From owner-freebsd-bugs@FreeBSD.ORG Fri Aug 26 21:50:02 2005 Return-Path: X-Original-To: freebsd-bugs@hub.freebsd.org Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 478CE16A41F for ; Fri, 26 Aug 2005 21:50:02 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C09F043D49 for ; Fri, 26 Aug 2005 21:50:01 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j7QLo1uH048584 for ; Fri, 26 Aug 2005 21:50:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j7QLo1Zw048582; Fri, 26 Aug 2005 21:50:01 GMT (envelope-from gnats) Resent-Date: Fri, 26 Aug 2005 21:50:01 GMT Resent-Message-Id: <200508262150.j7QLo1Zw048582@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Andreas Longwitz Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE64416A41F for ; Fri, 26 Aug 2005 21:46:49 +0000 (GMT) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id BAEE043D45 for ; Fri, 26 Aug 2005 21:46:49 +0000 (GMT) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j7QLkm1Y038874 for ; Fri, 26 Aug 2005 21:46:48 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id j7QLkmt7038873; Fri, 26 Aug 2005 21:46:48 GMT (envelope-from nobody) Message-Id: <200508262146.j7QLkmt7038873@www.freebsd.org> Date: Fri, 26 Aug 2005 21:46:48 GMT From: Andreas Longwitz To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-2.3 Cc: Subject: kern/85329: vinum dumpconfig destroys openmask and let FreeBSD 4.11 Stable crash X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Aug 2005 21:50:02 -0000 >Number: 85329 >Category: kern >Synopsis: vinum dumpconfig destroys openmask and let FreeBSD 4.11 Stable crash >Confidential: no >Severity: critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Aug 26 21:50:01 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Andreas Longwitz >Release: >Organization: Data Service Stockelsdorf, Germany >Environment: 4.11-STABLE FreeBSD 4.11-STABLE #0: Thu Aug 4 00:39:17 CEST 2005 root@bsdmhs.longwitz:/usr/obj/usr/src/sys/BSDMHS i386 >Description: The byte ds_openmask is handled by the routines dsopen/dsclose in subr_diskslice.c and stores the partitions used on the disk. If e.g. the diskslice da1s1 on the system is completely used by vinum, then disklist->lh_first->d_slice->dss_slices[2].ds_openmask = 0x80, because vinum sets this bit for the h-partition from open_drive. Now running vinum dumpconfig da1s1 clears the highest bit in the openmask-byte, because the vinum program (/usr/src/sbin/vinum/list.c) opens and - with program end - closes the device "/dev/da1s1h". Now running again vinum dumpconfig da1s1 lets the kernel (dsopen in subr_diskslice.c) think, that the disk has gone: ssp = *sspp; need_init = !dsisopen(ssp); <-- openmask = 0! if (ssp != NULL && need_init) dsgone(sspp); In dsgone memory used by vinum - especially the disklabel - is freed and if there is some activity on the vinum disk at this time the system crashes immediately, otherwise it crashes some time later. The dumps look like the one described in kern/52916 and kern/58391. The first hint of the problem I describe here was given in kern/74915. >How-To-Repeat: On FreeBSD 4.11 Stable give vinum a whole disk and run twice vinum dumpconfig for this disk. If you e.g. copy a big file on the vinum disk during this test, the system panics. Please set a breakpoint at dsgone to avoid the crash. >Fix: It seems to me, that the kernel is not aware of vinum, because vinum opens the disk not with the open-syscall. I don't know how to fix this. >Release-Note: >Audit-Trail: >Unformatted: