Date: Fri, 25 Nov 2005 21:56:20 -0500
From: Kris Kennaway <kris@obsecurity.org>
To: Csaba Henk <csaba-ml@creo.hu>
Cc: freebsd-current@freebsd.org
Subject: Re: double close strikes panic if md attaching a corrupt file
Message-ID: <20051126025620.GA62284@xor.obsecurity.org>
In-Reply-To: <20051125214738.GL2911@beastie.creo.hu>
References: <20051125214738.GL2911@beastie.creo.hu>

On Fri, Nov 25, 2005 at 10:47:38PM +0100, Csaba Henk wrote:
> Hi!
>
> Imagine the following:
>
> You have a corrupt file (so that you can open it, but when you try reading
> from it, it returns EIO). Pretty common with crappy optical media.
>
> You try "mdconfig -a -t vnode" on it.
>
> This will lead to a call to xmdioctl() such that mdio->md_type is
> MD_VNODE. So you get the following call chain:
>
> xmdioctl -> mdcreate_vnode -> mdsetcred -> VOP_READ
>
> VOP_READ returns EIO. This error value will be propagated to mdcreate_vnode,
> who will then feel like vn_close-ing the vnode, and propagate the error
> further.
>
> Now we got back to xmdioctl, who will call for mddestroy because of the error.
> mddestroy still sees the vnode, and will vn_close it again.
>
> This will yield a "negative refcount" panic.
>
> Two different ideas for fixing this:
>
> 1. Don't vn_close in mdcreate_vnode when there is an error.
> 2. Not just vn_close in mdcreate_vnode upon error but also
>    nullify the sc->vnode field.
>
> I attach two patches, they realize the above ideas, respectively.
> Note that I didn't test either.

You probably should do so ;-) This isn't the easiest thing for someone
to test without such corrupted media.

Kris
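
The double close described in the quoted report, and its two proposed fixes, as an added user-space model that is not code from this thread or from the FreeBSD source. All names (`close_model`, `create_model`, `destroy_model`, `attach_underflows`, the `fix` enum) are hypothetical stand-ins for the md routines named in the report, and the read failure is hard-coded as EIO.

```c
#include <stddef.h>
#include <errno.h>

/* Simplified user-space model; names are hypothetical, not the md driver's. */
struct vnode_model { int refs; int underflow; };
struct softc_model { struct vnode_model *vnode; };
enum fix { FIX_NONE, FIX_NO_CLOSE_ON_ERROR, FIX_CLEAR_POINTER };

/* Drop one reference; record an underflow where the kernel would panic. */
static void close_model(struct vnode_model *vp)
{
    if (--vp->refs < 0)
        vp->underflow = 1;
}

/* Open the vnode, then fail on the read as in the reported call chain. */
static int create_model(struct softc_model *sc, struct vnode_model *vp, enum fix fix)
{
    int error;
    vp->refs++;               /* successful open takes a reference */
    sc->vnode = vp;
    error = EIO;              /* constructed: read of the corrupt file fails */
    if (error != 0 && fix != FIX_NO_CLOSE_ON_ERROR) {
        close_model(vp);      /* error-path cleanup in the create routine */
        if (fix == FIX_CLEAR_POINTER)
            sc->vnode = NULL; /* idea 2: teardown must not see a closed vnode */
    }
    return error;
}

/* Generic teardown: closes whatever vnode the softc still points to. */
static void destroy_model(struct softc_model *sc)
{
    if (sc->vnode != NULL) {
        close_model(sc->vnode);
        sc->vnode = NULL;
    }
}

/* Run the ioctl-style sequence; return 1 if the refcount went negative. */
int attach_underflows(enum fix fix)
{
    struct vnode_model vp = { 0, 0 };
    struct softc_model sc = { NULL };

    if (create_model(&sc, &vp, fix) != 0)
        destroy_model(&sc);   /* caller tears down on any create error */
    return vp.underflow;
}
```

Both ideas restore single ownership of the reference: idea 1 leaves the close to the teardown path only, idea 2 keeps the early close but removes the stale pointer the teardown path would otherwise act on.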