From owner-freebsd-bugs Wed Aug 11 3:40:52 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
    by hub.freebsd.org (Postfix) with ESMTP id 2261614D60
    for ; Wed, 11 Aug 1999 03:40:51 -0700 (PDT)
    (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.9.3/8.9.2) id DAA09550;
    Wed, 11 Aug 1999 03:40:02 -0700 (PDT)
    (envelope-from gnats@FreeBSD.org)
Date: Wed, 11 Aug 1999 03:40:02 -0700 (PDT)
Message-Id: <199908111040.DAA09550@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
Cc:
From:
Subject: Re: kern/10959: 3.1-STABLE crashes due to a floppy mount problem
Reply-To:
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The following reply was made to PR kern/10959; it has been noted by GNATS.

From:
To: freebsd-gnats-submit@freebsd.org
Cc: ulianov@ns.csm.ro
Subject: Re: kern/10959: 3.1-STABLE crashes due to a floppy mount problem
Date: Wed, 11 Aug 1999 03:31:15 -0700 (PDT)

I took a stab at reproducing and analysing this PR. The good news is
that the problem is reproducible in -current.

Analysis:

[ mount a write-protected DOS floppy as read/write, attempt to create
  some file, unmount floppy ]

The unmount operation fails as the floppy is write protected and writes
are not permitted. Consequently some dirty buffers remain around.

However, `msdosfs_unmount()' will unconditionally set the `mnt_data'
field of the mount structure to 0, ignoring the error return from
`VOP_CLOSE()'.

"/sys/msdosfs/msdosfs_vfsops.c"
    805         error = VOP_CLOSE(pmp->pm_devvp,
    806                     (pmp->pm_flags&MSDOSFSMNT_RONLY) ? FREAD : FREAD | FWRITE,
    807                     NOCRED, p);
    [...]
    811         mp->mnt_data = (qaddr_t)0;
    812         mp->mnt_flag &= ~MNT_LOCAL;

Later, the syncer process comes around and tries to write the dirty
buffers back. At this point, the `mnt_data' field of the mount
structure has already been zero'ed.

(kgdb) bt
#0  msdosfs_sync (mp=0xc08b7a00, waitfor=3, cred=0xc05a4880, p=0xc5d328e0)
    at ../../msdosfs/msdosfs_vfsops.c:881
#1  0xc0177414 in sync_fsync (ap=0xc5d40f88) at ../../kern/vfs_subr.c:2901
#2  0xc017545c in sched_sync () at vnode_if.h:499
#3  0xc020d7a4 in fork_trampoline ()
Cannot access memory at address 0x318000.
(kgdb) p mp->mnt_data
$38 = 0x0

"/sys/msdosfs/msdosfs_vfsops.c"
    879         struct denode *dep;
    880         struct msdosfsmount *pmp = VFSTOMSDOSFS(mp);
    881         int error, allerror = 0;

`pmp' thus is zero and the kernel panics when a dereference through it
is attempted at line 887.

    887         if (pmp->pm_fmod != 0) {
    888                 if (pmp->pm_flags & MSDOSFSMNT_RONLY)
    ...

Questions:

(a) at what point should we attempt to detect read-only media?
(b) how do we ensure that a (forced?) unmount really scrubs all the
    buffers that are associated with the device being unmounted?

Regards,
Koshy
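
Added example, not part of the original message and not FreeBSD code: a user-space C model of the unmount/sync sequence analysed above, contrasting an unmount that clears `mnt_data' despite a failed close with one that keeps the mount state on error. All model_* names, the scenario() helper and the EIO value are assumptions made for illustration; the model does not answer questions (a) or (b).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model: these structs only mimic the fields named in the PR. */
struct model_fsmount { int pm_fmod; int write_protected; int dirty_bufs; };
struct model_mount { void *mnt_data; };
/* Stand-in for VOP_CLOSE(): the flush fails on write-protected media (EIO is constructed). */
static int model_close(struct model_fsmount *pmp) {
    if (pmp->dirty_bufs > 0 && pmp->write_protected)
        return EIO;
    pmp->dirty_bufs = 0;
    return 0;
}

/* Pattern from the PR: the error is recorded, mnt_data is cleared anyway. */
static int unmount_unchecked(struct model_mount *mp) {
    int error = model_close(mp->mnt_data);
    mp->mnt_data = NULL;
    return error;
}

/* Defensive variant: a failed close leaves the mount state intact. */
static int unmount_checked(struct model_mount *mp) {
    int error = model_close(mp->mnt_data);
    if (error == 0)
        mp->mnt_data = NULL;
    return error;
}

/* Stand-in for the sync path: -1 marks where the kernel would fault on pmp->pm_fmod. */
static int model_sync(const struct model_mount *mp) {
    const struct model_fsmount *pmp = mp->mnt_data;
    if (pmp == NULL)
        return -1;
    return pmp->pm_fmod != 0;
}

/* Unmount, then sync, a write-protected volume holding one dirty buffer. */
static int scenario(int checked) {
    struct model_fsmount fs = { 1, 1, 1 };
    struct model_mount mp = { &fs };
    int error = checked ? unmount_checked(&mp) : unmount_unchecked(&mp);
    return error == EIO ? model_sync(&mp) : -2;
}

int main(void) {
    return printf("unchecked: %d, checked: %d\n", scenario(0), scenario(1)) < 0;
}
```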