From owner-freebsd-bugs Wed Jul 19 11:09:44 1995
Return-Path: bugs-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.11/8.6.6) id LAA04073 for bugs-outgoing; Wed, 19 Jul 1995 11:09:44 -0700
Received: from blob.best.net (blob.best.net [204.156.128.88]) by freefall.cdrom.com (8.6.11/8.6.6) with ESMTP id LAA04060 for ; Wed, 19 Jul 1995 11:09:37 -0700
Received: (dillon@localhost) by blob.best.net (8.6.12/8.6.5) id LAA07002; Wed, 19 Jul 1995 11:09:16 -0700
Date: Wed, 19 Jul 1995 11:09:16 -0700
From: Matt Dillon
Message-Id: <199507191809.LAA07002@blob.best.net>
To: Kirk McKusick
Cc: davidg@root.com, bugs@freebsd.org
Subject: Re: possible ffs_vget() race condition
Sender: bugs-owner@freebsd.org
Precedence: bulk

I've got some kernel printf()'s in the two critical code areas along with my fix so by this time tomorrow I should know whether the hole is getting hit.

Oh, there are also some pretty serious problems with the sysctl() stuff... mainly with all the list traversals the sysctl()'s do without locking and the copyout's inside the loops (which can block, causing the list being traversed and most specifically the 'current' item to be ripped out from under sysctl())... I had to stop using pstat -T because of the problem (it would crash the machine every couple of hours). Since I absolutely need ps, I wound up patching the proc stuff sysctl's, adding a lock count to the process structure which the exit/zombie code blocks on, but haven't posted the patches because the whole sysctl thing really needs a good going over to solve the problems.

-Matt

: To: arch@FreeBSD.org
: cc: dillon@blob.best.net
: Subject: possible ffs_vget() race condition
: From: David Greenman
: Reply-To: davidg@Root.COM
: Date: Wed, 19 Jul 1995 06:52:48 -0700
:
: Any comments, Kirk?
:
: -DG
:
:This is a bug. I believe that the correct fix is to use a non-blocking
:malloc. If it fails, then do a blocking malloc, a free, and then restart
:with another call to ufs_ihashget. If another vnode has showed up while
:you were blocked in getnewvnode or malloc, free the previously allocated
:vnode, and return the one found by ufs_ihashget.
:
: ~Kirk
:
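
The fix described in the quoted text above, as an added example that is not part of the original message or of the FreeBSD source: a userspace C model of the lookup, allocate, re-check sequence. ffs_vget_model and may_block are hypothetical names, the bodies of ufs_ihashget, getnewvnode and the malloc variants are constructed stand-ins, and may_block simulates another process entering the same inode while the caller sleeps.

```c
/* Userspace model, added example. Names follow the thread; bodies are constructed. */
#include <stdlib.h>
#define NHASH 16
struct vnode { int ino; int racer; void *data; };
static struct vnode *ihash[NHASH];  /* single-slot stand-in for the inode hash */
static int race_ino = -1;           /* inode a simulated second process brings in */
static int race_skip;               /* sleep points to pass before the race fires */
static int nowait_failures;         /* how many non-blocking mallocs will fail */

static struct vnode *ufs_ihashget(int ino) {
    struct vnode *vp = ihash[ino % NHASH];
    return (vp != NULL && vp->ino == ino) ? vp : NULL;
}
/* Any sleep lets another process run and enter the same inode into the hash. */
static void may_block(void) {
    if (race_ino < 0 || race_skip-- > 0)
        return;
    struct vnode *other = calloc(1, sizeof *other);
    other->ino = race_ino;
    other->racer = 1;               /* marks the vnode created by the racer */
    ihash[race_ino % NHASH] = other;
    race_ino = -1;
}
static struct vnode *getnewvnode(void) { may_block(); return calloc(1, sizeof(struct vnode)); }
static void *malloc_wait(size_t n) { may_block(); return malloc(n); }
static void *malloc_nowait(size_t n) {
    if (nowait_failures > 0) { nowait_failures--; return NULL; }
    return malloc(n);
}

struct vnode *ffs_vget_model(int ino) {
    struct vnode *vp, *nvp = NULL;
    void *ip;
    for (;;) {
        if ((vp = ufs_ihashget(ino)) != NULL) {
            free(nvp);                 /* lost the race: drop ours, use theirs */
            return vp;
        }
        if (nvp == NULL) {             /* may sleep, so go back and look again */
            nvp = getnewvnode();
            continue;
        }
        if ((ip = malloc_nowait(64)) != NULL)
            break;                     /* no sleep since the last hash lookup */
        free(malloc_wait(64));         /* sleep for memory, release it, retry */
    }
    nvp->ino = ino;
    nvp->data = ip;
    ihash[ino % NHASH] = nvp;          /* insert in the same non-sleeping window */
    return nvp;
}
```

The invariant the loop enforces is that nothing between the last successful miss in ufs_ihashget and the hash insert can sleep, so two vnodes for one inode never coexist in the hash.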