From owner-freebsd-bugs@FreeBSD.ORG  Wed Jul 18 19:46:52 2007
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: bugs@freebsd.org
Delivered-To: freebsd-bugs@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 0E06616A402
	for <bugs@freebsd.org>; Wed, 18 Jul 2007 19:46:52 +0000 (UTC)
	(envelope-from brde@optusnet.com.au)
Received: from mail03.syd.optusnet.com.au (mail03.syd.optusnet.com.au
	[211.29.132.184])
	by mx1.freebsd.org (Postfix) with ESMTP id 8AF6D13C4BA
	for <bugs@freebsd.org>; Wed, 18 Jul 2007 19:46:51 +0000 (UTC)
	(envelope-from brde@optusnet.com.au)
Received: from besplex.bde.org (c220-239-235-248.carlnfd3.nsw.optusnet.com.au
	[220.239.235.248])
	by mail03.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id
	l6IJkmTa006777
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <bugs@freebsd.org>; Thu, 19 Jul 2007 05:46:49 +1000
Date: Thu, 19 Jul 2007 05:46:18 +1000 (EST)
From: Bruce Evans <brde@optusnet.com.au>
X-X-Sender: bde@besplex.bde.org
To: bugs@freebsd.org
Message-ID: <20070719051755.U1463@besplex.bde.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: 
Subject: a null pointer panic due to clobbered bufobjs
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2007 19:46:52 -0000

Repeated read-only mounting of a single device (to the same or different
mount points) now seems to work, but each mount clobbers the previous
mount's setting of the device vnode's bufobj.  See g_vfs_open() and
ffs_mount().  The clobbered bufobj even seems to work, since it remains
pointing to essential an alias of the clobbered data.  But then on
unmount of the ultimate clobberer, the bufobj is left pointing to
garbage (mainly in bo->bo_private when that is freed via a different
pointer to it).

This causes things like the following to panic on a null pointer in
g_io_request():

 	# mount -o ro /dev/mumble /mnt
 	# mount -o ro /dev/mumble /mnt
 	# umount /mnt        # unmount one so that other can be remounted rw
 			     # no way to control which one gets unmounted (?),
 			     # but it is apparently the last one
 	# umount -u -o noro /mnt

but the following seems to work:

 	# mount -o ro /dev/mumble /mnt
 	# mount -o ro /dev/mumble /mnt1   # diferent mount point for control
 	# umount /mnt        # unmount first one
 	# mount -u -o noro /mnt1

Bruce