Bug in the unmounting code

Kris Kennaway kris at obsecurity.org
Sat Apr 21 02:13:52 UTC 2007


On Fri, Apr 20, 2007 at 06:51:11PM -0700, Maxim Sobolev wrote:
> Hi,
> 
> I have noticed that there is a bug in the unmounting code which could make
> a filesystem unmountable when its parent filesystem has been forcefully
> unmounted. The following is a quick way to reproduce the problem:
> 
> [sobomax at pioneer ~]$ sudo mkdir -p /tmp/1/2
> [sobomax at pioneer ~]$ sudo mkdir /tmp/3
> [sobomax at pioneer ~]$ sudo mount_nullfs /tmp/1 /tmp/3
> [sobomax at pioneer ~]$ sudo mount_nullfs /tmp/1 /tmp/3/2
> [sobomax at pioneer ~]$ sudo umount -f /tmp/3
> [sobomax at pioneer ~]$ sudo mount -v
> /tmp/1 on /tmp/3/2 (nullfs, local, fsid 03ff000202000000)
> [sobomax at pioneer ~]$ sudo umount 03ff000202000000
> umount: unmount of /tmp/3/2 failed: No such file or directory
> umount: retrying using path instead of file system ID
> umount: unmount of /tmp/3/2 failed: No such file or directory

Thanks for tracking this down. I have seen (and reported) these
unmountable filesystems myself but had not found a way to reproduce
them.

Kris

> Investigation has revealed that in this case vn_lock() call fails with
> ENOENT due to the following piece of code:
> 
> vn_lock()
> [...]
>                 if (error == 0 && vp->v_iflag & VI_DOOMED &&
>                     (flags & LK_RETRY) == 0) {
>                         VOP_UNLOCK(vp, 0, td);
>                         error = ENOENT;
>                         break;
>                 }
> [...]
> 
> Addition of the LK_RETRY flag fixed the problem, but my knowledge of VFS is
> quite limited, so I would appreciate it if somebody could verify that
> the fix below won't have any undesirable effects.
> 
> -Maxim
> 
> --- vfs_mount.c 2007/04/21 01:40:53     1.1
> +++ vfs_mount.c 2007/04/21 01:41:09
> @@ -1155,7 +1155,7 @@
>                 mnt_gen_r = mp->mnt_gen;
>                 VI_LOCK(coveredvp);
>                 vholdl(coveredvp);
> -               error = vn_lock(coveredvp, LK_EXCLUSIVE | LK_INTERLOCK, td);
> +               error = vn_lock(coveredvp, LK_EXCLUSIVE | LK_INTERLOCK |
> LK_RETRY, td);
>                 vdrop(coveredvp);
>                 /*
>                  * Check for mp being unmounted while waiting for the
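Review bot: adding LK_RETRY to the vn_lock() call on coveredvp means the VI_DOOMED branch quoted earlier from vn_lock() is skipped, so the call can now return 0 with a doomed coveredvp held locked instead of failing with ENOENT. The code after vdrop(coveredvp) needs to be checked for any use of coveredvp that assumes a live vnode (the visible context only shows the start of the "Check for mp being unmounted" comment, so that cannot be confirmed from this hunk). A short comment at the call saying that LK_RETRY is there so a filesystem whose parent was forcibly unmounted can still be unmounted would make the intent clear. Separately, the added line is wrapped by the mailer ("LK_INTERLOCK |" then "LK_RETRY, td);" on a new line without a leading "+"), so the patch will not apply as posted; resending it as an attachment or keeping the call on one line would avoid that.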
> 
> 