From kato@eclogite.eps.nagoya-u.ac.jp  Sat Jun  1 22:01:17 1996
Received: from mail.barrnet.net (mail.barrnet.net [131.119.246.7])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA00433
          for <FreeBSD-gnats-submit@freebsd.org>; Sat, 1 Jun 1996 22:01:16 -0700 (PDT)
Received: from marble.eps.nagoya-u.ac.jp (marble.eps.nagoya-u.ac.jp [133.6.57.68]) by mail.barrnet.net (8.7.5/MAIL-RELAY-LEN) with ESMTP id WAA24311 for <FreeBSD-gnats-submit@freebsd.org>; Sat, 1 Jun 1996 22:01:09 -0700 (PDT)
Received: (from kato@localhost) by marble.eps.nagoya-u.ac.jp (8.7.4+2.6Wbeta6/3.3W9) id NAA01317; Sun, 2 Jun 1996 13:59:35 +0900 (JST)
Message-Id: <199606020459.NAA01317@marble.eps.nagoya-u.ac.jp>
Date: Sun, 2 Jun 1996 13:59:35 +0900 (JST)
From: kato@eclogite.eps.nagoya-u.ac.jp
Reply-To: kato@eclogite.eps.nagoya-u.ac.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: cluster_read() calls strategy routine without B_READ
X-Send-Pr-Version: 3.2

>Number:         1286
>Category:       kern
>Synopsis:       cluster_read() calls strategy routine without B_READ
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jun  1 22:10:01 PDT 1996
>Closed-Date:    Mon Oct 21 23:27:21 PDT 1996
>Last-Modified:  Mon Oct 21 23:28:00 PDT 1996
>Originator:     KATO Takenori
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
Dept. Earth Planet. Sci., Nagoya Univ.,  Nagoya, 464-01, Japan
>Environment:
FreeBSD-current with revision 1.35 of vfs_cluster.c.
FreeBSD-960501-SNAP may contain same problem.

>Description:

The allocbuf() sets b_flags == (B_MALLOC | B_BUSY) in certain cases after
the change of vfs_bio.c on Mar 2.  The cluster_rbuild() contains:

	tbp = getblk(vp, lbn, size, 0, 0);
	if (tbp->b_flags & (B_CACHE|B_MALLOC))
		return tbp;

If getblk returns a buffer whose b_flags == B_MALLOC | B_BUSY,
cluster_rbuild() returns a buffer without B_READ.  Then cluster_read()
calls VOP_STRATEGY(), and lower level routines assume that the action is
writing, because B_READ is not set.

I realized this problem with CD-ROM access.  When I executed egrep */*
on the CD-ROM, I got the panic:
	panic: vwakeup: neg numoutput

In addition to the above panic, this problem may have the potential to
crash the file system.
When the strategy routine is called by cluster_read without B_READ, the
lower level routine assumes writing, and writes wrong data into the filesystem.

>How-To-Repeat:

1) mount CD-ROM
2) run egrep */* for CD-ROM

>Fix:
The following patch fixes the problem.
---------- BEGIN ----------
*** vfs_cluster.c.ORIG	Sun Jun  2 02:25:51 1996
--- vfs_cluster.c	Sun Jun  2 02:26:04 1996
***************
*** 294,300 ****
  	}
  
  	tbp = getblk(vp, lbn, size, 0, 0);
! 	if (tbp->b_flags & (B_CACHE|B_MALLOC))
  	return tbp;
  
  	tbp->b_blkno = blkno;
--- 294,300 ----
  	}
  
  	tbp = getblk(vp, lbn, size, 0, 0);
! 	if (tbp->b_flags & B_CACHE)
  	return tbp;
  
  	tbp->b_blkno = blkno;
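
Review bot: the changed test at line 297, "if (tbp->b_flags & B_CACHE)", carries no comment explaining why B_MALLOC was dropped, so the old mask could easily be reintroduced later. Suggest a short comment above it stating that a buffer taking this early return goes back to cluster_read() unchanged, so only a buffer with B_CACHE set may take it. Please also confirm that the code from "tbp->b_blkno = blkno;" onward is safe for a B_MALLOC buffer, since such buffers now fall through to it instead of returning.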
---------- END ----------

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: scrappy 
State-Changed-When: Mon Oct 21 22:49:00 PDT 1996 
State-Changed-Why:  

confirm status 

- there is a patch included, if someone wants to comment on it? 

State-Changed-From-To: feedback->closed 
State-Changed-By: scrappy 
State-Changed-When: Mon Oct 21 23:27:21 PDT 1996 
State-Changed-Why:  

Please close the problem report kern/1286, because it has already been
fixed by the revision 1.36 of vfs_cluster.c.

KATO Takenori <kato@eclogite.eps.nagoya-u.ac.jp> 
>Unformatted:
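
A user-space C model of the flag handling described in this report, added here as an illustration; it is not code from the FreeBSD tree or from the submitter. The flag values, the `*_model` functions, and the assumptions that the fall-through path sets B_READ and that write completion decrements `v_numoutput` are constructed for the example.

```c
#include <stdio.h>

/* Constructed flag values for this model; not copied from FreeBSD's buf.h. */
#define B_BUSY   0x01
#define B_CACHE  0x02
#define B_MALLOC 0x04
#define B_READ   0x08

struct buf { int b_flags; };
struct vnode { int v_numoutput; };   /* writes in flight on the vnode */

/* Model of the test in cluster_rbuild(). early_mask is the flag set that
 * triggers the early return. Assumption: the fall-through path marks the
 * buffer as a read before it reaches the strategy routine. */
static struct buf rbuild_model(int early_mask) {
    struct buf b = { B_MALLOC | B_BUSY };   /* the getblk() result from the report */
    if (b.b_flags & early_mask)
        return b;                           /* returned as-is, B_READ never set */
    b.b_flags |= B_READ;
    return b;
}

/* Model of the strategy routine plus I/O completion. Direction is inferred
 * from the absence of B_READ, and a completed write decrements v_numoutput
 * (assumption of this model). Returns 1 for a read, 0 for a write, and -1
 * when the counter goes negative, the condition behind the reported
 * "vwakeup: neg numoutput" panic. */
static int strategy_model(struct vnode *vp, const struct buf *bp) {
    if (bp->b_flags & B_READ)
        return 1;
    if (--vp->v_numoutput < 0)
        return -1;
    return 0;
}

/* One cluster_read()-style request using the given early-return mask. */
static int read_request(int early_mask) {
    struct vnode vp = { 0 };                /* no write was ever started */
    struct buf b = rbuild_model(early_mask);
    return strategy_model(&vp, &b);
}

int main(void) {
    printf("original test: %d\n", read_request(B_CACHE | B_MALLOC));
    printf("patched test:  %d\n", read_request(B_CACHE));
    return 0;
}
```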
