NetBSD Problem Report #44370
From Wolfgang.Stukenbrock@nagler-company.com Tue Jan 11 11:39:15 2011
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 73BD763B89A
for <gnats-bugs@gnats.NetBSD.org>; Tue, 11 Jan 2011 11:39:15 +0000 (UTC)
Message-Id: <20110111113907.822631E80CE@test-s0.nagler-company.com>
Date: Tue, 11 Jan 2011 12:39:07 +0100 (CET)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: lfs_markv may free kernel-lock too much
X-Send-Pr-Version: 3.95
>Number: 44370
>Category: kern
>Synopsis: lfs_markv may free kernel-lock too much
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jan 11 11:40:00 +0000 2011
>Closed-Date: Mon Oct 07 06:09:16 +0000 2013
>Last-Modified: Mon Oct 07 06:09:16 +0000 2013
>Originator: Dr. Wolfgang Stukenbrock
>Release: NetBSD 5.1
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD test-s0 4.0 NetBSD 4.0 (NSW-WS) #0: Tue Aug 17 17:28:09 CEST 2010 wgstuken@test-s0:/usr/src/sys/arch/amd64/compile/NSW-WS amd64
Architecture: x86_64
Machine: amd64
>Description:
lfs_markv() is called with the kernel lock acquired and the caller releases the kernel lock
in any case after return from lfs_markv().
remark: I've found no call to this routine outside of /usr/src/sys/ufs/lfs/lfs_syscalls.c where
this routine is located too.
Accidentally, in one error case (label "err3:") lfs_markv() will free the kernel lock itself.
In case of this error the kernel lock may be freed for a caller that has acquired the lock before,
resulting in unsynchronized access to critical portions.
>How-To-Repeat:
Found by a look into the source while searching for a deadlock that seems to be related
to the kernel lock.
>Fix:
not sure ...
either remove the unlock at "err3:" label
or all calls to lfs_markv() should evaluate a return value to determine that
the kernel lock has already been freed
Perhaps someone else should have a look at this.
>Release-Note:
>Audit-Trail:
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44370 CVS commit: src/sys/ufs/lfs
Date: Mon, 7 Oct 2013 05:19:23 +0000
Module Name: src
Committed By: dholland
Date: Mon Oct 7 05:19:23 UTC 2013
Modified Files:
src/sys/ufs/lfs: lfs_syscalls.c
Log Message:
Remove stray KERNEL_UNLOCK_ONE() in error path of lfs_markv().
From Wolfgang Stukenbrock in PR 44370.
This error path is only reachable if lfs_markv is handed an out of
range inode number, so it's unlikely that it gets tickled very often.
It isn't clear to me that we need the kernel lock in here at all, as
the path to lfs_markv that's actually used at this point (via fcntl)
doesn't take it. But, one thing at a time.
To generate a diff of this commit:
cvs rdiff -u -r1.148 -r1.149 src/sys/ufs/lfs/lfs_syscalls.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 07 Oct 2013 06:09:16 +0000
State-Changed-Why:
fixed, thanks.
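A small C model of the lock imbalance described in the report and removed by the commit above, added here as an illustration and not NetBSD code: the kernel lock is represented by a depth counter, markv_buggy mirrors the old err3 path, markv_fixed the committed shape, and MAX_INUM, LFS_ERANGE and the kernel_lock_model/kernel_unlock_one_model stand-ins are assumptions.

```c
#include <stdio.h>

#define LFS_ERANGE (-1)   /* stands in for the out-of-range inode error */
#define MAX_INUM   1024   /* hypothetical: larger inode numbers are out of range */

static int kernel_lock_depth;   /* 0 == not held */
static int unlock_underflows;   /* unlocks issued while the lock was not held */

/* Model of KERNEL_LOCK / KERNEL_UNLOCK_ONE as a depth counter. */
static void kernel_lock_model(void) { kernel_lock_depth++; }
static void kernel_unlock_one_model(void) {
    if (kernel_lock_depth <= 0) { unlock_underflows++; return; }
    kernel_lock_depth--;
}

/* Buggy shape: the err3 path releases a lock the caller still owns. */
static int markv_buggy(unsigned inum) {
    if (inum > MAX_INUM) {
        /* err3: stray unlock, as in lfs_syscalls.c before r1.149 */
        kernel_unlock_one_model();
        return LFS_ERANGE;
    }
    return 0;
}

/* Fixed shape: every path leaves lock ownership exactly as it found it. */
static int markv_fixed(unsigned inum) {
    if (inum > MAX_INUM)
        return LFS_ERANGE;
    return 0;
}

/* Caller pattern from the report: lock, call, unlock unconditionally.
 * Returns depth minus underflows: 0 balanced, -1 freed once too often. */
static int call_with_lock(int (*markv)(unsigned), unsigned inum) {
    kernel_lock_depth = 0;
    unlock_underflows = 0;
    kernel_lock_model();
    (void)markv(inum);
    kernel_unlock_one_model();
    return kernel_lock_depth - unlock_underflows;
}

int main(void) {
    printf("buggy, out-of-range inum: %d\n", call_with_lock(markv_buggy, MAX_INUM + 1));
    printf("fixed, out-of-range inum: %d\n", call_with_lock(markv_fixed, MAX_INUM + 1));
    printf("buggy, valid inum:        %d\n", call_with_lock(markv_buggy, 7));
    return 0;
}
```

Only the out-of-range error path shows the imbalance, which matches the commit message's remark that the path is rarely exercised.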
>Unformatted: