 FREEMAIL_FROM(0.00)[gmail.com]; RCPT_COUNT_THREE(0.00)[3];
 MIME_GOOD(-0.10)[text/plain]; HAS_XAW(0.00)[];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; R_SPF_SOFTFAIL(0.00)[~all];
 SPF_FAIL_FORWARDING(0.00)[]; TO_DN_SOME(0.00)[];
 RCVD_IN_DNSWL_MED(-0.20)[5.0.0.0.0.5.0.0.0.0.0.0.0.0.0.0.a.6.0.2.4.5.2.2.0.0.9.1.1.0.0.2.list.dnswl.org
 : 127.0.9.2]; 
 MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com];
 NEURAL_HAM_SHORT(-0.97)[-0.969,0];
 IP_SCORE(-3.63)[ip: (-9.87), ipnet: 2001:1900:2254::/48(-4.68), asn:
 10310(-3.51), country: US(-0.09)]; RCVD_NO_TLS_LAST(0.10)[];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 FREEMAIL_ENVFROM(0.00)[gmail.com];
 ASN(0.00)[asn:10310, ipnet:2001:1900:2254::/48, country:US];
 FORGED_RECIPIENTS(0.00)[vladimir@kondratyev.su ..,freebsd-current@freebsd.org];
 DMARC_POLICY_SOFTFAIL(0.10)[gmail.com : No valid SPF, No valid DKIM,none]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Nov 2018 23:46:30 -0000

On Wed, Nov 28, 2018 at 12:54:21AM +0300, Vladimir Kondratyev wrote:
> Following test case triggers assertion after r340343:
> 
> 
> #include <fcntl.h>
> 
> int
> main(int argc, char **argv)
> {
>         openat(open("/etc", O_RDONLY), "termcap", O_RDONLY | O_BENEATH);
> }
> 
> It results in:
> 
> panic: Assertion (ndp->ni_lcf & NI_LCF_LATCH) != 0 failed at
> /usr/src/sys/kern/vfs_lookup.c:182
> 

The following should fix it. Problem was that the topping directory was
only latched when the initial path was absolute. Since your example
switched from the relative argument to the absolute symlink, the BENEATH
tracker rightfully complained that there were no recorded top.

I also added some asserts I used during the debugging.

diff --git a/sys/kern/vfs_lookup.c b/sys/kern/vfs_lookup.c
index 78893c4f2bd..7a80775d91d 100644
--- a/sys/kern/vfs_lookup.c
+++ b/sys/kern/vfs_lookup.c
@@ -202,8 +202,10 @@ nameicap_cleanup(struct nameidata *ndp, bool clean_latch)
 		vdrop(nt->dp);
 		uma_zfree(nt_zone, nt);
 	}
-	if (clean_latch && (ndp->ni_lcf & NI_LCF_LATCH) != 0)
+	if (clean_latch && (ndp->ni_lcf & NI_LCF_LATCH) != 0) {
+		ndp->ni_lcf &= ~NI_LCF_LATCH;
 		vrele(ndp->ni_beneath_latch);
+	}
 }
 
 /*
@@ -264,6 +266,7 @@ namei_handle_root(struct nameidata *ndp, struct vnode **dpp)
 		return (ENOTCAPABLE);
 	}
 	if ((cnp->cn_flags & BENEATH) != 0) {
+		MPASS((ndp->ni_lcf & NI_LCF_LATCH) != 0);
 		ndp->ni_lcf |= NI_LCF_BENEATH_ABS;
 		ndp->ni_lcf &= ~NI_LCF_BENEATH_LATCHED;
 		nameicap_cleanup(ndp, false);
@@ -446,7 +449,7 @@ namei(struct nameidata *ndp)
 		if (error == 0 && dp->v_type != VDIR)
 			error = ENOTDIR;
 	}
-	if (error == 0 && (ndp->ni_lcf & NI_LCF_BENEATH_ABS) != 0) {
+	if (error == 0 && (cnp->cn_flags & BENEATH) != 0) {
 		if (ndp->ni_dirfd == AT_FDCWD) {
 			ndp->ni_beneath_latch = fdp->fd_cdir;
 			vrefact(ndp->ni_beneath_latch);
@@ -471,6 +474,8 @@ namei(struct nameidata *ndp)
 			vrele(dp);
 		goto out;
 	}
+	MPASS((ndp->ni_lcf & (NI_LCF_BENEATH_ABS | NI_LCF_LATCH)) !=
+	    NI_LCF_BENEATH_ABS);
 	if (((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) != 0 &&
 	    lookup_cap_dotdot != 0) ||
 	    ((ndp->ni_lcf & NI_LCF_STRICTRELATIVE) == 0 &&