Date: Mon, 17 Nov 2003 09:34:58 -0500 (EST)
From: Robert Watson <rwatson@freebsd.org>
To: Pawel Jakub Dawidek <nick@garage.freebsd.pl>
Cc: freebsd-current@freebsd.org
Subject: Re: Panic after mount() fail.
Message-ID: <Pine.NEB.3.96L.1031117093353.25438m-100000@fledge.watson.org>
In-Reply-To: <20031117100606.GK85962@garage.freebsd.pl>

On Mon, 17 Nov 2003, Pawel Jakub Dawidek wrote:

> Hello.
>
> There is a problem with mount(2) failures. It can cause panics.
>
> How-to-repeat.
>
> # dd if=/dev/random of=/test.img bs=1m count=8
> # mdconfig -a -t vnode -f /test.img -u 25
> # mkdir -p /mnt/test
> # mount /dev/md25 /mnt/test
> (fail)
> # mount /dev/md25 /mnt/test
> (panic "Memory modified after free ...")
>
> This is because on failure mutex is not destroyed.

This appears not to apply (and possibly not need to apply) against
vfs_mount.c:1.115. Could you update to that revision and confirm that the
problem persists? The change introduces a common vfs_mount_destroy() call,
which is much more careful to destroy the struct mount mtx than the
previous code.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

>
> Patch:
>
> --- vfs_mount.c.orig Sun Nov 16 15:46:56 2003 > +++ vfs_mount.c Sun Nov 16 15:21:48 2003 > @@ -1061,6 +1061,7 @@ update: > vfs_unbusy(mp, td); > else { > mp->mnt_vfc->vfc_refcount--; > + mtx_destroy(&mp->mnt_mtx); > vfs_unbusy(mp, td); > #ifdef MAC > mac_destroy_mount(mp);
> @@ -1142,6 +1143,7 @@ update: > vp->v_iflag &= ~VI_MOUNT; > VI_UNLOCK(vp); > mp->mnt_vfc->vfc_refcount--; > + mtx_destroy(&mp->mnt_mtx); > vfs_unbusy(mp, td); > #ifdef MAC > mac_destroy_mount(mp);
>
> --
> Pawel Jakub Dawidek                       pawel@dawidek.net
> UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
> Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
>
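Review bot: In the first hunk (@@ -1061), mtx_destroy(&mp->mnt_mtx) is placed before vfs_unbusy(mp, td), so the mutex is torn down while mp is still handed to another routine. Unless vfs_unbusy() is known never to touch mnt_mtx, the destroy belongs after the last use of mp on this path, that is, below vfs_unbusy(mp, td) and next to the mac_destroy_mount(mp) cleanup that follows it.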
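Review bot: The second hunk (@@ -1142) repeats the same teardown sequence as the first (vfc_refcount--, mtx_destroy, vfs_unbusy, mac_destroy_mount), so the two error paths can drift apart again the next time a field is added to struct mount. Folding the sequence into one helper called from both places would avoid that; the reply above notes that vfs_mount.c 1.115 already does this with vfs_mount_destroy(). A short comment at the call stating that the mount's mutex must be destroyed before the structure is freed would also document why the line is there.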