From nobody@FreeBSD.org  Fri Aug  8 13:05:53 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id AFB9B106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  8 Aug 2008 13:05:53 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 9DB6E8FC17
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  8 Aug 2008 13:05:53 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m78D5qP9029318
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 8 Aug 2008 13:05:52 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.2/8.14.1/Submit) id m78D5qdW029317;
	Fri, 8 Aug 2008 13:05:52 GMT
	(envelope-from nobody)
Message-Id: <200808081305.m78D5qdW029317@www.freebsd.org>
Date: Fri, 8 Aug 2008 13:05:52 GMT
From: Nejc Skoberne <nejc@skoberne.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Running ktrace/kdump in jail leads to stale jails
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         126368
>Category:       kern
>Synopsis:       [jail] Running ktrace/kdump in jail leads to stale jails
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 08 13:10:02 UTC 2008
>Closed-Date:    Tue Jan 05 23:35:05 UTC 2010
>Last-Modified:  Tue Jan  5 23:40:02 UTC 2010
>Originator:     Nejc Skoberne
>Release:        7-STABLE
>Organization:
>Environment:
FreeBSD server.domain.com 7.0-STABLE FreeBSD 7.0-STABLE #3: Mon Aug  4 10:28:12 CEST 2008     root@server.domain.com:/usr/src/sys/amd64/compile/ARLEQUIN  amd64
>Description:
Looks like running ktrace and (or?) kdump in a jail isn't a very good idea. When trying to run "/etc/rc.d/jail stop jailname", the jail looks like it is stopped, but the entry remains when listing jails with "jls". If the jail is run again, there will be two entries in the jls output.
>How-To-Repeat:
1. Run ktrace/kdump in a jail.
2. /etc/rc.d/jail stop
3. The jls output still contains the entry for that jail.
4. If running /etc/rc.d/jail start, there will be two entries for the same jail; the "broken" one will not work.
>Fix:


>Release-Note:
>Audit-Trail:

From: "Mateusz Guzik" <mjguzik@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/126368: Running ktrace/kdump in jail leads to stale jails
Date: Fri, 8 Aug 2008 16:47:49 +0200

 
 Hi,
 
 the same problem exists in CURRENT. It seems that ktr_writerequest()
 calls crhold() on credentials, but doesn't free it when exiting.
 Attached patch (simple crfree() before return) fixes this problem (at
 least for me :>).
 
 Thanks,
 --
 Mateusz Guzik
 

From: "Mateusz Guzik" <mjguzik@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/126368: Running ktrace/kdump in jail leads to stale jails
Date: Fri, 8 Aug 2008 16:57:15 +0200

 I hate gmail. The patch looks like this:
 
 --- sys/kern/kern_ktrace.c.orig	2008-08-08 16:37:45.000000000 +0200
 +++ sys/kern/kern_ktrace.c	2008-08-08 16:38:21.000000000 +0200
 @@ -933,10 +933,11 @@
  		error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
  	VOP_UNLOCK(vp, 0, td);
  	vn_finished_write(mp);
  	vrele(vp);
  	VFS_UNLOCK_GIANT(vfslocked);
 +	crfree(cred);
  	if (!error)
  		return;
  	/*
  	 * If error encountered, give up tracing on this vnode.  We defer
  	 * all the vrele()'s on the vnode until after we are finished walking
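 Review bot: the added crfree(cred) runs on both the success and the failure path, so if the cleanup loop that follows the log() call already drops this reference when VOP_WRITE fails (as the author's own follow-up states), a failed write would release the credential twice. Restrict the release to the success branch, e.g. `if (!error) { crfree(cred); return; }`, or verify what the error-path loop frees before keeping an unconditional crfree() here.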
 
 Thanks,
 --
 Mateusz Guzik
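 The mechanism described in the follow-up above (a crhold() in ktr_writerequest() with no matching crfree() on the successful-write path) is why a stopped jail lingers in jls: the traced process's credential keeps a reference on its prison, and the prison is only torn down when that count reaches zero. The C program below is an added illustration, not FreeBSD code; its prison and ucred structures, the write_record() stand-in for VOP_WRITE, and the jail_stale_after_stop() driver are simplified assumptions chosen to show the effect, not the kernel's real layouts or call sequence.

```c
/*
 * Added example (not FreeBSD code): a toy model of the credential
 * reference leak in kern/126368.  A jailed process's credential holds a
 * reference on its prison; the prison only goes away (and disappears
 * from jls) when that count drops to zero.  The "leaky" writer below
 * takes a reference on the tracing credential and forgets to drop it on
 * the success path, so the prison survives "jail stop".
 * All structures and names here are assumptions for illustration.
 */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct prison {
    char name[32];
    int  pr_ref;        /* live references; reaching 0 destroys the prison */
    int  destroyed;
};

struct ucred {
    int            cr_ref;
    struct prison *cr_prison;
};

static void prison_hold(struct prison *pr) { pr->pr_ref++; }
static void prison_free(struct prison *pr) {
    if (--pr->pr_ref == 0)
        pr->destroyed = 1;
}

/* Allocate a credential belonging to prison pr (takes a prison reference). */
static struct ucred *crget(struct prison *pr) {
    struct ucred *cr = calloc(1, sizeof(*cr));
    cr->cr_ref = 1;
    cr->cr_prison = pr;
    prison_hold(pr);
    return cr;
}
static void crhold(struct ucred *cr) { cr->cr_ref++; }
static void crfree(struct ucred *cr) {
    if (--cr->cr_ref == 0) {
        prison_free(cr->cr_prison);   /* last user: release the prison too */
        free(cr);
    }
}

/* Stand-in for VOP_WRITE: 0 on success, an errno value on failure. */
static int write_record(int fail) { return fail ? 5 /* EIO */ : 0; }

/* Buggy shape: crhold() with no crfree() when the write succeeds. */
static int writerequest_leaky(struct ucred *tracecred, int fail) {
    crhold(tracecred);
    int error = write_record(fail);
    if (!error)
        return 0;          /* BUG: the reference taken above is never dropped */
    crfree(tracecred);     /* only the error path cleans up */
    return error;
}

/* Fixed shape: the reference is released on every exit path. */
static int writerequest_fixed(struct ucred *tracecred, int fail) {
    crhold(tracecred);
    int error = write_record(fail);
    crfree(tracecred);
    return error;
}

/*
 * Create a prison, let a traced process issue nwrites trace records
 * (optionally failing the last one), exit the process, then "stop" the
 * jail.  Returns 1 if the prison is still alive afterwards (the stale
 * jls entry), 0 if it was torn down as expected.
 */
static int jail_stale_after_stop(int (*writer)(struct ucred *, int),
                                 int nwrites, int fail_last) {
    struct prison pr;
    memset(&pr, 0, sizeof(pr));
    strcpy(pr.name, "testjail");
    pr.pr_ref = 1;                          /* reference held by the jail framework */

    struct ucred *tracecred = crget(&pr);   /* the process's p_tracecred */
    for (int i = 0; i < nwrites; i++)
        writer(tracecred, fail_last && i == nwrites - 1);

    crfree(tracecred);                      /* process exit drops its own reference */
    prison_free(&pr);                       /* "jail stop" drops the framework's */
    return pr.destroyed ? 0 : 1;
}

int main(void) {
    printf("leaky writer, 3 good writes : stale=%d\n",
           jail_stale_after_stop(writerequest_leaky, 3, 0));
    printf("fixed writer, 3 good writes : stale=%d\n",
           jail_stale_after_stop(writerequest_fixed, 3, 0));
    printf("fixed writer, last write EIO: stale=%d\n",
           jail_stale_after_stop(writerequest_fixed, 3, 1));
    return 0;
}
```

 With the leaky writer, a single successful trace write is enough to pin the prison: the credential's count never returns to zero, so neither the process exit nor the jail stop can release the prison's last reference, which is exactly the "entry remains in jls" symptom from the report. With no trace writes at all (nwrites = 0) both variants behave identically, matching the observation that the problem only appears when ktrace is used inside the jail.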
Responsible-Changed-From-To: freebsd-bugs->freebsd-jail 
Responsible-Changed-By: kris 
Responsible-Changed-When: Fri Aug 8 15:36:29 UTC 2008 
Responsible-Changed-Why:  
Looks like a simple patch to review 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126368 

From: "Mateusz Guzik" <mjguzik@gmail.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/126368: Running ktrace/kdump in jail leads to stale jails
Date: Fri, 8 Aug 2008 19:30:22 +0200

 Err, I made a mistake. crfree() will be called in case of failure
 (loop starting at line 959), so the following patch should be ok:
 
 --- sys/kern/kern_ktrace.c.orig	2008-08-08 16:37:45.000000000 +0200
 +++ sys/kern/kern_ktrace.c	2008-08-08 19:25:16.000000000 +0200
 @@ -933,12 +933,14 @@
  		error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
  	VOP_UNLOCK(vp, 0, td);
  	vn_finished_write(mp);
  	vrele(vp);
  	VFS_UNLOCK_GIANT(vfslocked);
 -	if (!error)
 +	if (!error) {
 +		crfree(cred);
  		return;
 +	}
  	/*
  	 * If error encountered, give up tracing on this vnode.  We defer
  	 * all the vrele()'s on the vnode until after we are finished walking
  	 * the various lists to avoid needlessly holding locks.
  	 */
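 Review bot: moving crfree(cred) inside the `if (!error)` branch means the reference taken by crhold() is only released when VOP_WRITE succeeds, so correctness on the failure path now depends entirely on the later cleanup loop dropping this function's own reference rather than just each process's p_tracecred. The fix that was eventually committed (r185583, quoted further down in this PR) avoids that dependency by calling crfree(cred) unconditionally right after vn_finished_write(mp) and handling only the vnode reference through vrele_count; that form is simpler to reason about and is the one to prefer.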

From: Nejc Škoberne <nejc@skoberne.net>
To: bug-followup@FreeBSD.org, nejc@skoberne.net
Cc:  
Subject: Re: kern/126368: [jail] Running ktrace/kdump in jail leads to stale
 jails
Date: Sun, 10 Aug 2008 10:12:48 +0200

 I have tried the submitted patch but I think it behaves strangely. I still
 see the stale jail, but only for about a minute after I have stopped it.
 After that, "jls" doesn't display the jail anymore. This about-one-minute
 delay is not present if I don't "ktrace" in the jail.

From: Nejc Škoberne <nejc@skoberne.net>
To: bug-followup@FreeBSD.org, nejc@skoberne.net
Cc:  
Subject: Re: kern/126368: [jail] Running ktrace/kdump in jail leads to stale
 jails
Date: Sun, 10 Aug 2008 10:47:51 +0200

 Sorry, please ignore the previous post; my problem of "the delay" seems to
 be unrelated to the "ktrace-in-jail" issue. I guess this patch fixes the problem
 after all.
Responsible-Changed-From-To: freebsd-jail->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sat Nov 29 17:38:17 UTC 2008 
Responsible-Changed-Why:  
I'll track this; I thought it was patched already but I'll look. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126368 
State-Changed-From-To: open->patched 
State-Changed-By: bz 
State-Changed-When: Wed Dec 3 15:58:32 UTC 2008 
State-Changed-Why:  
Was patched in HEAD with r185583. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126368 

From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: bug-followup@FreeBSD.org, nejc@skoberne.net
Cc:  
Subject: Re: kern/126368: [jail] Running ktrace/kdump in jail leads to stale
 jails
Date: Wed, 3 Dec 2008 15:58:14 +0000 (UTC)

 On Sat, 29 Nov 2008, Nejc Skoberne wrote:
 
 Hi,
 
 > As I wrote on August 10:
 >
 > "Sorry, please ignore the previous post, my problem of "the delay" seems to
 > be unrelated with "ktrace-in-jail" issue. I guess this patch fixes the problem
 > after all."
 >
 > So I think you don't need to look again ...
 
 Well, there is (rather, was for HEAD) a credential reference leak there.
 And also some other stuff that had looked strange and ...
 
 See http://svn.freebsd.org/changeset/base/185583
 
 /bz
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/126368: commit references a PR
Date: Wed, 18 Mar 2009 12:25:54 +0000 (UTC)

 Author: bz
 Date: Wed Mar 18 12:25:40 2009
 New Revision: 189957
 URL: http://svn.freebsd.org/changeset/base/189957
 
 Log:
   MFC r185583:
   
     Fix a credential reference leak. [1]
   
     Close subtle but relatively unlikely race conditions when
     propagating the vnode write error to other active sessions
     tracing to the same vnode, without holding a reference on
     the vnode anymore. [2]
   
     PR:           kern/126368 [1]
     Submitted by: rwatson [2]
     Reviewed by:  kib, rwatson
 
 Modified:
   stable/7/sys/   (props changed)
   stable/7/sys/contrib/pf/   (props changed)
   stable/7/sys/dev/cxgb/   (props changed)
   stable/7/sys/kern/kern_ktrace.c
 
 Modified: stable/7/sys/kern/kern_ktrace.c
 ==============================================================================
 --- stable/7/sys/kern/kern_ktrace.c	Wed Mar 18 11:30:47 2009	(r189956)
 +++ stable/7/sys/kern/kern_ktrace.c	Wed Mar 18 12:25:40 2009	(r189957)
 @@ -907,12 +907,7 @@ ktr_writerequest(struct thread *td, stru
  	 */
  	mtx_lock(&ktrace_mtx);
  	vp = td->td_proc->p_tracevp;
 -	if (vp != NULL)
 -		VREF(vp);
  	cred = td->td_proc->p_tracecred;
 -	if (cred != NULL)
 -		crhold(cred);
 -	mtx_unlock(&ktrace_mtx);
  
  	/*
  	 * If vp is NULL, the vp has been cleared out from under this
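 Review bot: with the mtx_unlock(&ktrace_mtx) removed from this hunk, ktrace_mtx remains held when control reaches the `if (vp == NULL)` check below, so every exit path after this point must now release it; this hunk is only correct together with the next one, which adds the unlock on both the early return and the normal path. A one-line comment after `cred = td->td_proc->p_tracecred;` saying that the lock is intentionally held until the references are taken would save the next reader from the same double-take.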
 @@ -921,9 +916,13 @@ ktr_writerequest(struct thread *td, stru
  	 */
  	if (vp == NULL) {
  		KASSERT(cred == NULL, ("ktr_writerequest: cred != NULL"));
 +		mtx_unlock(&ktrace_mtx);
  		return;
  	}
 +	VREF(vp);
  	KASSERT(cred != NULL, ("ktr_writerequest: cred == NULL"));
 +	crhold(cred);
 +	mtx_unlock(&ktrace_mtx);
  
  	kth = &req->ktr_header;
  	datalen = data_lengths[(u_short)kth->ktr_type & ~KTR_DROP];
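 Review bot: taking VREF(vp) and crhold(cred) only after the NULL check, and before ktrace_mtx is dropped, is the right ordering: the old code grabbed the references and released the lock in one step, leaving a window in which p_tracevp/p_tracecred could be cleared out from under this thread (the situation the comment above the check already describes) between the load and the reference acquisition. The KASSERT(cred != NULL) now also runs under the lock, so the vp/cred pairing it checks cannot change beneath it. No change needed here.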
 @@ -963,18 +962,26 @@ ktr_writerequest(struct thread *td, stru
  		error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
  	VOP_UNLOCK(vp, 0, td);
  	vn_finished_write(mp);
 -	vrele(vp);
 -	VFS_UNLOCK_GIANT(vfslocked);
 -	if (!error)
 +	crfree(cred);
 +	if (!error) {
 +		vrele(vp);
 +		VFS_UNLOCK_GIANT(vfslocked);
  		return;
 +	}
 +	VFS_UNLOCK_GIANT(vfslocked);
 +
  	/*
  	 * If error encountered, give up tracing on this vnode.  We defer
  	 * all the vrele()'s on the vnode until after we are finished walking
  	 * the various lists to avoid needlessly holding locks.
 +	 * NB: at this point we still hold the vnode reference that must
 +	 * not go away as we need the valid vnode to compare with. Thus let
 +	 * vrele_count start at 1 and the reference will be freed
 +	 * by the loop at the end after our last use of vp.
  	 */
  	log(LOG_NOTICE, "ktrace write failed, errno %d, tracing stopped\n",
  	    error);
 -	vrele_count = 0;
 +	vrele_count = 1;
  	/*
  	 * First, clear this vnode from being used by any processes in the
  	 * system.
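 Review bot: the two references are now treated asymmetrically and the NB comment only explains the vnode side; cred is dropped immediately after vn_finished_write(mp) because nothing below uses it, while the vnode reference is kept alive through vrele_count = 1 because vp is still compared against each process's p_tracevp in the cleanup loop. That is correct, but worth one more clause in the NB comment so the early crfree(cred) is not mistaken for an inconsistency. VFS_UNLOCK_GIANT(vfslocked) is also duplicated across the success branch and the fall-through; unavoidable given the early return, but both calls need to be kept in sync if the locking changes.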
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: bz 
State-Changed-When: Tue Jan 5 23:34:15 UTC 2010 
State-Changed-Why:  
RELENG_6 has now been fixed as well. 7.2-R and later have it as well. 
Thanks a lot for reporting and the initial patch. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126368 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/126368: commit references a PR
Date: Tue,  5 Jan 2010 23:33:42 +0000 (UTC)

 Author: bz
 Date: Tue Jan  5 23:33:29 2010
 New Revision: 201625
 URL: http://svn.freebsd.org/changeset/base/201625
 
 Log:
   MFC r185583:
   
     Fix a credential reference leak. [1]
   
     Close subtle but relatively unlikely race conditions when
     propagating the vnode write error to other active sessions
     tracing to the same vnode, without holding a reference on
     the vnode anymore. [2]
   
   PR:		kern/126368 [1]
   Submitted by:	rwatson [2]
   Reviewed by:	kib, rwatson (head)
 
 Modified:
   stable/6/sys/kern/kern_ktrace.c
 Directory Properties:
   stable/6/sys/   (props changed)
   stable/6/sys/contrib/pf/   (props changed)
   stable/6/sys/dev/cxgb/   (props changed)
 
 Modified: stable/6/sys/kern/kern_ktrace.c
 ==============================================================================
 --- stable/6/sys/kern/kern_ktrace.c	Tue Jan  5 23:26:45 2010	(r201624)
 +++ stable/6/sys/kern/kern_ktrace.c	Tue Jan  5 23:33:29 2010	(r201625)
 @@ -891,12 +891,7 @@ ktr_writerequest(struct thread *td, stru
  	 */
  	mtx_lock(&ktrace_mtx);
  	vp = td->td_proc->p_tracevp;
 -	if (vp != NULL)
 -		VREF(vp);
  	cred = td->td_proc->p_tracecred;
 -	if (cred != NULL)
 -		crhold(cred);
 -	mtx_unlock(&ktrace_mtx);
  
  	/*
  	 * If vp is NULL, the vp has been cleared out from under this
 @@ -905,9 +900,13 @@ ktr_writerequest(struct thread *td, stru
  	 */
  	if (vp == NULL) {
  		KASSERT(cred == NULL, ("ktr_writerequest: cred != NULL"));
 +		mtx_unlock(&ktrace_mtx);
  		return;
  	}
 +	VREF(vp);
  	KASSERT(cred != NULL, ("ktr_writerequest: cred == NULL"));
 +	crhold(cred);
 +	mtx_unlock(&ktrace_mtx);
  
  	kth = &req->ktr_header;
  	datalen = data_lengths[(u_short)kth->ktr_type & ~KTR_DROP];
 @@ -947,18 +946,26 @@ ktr_writerequest(struct thread *td, stru
  		error = VOP_WRITE(vp, &auio, IO_UNIT | IO_APPEND, cred);
  	VOP_UNLOCK(vp, 0, td);
  	vn_finished_write(mp);
 -	vrele(vp);
 -	mtx_unlock(&Giant);
 -	if (!error)
 +	crfree(cred);
 +	if (!error) {
 +		vrele(vp);
 +		mtx_unlock(&Giant);
  		return;
 +	}
 +	mtx_unlock(&Giant);
 +
  	/*
  	 * If error encountered, give up tracing on this vnode.  We defer
  	 * all the vrele()'s on the vnode until after we are finished walking
  	 * the various lists to avoid needlessly holding locks.
 +	 * NB: at this point we still hold the vnode reference that must
 +	 * not go away as we need the valid vnode to compare with. Thus let
 +	 * vrele_count start at 1 and the reference will be freed
 +	 * by the loop at the end after our last use of vp.
  	 */
  	log(LOG_NOTICE, "ktrace write failed, errno %d, tracing stopped\n",
  	    error);
 -	vrele_count = 0;
 +	vrele_count = 1;
  	/*
  	 * First, clear this vnode from being used by any processes in the
  	 * system.
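 Review bot: this is the same restructuring as the stable/7 merge above, with mtx_unlock(&Giant) standing in for VFS_UNLOCK_GIANT(vfslocked); the same caveat applies that the Giant release is now written twice (inside the `if (!error)` branch and after it) and both must stay in step. The unconditional crfree(cred) before the error test and vrele_count = 1 for the retained vnode reference carry over unchanged, so the asymmetry between the two references is intentional here as well.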
 
>Unformatted:
