Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 15 Feb 2003 15:36:39 +1100
From:      Tim Robbins <tjr@FreeBSD.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/48291: mmap()'d regions of smbfs files behave incorrectly after close()
Message-ID:  <20030215153639.A53449@dilbert.robbins.dropbear.id.au>
next in thread | raw e-mail | index | archive | help 

>Number:         48291
>Category:       kern
>Synopsis:       mmap()'d regions of smbfs files behave incorrectly after close()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 14 20:40:10 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Tim Robbins
>Release:        FreeBSD 4.7-RELEASE-p4 i386
>Organization:
The FreeBSD Project
>Environment:
System: FreeBSD 4.7 and 5.0 are both affected

>Description:

If a file on a smbfs mount is opened, part of it mapped in to memory with
mmap(), then the descriptor closed, reads and writes to/from the mapped
region will fail and cause a segmentation fault.

This behaviour is incorrect according to SUSv3:
(System Interfaces volume, Issue 6, page 773)
25284 The mmap( ) function shall add an extra reference to the file
      associated with the file descriptor
25285 fildes which is not removed by a subsequent close( ) on that file
      descriptor. This reference shall be
25286 removed when there are no more mappings to the file.

.. and breaks applications, such as gcc (cpp0) and thttpd.

>How-To-Repeat:

Try to compile GNU bash 2.05b on a smbfs mount, or try to serve files
off a smbfs share with thttpd.

>Fix:

The smbfs_close() vnode op is closing the file on the server, which
causes smbfs_getpages()/smbfs_putpages() to try to perform operations
with an invalid file handle.

There are two possible solutions:

(a) Don't close the file handle on the server in smbfs_close();
    let smbfs_inactive() close it instead.

(b) Reopen the file in smbfs_getpages() and smbfs_putpages(), write
    to it, then close it. This solution has a much higher overhead
    but it seems to be what Linux smbfs does.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030215153639.A53449>