Date: Fri, 25 Nov 2005 21:56:20 -0500
From: Kris Kennaway
To: Csaba Henk
Cc: freebsd-current@freebsd.org
Subject: Re: double close strikes panic if md attaching a corrupt file
Message-ID: <20051126025620.GA62284@xor.obsecurity.org>
In-Reply-To: <20051125214738.GL2911@beastie.creo.hu>

On Fri, Nov 25, 2005 at 10:47:38PM +0100, Csaba Henk wrote:
> Hi!
>
> Imagine the following:
>
> You have a corrupt file (so that you can open it, but when you try reading
> from it, it returns EIO). Pretty common with crappy optical media.
>
> You try "mdconfig -a -t vnode" on it.
>
> This will lead to a call to xmdioctl() such that mdio->md_type is
> MD_VNODE. So you get the following call chain:
>
> xmdioctl -> mdcreate_vnode -> mdsetcred -> VOP_READ
>
> VOP_READ returns EIO. This error value will be propagated to mdcreate_vnode,
> who will then feel like vn_close-ing the vnode, and propagate the error
> further.
>
> Now we got back to xmdioctl, who will call for mddestroy because of the error.
> mddestroy still sees the vnode, and will vn_close it again.
>
> This will yield a "negative refcount" panic.
>
> Two different ideas for fixing this:
>
> 1. Don't vn_close in mdcreate_vnode when there is an error.
> 2. Not just vn_close in mdcreate_vnode upon error but also
>    nullify the sc->vnode field.
>
> I attach two patches, they realize the above ideas, respectively.
> Note that I didn't test either.

You probably should do so ;-) This isn't the easiest thing for someone
to test without such corrupted media.

Kris
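
Added example, not part of the original message or of FreeBSD's md(4) source: a user-space C model of the double close described in the quoted report and of the two fixes proposed there. All struct and function names (`mvnode`, `msoftc`, `model_create`, `model_destroy`, `model_attach`) are hypothetical, and a plain integer stands in for the vnode reference count.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model; every name here is a hypothetical stand-in for the
 * md(4) paths named in the thread, not FreeBSD source. */
enum fix { UNFIXED, IDEA1_NO_CLOSE, IDEA2_CLEAR_PTR };
struct mvnode { int refs; };             /* models the vnode refcount */
struct msoftc { struct mvnode *vnode; }; /* models the sc->vnode field */
static void model_close(struct mvnode *vp) { vp->refs--; }

/* Create path: open takes a reference, then a probe read may fail. */
static int model_create(struct msoftc *sc, struct mvnode *vp,
                        int read_error, enum fix fix)
{
    vp->refs = 1;
    sc->vnode = vp;
    if (read_error != 0) {
        if (fix != IDEA1_NO_CLOSE)
            model_close(vp);       /* error path drops the reference */
        if (fix == IDEA2_CLEAR_PTR)
            sc->vnode = NULL;      /* teardown can no longer see it */
    }
    return read_error;
}

/* Teardown path: closes whatever vnode the softc still points at. */
static void model_destroy(struct msoftc *sc)
{
    if (sc->vnode != NULL)
        model_close(sc->vnode);
    sc->vnode = NULL;
}

/* Mirrors the ioctl handler: create, destroy on error; <0 = double close. */
int model_attach(int read_error, enum fix fix)
{
    struct mvnode vn = { 0 };
    struct msoftc sc = { NULL };
    if (model_create(&sc, &vn, read_error, fix) != 0)
        model_destroy(&sc);
    return vn.refs;
}

int main(void)
{
    printf("unfixed=%d idea1=%d idea2=%d\n", model_attach(EIO, UNFIXED),
           model_attach(EIO, IDEA1_NO_CLOSE), model_attach(EIO, IDEA2_CLEAR_PTR));
    return 0;
}
```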