From owner-freebsd-fs  Mon Feb 25 18:38:12 2002
Delivered-To: freebsd-fs@freebsd.org
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
	by hub.freebsd.org (Postfix) with SMTP id 9F7E737B421
	for <fs@FreeBSD.ORG>; Mon, 25 Feb 2002 18:37:49 -0800 (PST)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
          id <aa51774@salmon>; 26 Feb 2002 02:37:48 +0000 (GMT)
To: Kirk McKusick <mckusick@mckusick.com>
Cc: Matthew Dillon <dillon@apollo.backplane.com>,
	Kris Kennaway <kris@obsecurity.org>, Tony Finch <dot@dotat.at>,
	fs@FreeBSD.ORG, fanf@chiark.greenend.org.uk
Subject: Re: UFS panic on -stable 
In-Reply-To: Your message of "Mon, 25 Feb 2002 17:41:08 PST."
             <200202260141.g1Q1f8i28365@beastie.mckusick.com> 
Date: Tue, 26 Feb 2002 02:37:47 +0000
From: Ian Dowse <iedowse@maths.tcd.ie>
Message-ID:  <200202260237.aa51774@salmon.maths.tcd.ie>
Sender: owner-freebsd-fs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-fs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-fs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-fs>
X-Loop: FreeBSD.org

In message <200202260141.g1Q1f8i28365@beastie.mckusick.com>, Kirk McKusick writ
es:
>this bug. It does point a big finger at the buffer cache code
>since that would be about the only place that data corruption
>could be happening here.

My feeling was that this particular crash may be caused by something
at the vnode level since it appeared that the inode had been fully
freed while the vnode was still referenced. The process was sshd,
so I was looking for something that could have changed the mode on
the inode after it had been inadvertantly freed.  The best I've
found so far is in the ssh source there is the code:

	/* Releases the tty.  Its ownership is returned to root,
	  and permissions to 0666. */
	void
	pty_release(const char *ttyname)
	{
		if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0)
			...
		if (chmod(ttyname, (mode_t) 0666) < 0)
			...

The inode looked as if a VOP_SETATTR to gid root, uid root, mode 666
had succeeded even though the inode was already free. That explains
the lack of IFMT bits in the mode argument to ffs_freefile().

Kris, if it's not too awkward to make changes to the cluster kernels,
could you try applying the following extra sanity check to ufs_chmod?
This should attempt to catch the bug a little bit earlier by detecting
an attempt to VOP_SETATTR a free inode.

Ian

Index: ufs_vnops.c
===================================================================
RCS file: /dump/FreeBSD-CVS/src/sys/ufs/ufs/ufs_vnops.c,v
retrieving revision 1.131.2.7
diff -u -r1.131.2.7 ufs_vnops.c
--- ufs_vnops.c	5 Feb 2002 18:35:04 -0000	1.131.2.7
+++ ufs_vnops.c	26 Feb 2002 02:28:02 -0000
@@ -570,6 +570,8 @@
 		if (!groupmember(ip->i_gid, cred) && (mode & ISGID))
 			return (EPERM);
 	}
+	if (ip->i_mode == 0)
+		panic("ufs_chmod: free inode");
 	ip->i_mode &= ~ALLPERMS;
 	ip->i_mode |= (mode & ALLPERMS);
 	ip->i_flag |= IN_CHANGE;

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-fs" in the body of the message