double close strikes panic if md attaching a corrupt file
Kris Kennaway
kris at obsecurity.org
Sat Nov 26 02:56:22 GMT 2005
On Fri, Nov 25, 2005 at 10:47:38PM +0100, Csaba Henk wrote:
> Hi!
>
> Imagine the following:
>
> You have a corrupt file (so that you can open it, but when you try reading
> from it, it returns EIO). Pretty common with crappy optical media.
>
> You try "mdconfig -a -t vnode" on it.
>
> This will lead to a call to xmdioctl() such that mdio->md_type is
> MD_VNODE. So you get the following call chain:
>
> xmdioctl -> mdcreate_vnode -> mdsetcred -> VOP_READ
>
> VOP_READ returns EIO. This error value will be propagated to mdcreate_vnode,
> who will then feel like vn_close-ing the vnode, and propagate the error
> further.
>
> Now we got back to xmdioctl, who will call for mddestroy because of the error.
> mddestroy still sees the vnode, and will vn_close it again.
>
> This will yield a "negative refcount" panic.
>
> Two different ideas for fixing this:
>
> 1. Don't vn_close in mdcreate_vnode when there is an error.
> 2. Not just vn_close in mdcreate_vnode upon error but also
> nullify the sc->vnode field.
>
> I attach two patches, they realize the above ideas, respectively.
> Note that I didn't test either.
You probably should do so ;-) This isn't the easiest thing for someone
to test without such corrupted media.
Kris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-current/attachments/20051125/7622e516/attachment.bin
More information about the freebsd-current
mailing list