[Bug 205938] [ext2fs][patch][panic] EXT4: reading mmaped file causes panic because struct buf leaks
bugzilla-noreply at freebsd.org
Tue Jan 5 23:53:26 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205938
Bug ID: 205938
Summary: [ext2fs][patch][panic] EXT4: reading mmaped file
causes panic because struct buf leaks
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Keywords: crash, patch
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: damjan.jov at gmail.com
CC: freebsd-fs at FreeBSD.org
Created attachment 165127
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165127&action=edit
Fix a kernel panic when reading mmaped files from EXT4
Calling mmap() on any sizeable file on an EXT4 filesystem, and then attempting
to read that memory (can be easily tested using the "cmp file file" tool),
causes a reproducible kernel panic:
userret: returning with the following locks held:
exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe001d90c220) locked @
/usr/src/sys/kern/vfs_bio.c:1454
panic: witness_warn
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace-self_wrapper+0x2b/frame 0xfffffe002b7e67f0
vpanic() at vpanic+0x182/frame 0xfffffe002b7e6870
kassert_panic() at kassert_panic+0x126/frame 0xfffffe002b7e68e0
witness_warn() at witness_warn+0x3c6/frame 0xfffffe002b7e69b0
userret() at userret+0x98/frame 0xfffffe002b7e69e0
trap() at trap+0x3f4/frame 0xfffffe002b7e6bf0
calltrap() at calltrap+0x8/frame 0xfffffe002b7e6bf0
--- trap 0xc, rip = 0x4019c0, rsp = 0x7fffffffe940, rbp = 0x7ffffffffeea30 ---
KDB: enter: panic
[ thread pid 909 tid 100082 ]
Stopped at kdb_enter+0x3b: movq $0,kdb_why
The problem comes from ext4_bmapext() in sys/fs/ext2fs/ext2_bmap.c never
calling brelse(), meaning the "struct buf" returned in path.ep_bp from
ext4_ext_find_extent() is never released/unlocked, something userret() catches
later and panics from.
The attached patch always calls brelse(path.ep_bp), fixing reading EXT4 files
using mmap().
This affects all versions of FreeBSD.
--
You are receiving this mail because:
You are on the CC list for the bug.
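Added example, not part of the original report or the attached patch: a user-space C model of the leak described above, where a lookup standing in for ext4_ext_find_extent() hands back a locked buffer in ep_bp and the caller either releases it or does not. All model_* names, the lock counter and the extent values are constructed for illustration; this is not the FreeBSD source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model, not kernel code: all model_* names are hypothetical. */
struct model_buf  { bool locked; };                 /* stands in for struct buf */
struct model_path { struct model_buf *ep_bp; long start, len, phys; };
static int locks_held;  /* count a WITNESS-style check would see for the thread */

static void model_lock(struct model_buf *bp) { bp->locked = true; locks_held++; }
static void model_brelse(struct model_buf *bp) {
    if (bp != NULL && bp->locked) { bp->locked = false; locks_held--; }
}

/* Stands in for ext4_ext_find_extent(): returns a locked buffer in ep_bp. */
static void model_find_extent(struct model_buf *blk, struct model_path *path) {
    model_lock(blk);
    path->ep_bp = blk;
    path->start = 0; path->len = 8; path->phys = 1000;  /* constructed extent */
}

/* Translate logical block lbn; 'release' selects the leaky or the fixed form. */
static long model_bmap(struct model_buf *blk, long lbn, bool release) {
    struct model_path path = { 0 };
    long bn = -1;                                   /* -1: lbn not mapped */
    model_find_extent(blk, &path);
    if (lbn >= path.start && lbn < path.start + path.len)
        bn = path.phys + (lbn - path.start);
    if (release)
        model_brelse(path.ep_bp);   /* one release on the single exit path */
    return bn;
}

/* Locks still held after n lookups: the condition the panic above reports. */
int locks_after_lookups(int n, bool release) {
    struct model_buf blocks[16] = { { false } };
    locks_held = 0;
    for (int i = 0; i < n && i < 16; i++)
        (void)model_bmap(&blocks[i], i, release);
    return locks_held;
}
long mapped_block(long lbn, bool release) {
    struct model_buf blk = { false };
    return model_bmap(&blk, lbn, release);
}

int main(void) {
    printf("leaky=%d fixed=%d\n", locks_after_lookups(12, false), locks_after_lookups(12, true));
    return 0;
}
```

The mapping result is identical in both forms; only the number of locks left held differs, which is why the defect surfaces at return to user mode rather than in the lookup itself.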