From owner-freebsd-fs Tue Dec 11 9:32:20 2001
Delivered-To: freebsd-fs@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 075A937C180; Tue, 11 Dec 2001 09:30:33 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id 585B914C57; Tue, 11 Dec 2001 18:30:31 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Stefan.Esser@o-tel-o.de
Cc: freebsd-gnats-submit@FreeBSD.org, fs@freebsd.org
Subject: Re: kern/32681: Reproducable PANIC in -stable
References: <200112111500.fBBF04J48329@freefall.freebsd.org>
From: Dag-Erling Smorgrav
Date: 11 Dec 2001 18:30:30 +0100
In-Reply-To: <200112111500.fBBF04J48329@freefall.freebsd.org>
Message-ID:
Lines: 29
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-fs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Stefan.Esser@o-tel-o.de writes:
> In order to check for the presence of some process %PID%, nessusd performs an
> opendir("/proc/%PID%"), which can lead to a panic in fstatfs(), if the
> corresponding process just finishes just before the call to fstatfs ...

Ah, OK, I see.

First, if nessus needs to check for the existence of a process with a given PID, it should kill(pid, 0) instead of relying on procfs.

Second, the problem seems to be insufficient locking - possibly in pseudofs, but equally possibly in the VFS system. When a process terminates, pseudofs automatically reclaims all vnodes associated with it, which leads to an obvious race condition which can only be avoided through proper locking.

Looking at the pseudofs code, it doesn't seem to be at fault. When the process exits, pfs_exit() removes all vnodes associated with it from pseudofs' vnode cache, and vgone()s them.

I'm starting to think that the race might be in namei(), actually - since the namei() call from fstatfs() succeeds, it means namei() found a vnode, but that vnode's v_mount is NULL, which means it's been reclaimed, which can't happen if it's referenced (can it?), and namei() is supposed to reference the vnode before it returns it. My bet is that there is a small race between namei() finding a vnode and referencing it, but I'm getting out of my depth.

Does anybody else have any ideas?

DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-fs" in the body of the message
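The kill(pid, 0) probe recommended in the message, written out as an added example (this is not code from the thread or from nessusd). The check runs entirely inside the kernel, so there is no window between finding the process and inspecting it, unlike an opendir("/proc/PID") followed by fstatfs(); EPERM is treated as "exists" because the kernel only checks permissions after it has found the target. The helper names and the PROC_* enum are this example's own.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of an existence probe (names chosen for this example). */
enum proc_state { PROC_ABSENT = 0, PROC_PRESENT = 1, PROC_UNKNOWN = -1 };

/* kill() with signal 0 performs the lookup and permission checks but
 * delivers nothing, so it is a race-free way to ask "does PID exist?". */
enum proc_state process_exists(pid_t pid)
{
    if (pid <= 0)
        return PROC_UNKNOWN;        /* 0 / negative address process groups */
    if (kill(pid, 0) == 0)
        return PROC_PRESENT;
    switch (errno) {
    case ESRCH: return PROC_ABSENT; /* no such process, or already reaped */
    case EPERM: return PROC_PRESENT;/* exists, we just may not signal it */
    default:    return PROC_UNKNOWN;
    }
}

/* Demonstration: spawn a child, let it exit, reap it, then probe its PID.
 * Once reaped the PID is gone, so the probe is expected to report absence
 * (a PID recycled that quickly is possible in theory but not in practice). */
enum proc_state probe_reaped_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROC_UNKNOWN;
    if (pid == 0)
        _exit(0);
    if (waitpid(pid, NULL, 0) != pid)
        return PROC_UNKNOWN;
    return process_exists(pid);
}

int main(void)
{
    printf("self:          %d\n", process_exists(getpid()));     /* 1 */
    printf("reaped child:  %d\n", probe_reaped_child());         /* 0 */
    printf("pid 0:         %d\n", process_exists(0));            /* -1 */
    return 0;
}
```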