[Bug 205938] [ext2fs][patch][panic] EXT4: reading mmaped file causes panic because struct buf leaks

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jan 5 23:53:26 UTC 2016 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205938

            Bug ID: 205938
           Summary: [ext2fs][patch][panic] EXT4: reading mmaped file
                    causes panic because struct buf leaks
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: crash, patch
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: damjan.jov at gmail.com
                CC: freebsd-fs at FreeBSD.org

Created attachment 165127
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165127&action=edit
Fix a kernel panic when reading mmaped files from EXT4

Calling mmap() on any sizeable file on an EXT4 filesystem, and then attempting
to read that memory (can be easily tested using the "cmp file file" tool),
causes a reproducible kernel panic:

userret: returning with the following locks held:
exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe001d90c220) locked @
/usr/src/sys/kern/vfs_bio.c:1454
panic: witness_warn
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace-self_wrapper+0x2b/frame 0xfffffe002b7e67f0
vpanic() at vpanic+0x182/frame 0xfffffe002b7e6870
kassert_panic() at kassert_panic+0x126/frame 0xfffffe002b7e68e0
witness_warn() at witness_warn+0x3c6/frame 0xfffffe002b7e69b0
userret() at userret+0x98/frame 0xfffffe002b7e69e0
trap() at trap+0x3f4/frame 0xfffffe002b7e6bf0
calltrap() at calltrap+0x8/frame 0xfffffe002b7e6bf0
--- trap 0xc, rip = 0x4019c0, rsp = 0x7fffffffe940, rbp = 0x7ffffffffeea30 ---
KDB: enter: panic
[ thread pid 909 tid 100082 ]
Stopped at      kdb_enter+0x3b: movq    $0,kdb_why


The problem comes from ext4_bmapext() in sys/fs/ext2fs/ext2_bmap.c never
calling brelse(), meaning the "struct buf" returned in path.ep_bp from
ext4_ext_find_extent() is never released/unlocked, something userret() catches
later and panics from.

The attached patch always calls brelse(path.ep_bp), fixing reading EXT4 files
using mmap().

This affects all versions of FreeBSD.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

More information about the freebsd-fs mailing list