kern/98064: Crash with FIFOs (named pipes) and truncate()
Bruce Evans
bde at zeta.org.au
Mon May 29 07:10:42 PDT 2006
The following reply was made to PR kern/98064; it has been noted by GNATS.
From: Bruce Evans <bde at zeta.org.au>
To: Maxim Konovalov <maxim at macomnet.ru>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: kern/98064: Crash with FIFOs (named pipes) and truncate()
Date: Tue, 30 May 2006 00:04:23 +1000 (EST)
On Mon, 29 May 2006, Maxim Konovalov wrote:
>> I have used used the following fixes in this area for many years. They
>> make truncate() on a fifo and some other file types always succeed
>> instead of wandering off into UFS_TRUNCATE() (which is always (?)
>> ffs_truncate()) and tending to cause panics there.
> [...]
>
> Why doesn't RELENG_4 suffer from this? The code of ufs_setattr() is
> very similar there.
Hmm, my fixes are for ~5.2 and they may be unnecessary there too. I don't
remember noticing this particular problem. Perhaps some changes in -current
resulted in ffs_update() doing more and happening to do something bad.
Unfortunately, the PR doesn't contain much debugging info so it isn't
clear that the problem is in ffs_update().
I just found another problem. ffs_truncate() panics for read-only file
systems. The unpatched ufs_setattr() only returns early for read-only
file systems in the VREG, VLNK and VDIR cases. So ffs_truncate() on a
fifo on a read-only file system can apparently very easily panic.
The panic in ffs_truncate() is strangely placed after doing some things,
both null things and things that attempt to write to the file system.
These things are mainly:
- handling extended attributes. I don't understand the details.
- the !IO_NORMAL case (whatever that is). Returns success without checking
for read-only.
- new size too large. Returns failure early.
- a subcase of the VLNK case. Attempts to write even to read-only file
systems. Such writes are handled bogusly at lower levels and hopefully
don't reach the disks (I use printfs to detect these and others. Most
involve setting file times for read-only file systems or directives
to set file times that aren't handled properly on changing from rw
to ro. Here there is a file size change so not writing to disk might
cause more serious problems). Returns early. In my previous reply
I said that the VLNK case is unreachable and it panics if DIAGNOSTIC
is configured. Actually, only a subcase of the subcase panics.
- null truncates (ones which don't change the size). These are not quite
null. They attempt to set the file times even for read-only file
systems. Such writes are handled bogusly as above. Returns early.
If ffs_update() gets through these things without returning, it always
panics in the read-only case. The test program truncates to a nonzero
length, presumably to get past the null truncate case, and its panic
is not for the read-only case so it must be getting past the panic for
that too.
Bruce
More information about the freebsd-bugs
mailing list