Date: Mon, 17 Nov 2003 09:34:58 -0500 (EST)
From: Robert Watson
To: Pawel Jakub Dawidek
cc: freebsd-current@freebsd.org
Subject: Re: Panic after mount() fail.
In-Reply-To: <20031117100606.GK85962@garage.freebsd.pl>

On Mon, 17 Nov 2003, Pawel Jakub Dawidek wrote:

> Hello.
>
> There is a problem with mount(2) failures. It can cause panics.
>
> How-to-repeat.
>
> # dd if=/dev/random of=/test.img bs=1m count=8
> # mdconfig -a -t vnode -f /test.img -u 25
> # mkdir -p /mnt/test
> # mount /dev/md25 /mnt/test
> (fail)
> # mount /dev/md25 /mnt/test
> (panic "Memory modified after free ...")
>
> This is because on failure mutex is not destroyed.

This appears not to apply (and possibly not need to apply) against
vfs_mount.c:1.115. Could you update to that revision and confirm that the
problem persists? The change introduces a common vfs_mount_destroy() call,
which is much more careful to destroy the struct mount mtx than the
previous code.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories

>
> Patch:
>
> --- vfs_mount.c.orig Sun Nov 16 15:46:56 2003 > +++ vfs_mount.c Sun Nov 16 15:21:48 2003 > @@ -1061,6 +1061,7 @@ update: > vfs_unbusy(mp, td); > else { > mp->mnt_vfc->vfc_refcount--; > + mtx_destroy(&mp->mnt_mtx); > vfs_unbusy(mp, td); > #ifdef MAC > mac_destroy_mount(mp); 
> @@ -1142,6 +1143,7 @@ update: > vp->v_iflag &= ~VI_MOUNT; > VI_UNLOCK(vp); > mp->mnt_vfc->vfc_refcount--; > + mtx_destroy(&mp->mnt_mtx); > vfs_unbusy(mp, td); > #ifdef MAC > mac_destroy_mount(mp);
>
> --
> Pawel Jakub Dawidek                       pawel@dawidek.net
> UNIX Systems Programmer/Administrator     http://garage.freebsd.pl
> Am I Evil? Yes, I Am!                     http://cerber.sourceforge.net
>
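
Review bot: in the @@ -1061 hunk, mtx_destroy(&mp->mnt_mtx) is placed ahead of vfs_unbusy(mp, td) and mac_destroy_mount(mp), both of which are still handed mp afterwards. If either call can take or inspect mnt_mtx, it would be working on an already destroyed mutex. Moving the mtx_destroy() call below the last visible use of mp in this branch would remove that dependency, and a one-line comment saying why the mutex must be torn down on the failure path would help the next reader.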
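
Review bot: the mtx_destroy(&mp->mnt_mtx) added in the @@ -1142 hunk duplicates the one in the @@ -1061 hunk, which leaves two hand-maintained failure exits that each have to remember the same teardown lines (vfc_refcount--, mtx_destroy, vfs_unbusy, mac_destroy_mount under #ifdef MAC). A single helper called from both exits would stop them drifting apart and would catch any further error path added later; the reply notes that revision 1.115 already takes this route with a common vfs_mount_destroy().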