From owner-freebsd-bugs Sat Jun 1 22:10:37 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA00679 for bugs-outgoing; Sat, 1 Jun 1996 22:10:37 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA00671; Sat, 1 Jun 1996 22:10:02 -0700 (PDT)
Resent-Date: Sat, 1 Jun 1996 22:10:02 -0700 (PDT)
Resent-Message-Id: <199606020510.WAA00671@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.cdrom.com, kato@eclogite.eps.nagoya-u.ac.jp
Received: from mail.barrnet.net (mail.barrnet.net [131.119.246.7]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA00433 for ; Sat, 1 Jun 1996 22:01:16 -0700 (PDT)
Received: from marble.eps.nagoya-u.ac.jp (marble.eps.nagoya-u.ac.jp [133.6.57.68]) by mail.barrnet.net (8.7.5/MAIL-RELAY-LEN) with ESMTP id WAA24311 for ; Sat, 1 Jun 1996 22:01:09 -0700 (PDT)
Received: (from kato@localhost) by marble.eps.nagoya-u.ac.jp (8.7.4+2.6Wbeta6/3.3W9) id NAA01317; Sun, 2 Jun 1996 13:59:35 +0900 (JST)
Message-Id: <199606020459.NAA01317@marble.eps.nagoya-u.ac.jp>
Date: Sun, 2 Jun 1996 13:59:35 +0900 (JST)
From: kato@eclogite.eps.nagoya-u.ac.jp
Reply-To: kato@eclogite.eps.nagoya-u.ac.jp
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/1286: cluster_read() calls strategy routine without B_READ
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 1286
>Category: kern
>Synopsis: cluster_read() calls strategy routine without B_READ
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 1 22:10:01 PDT 1996
>Last-Modified:
>Originator: KATO Takenori
>Organization: Dept. Earth Planet. Sci., Nagoya Univ., Nagoya, 464-01, Japan
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
FreeBSD-current with revision 1.35 of vfs_cluster.c.
FreeBSD-960501-SNAP may contain the same problem.

>Description:
allocbuf() sets b_flags == (B_MALLOC | B_BUSY) in certain cases after the change of vfs_bio.c on Mar 2. cluster_rbuild() contains:

	tbp = getblk(vp, lbn, size, 0, 0);
	if (tbp->b_flags & (B_CACHE|B_MALLOC))
		return tbp;

If getblk returns a buffer whose b_flags == B_MALLOC | B_BUSY, cluster_rbuild() returns a buffer without B_READ. Then cluster_read() calls VOP_STRATEGY(), and lower level routines assume that the action is writing, because B_READ is not set.

I realized this problem with CD-ROM access. When I executed egrep */* for CD-ROM, I got the panic:

	panic: vwakeup: neg numoutput

In addition to the above panic, this problem may have the potential to crash the file system. When the strategy routine is called by cluster_read without B_READ, the lower level routine assumes writing, and writes wrong data into the filesystem.

>How-To-Repeat:
1) mount CD-ROM
2) run egrep */* for CD-ROM

>Fix:
The following patch fixes the problem.

---------- BEGIN ---------- *** vfs_cluster.c.ORIG Sun Jun 2 02:25:51 1996 --- vfs_cluster.c Sun Jun 2 02:26:04 1996 *************** *** 294,300 **** } tbp = getblk(vp, lbn, size, 0, 0); ! if (tbp->b_flags & (B_CACHE|B_MALLOC)) return tbp; tbp->b_blkno = blkno; --- 294,300 ---- } tbp = getblk(vp, lbn, size, 0, 0); ! if (tbp->b_flags & B_CACHE) return tbp; tbp->b_blkno = blkno; ---------- END ----------

>Audit-Trail:
>Unformatted:
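
Review bot: the new test "if (tbp->b_flags & B_CACHE)" sends buffers that have B_MALLOC set but B_CACHE clear down the path that begins at "tbp->b_blkno = blkno;", and the hunk neither records why B_MALLOC was part of the early return nor shows that the code after it is safe for malloc-backed buffers. A short comment above the test saying that only B_CACHE buffers may be returned here without B_READ, together with confirmation that the fall-through path handles B_MALLOC buffers, would make the fix reviewable from the diff alone. Since the report says a strategy call without B_READ is treated as a write, it would also help to assert that B_READ is set at the point where cluster_read() calls VOP_STRATEGY(), so that any recurrence fails loudly instead of writing to the filesystem.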