From bruce@cran.org.uk  Fri Jul 16 17:34:18 2010
Return-Path: <bruce@cran.org.uk>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8DFED106564A
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 16 Jul 2010 17:34:18 +0000 (UTC)
	(envelope-from bruce@cran.org.uk)
Received: from queueout02-winn.ispmail.ntl.com (queueout02-winn.ispmail.ntl.com [81.103.221.56])
	by mx1.freebsd.org (Postfix) with ESMTP id 722128FC08
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 16 Jul 2010 17:34:13 +0000 (UTC)
Received: from know-smtpout-4.server.virginmedia.net ([62.254.123.4])
          by mtaout03-winn.ispmail.ntl.com
          (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP
          id <20100716170739.XXGK3075.mtaout03-winn.ispmail.ntl.com@know-smtpout-4.server.virginmedia.net>
          for <FreeBSD-gnats-submit@freebsd.org>;
          Fri, 16 Jul 2010 18:07:39 +0100
Received: from [86.31.3.93] (helo=bsdbook.nessbank)
	by know-smtpout-4.server.virginmedia.net with smtp (Exim 4.63)
	(envelope-from <bruce@cran.org.uk>)
	id 1OZoNq-0006AR-Jp
	for FreeBSD-gnats-submit@freebsd.org; Fri, 16 Jul 2010 18:07:35 +0100
Received: by bsdbook.nessbank (sSMTP sendmail emulation); Fri, 16 Jul 2010 18:07:49 +0100
Message-Id: <20100716170739.XXGK3075.mtaout03-winn.ispmail.ntl.com@know-smtpout-4.server.virginmedia.net>
Date: Fri, 16 Jul 2010 18:07:49 +0100
From: "Bruce Cran" <bruce@cran.org.uk>
Reply-To: Bruce Cran <bruce@cran.org.uk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [geom] gpart prints invalid partition number when destroying
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         148687
>Category:       kern
>Synopsis:       [geom] gpart prints invalid partition number when destroying uncommitted slice/partition.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    ae
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 16 17:40:07 UTC 2010
>Closed-Date:    Fri Jul 30 08:03:52 UTC 2010
>Last-Modified:  Fri Jul 30 08:03:52 UTC 2010
>Originator:     Bruce Cran
>Release:        FreeBSD 9.0-HEAD-20100715-JPSNAP amd64
>Organization:
>Environment:
System: FreeBSD bsdbook.nessbank 9.0-HEAD-20100715-JPSNAP FreeBSD 9.0-HEAD-20100715-JPSNAP #0: Thu Jul 15 06:37:19 UTC 2010 root@build-amd64-fbsd.allbsd.org:/usr/obj/usr/src/sys/GENERIC amd64


	
>Description:
	After using the feature which allows the creation of slices and 
partitions to be undone within gpart, deleting a freebsd partition results in 
geom printing a large negative number instead of "1". 
>How-To-Repeat:
gpart create -s mbr -f x da0
gpart add -t freebsd -f x da0
gpart create -s bsd -f x da0s1
gpart destroy da0s1
gpart delete -i 1 da0

A log of the output is attached.
>Fix:

	

--- gpart.log begins here ---
bsdbook# dmesg | grep da0
da0 at umass-sim0 bus 0 scbus1 target 0 lun 0
da0: <PEAK III Flash Drive 0.00> Removable Direct Access SCSI-2 device 
da0: 40.000MB/s transfers
da0: 1967MB (4030463 512 byte sectors: 255H 63S/T 250C)
bsdbook# gpart show da0
gpart: No such geom: da0.
bsdbook# gpart create -f x -s mbr da0
da0 created
bsdbook# gpart add -f x -t freebsd da0
da0s1 added
bsdbook# gpart create -f x -s bsd da0s1
da0s1 created
bsdbook# gpart destroy da0s1
da0s1 destroyed
bsdbook# gpart delete -i 1 da0
da0s-559038242 deleted
--- gpart.log ends here ---


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->open  
State-Changed-By: brucec 
State-Changed-When: Fri Jul 16 18:14:58 UTC 2010 
State-Changed-Why:  
This actually appears to be kernel memory corruption: soon afterwards  
I found that gpart was crashing with a segmentation fault and I then  
got a panic, apparently within bcopy called from the ipi nmi handler. 
After rebooting I found that the first few sectors of the disk had  
been overwritten with the contents of random files from my main disk. 
found that contents from some scripts were on da0. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148687 
Responsible-Changed-From-To: freebsd-bugs->freebsd-geom 
Responsible-Changed-By: brucec 
Responsible-Changed-When: Fri Jul 16 18:20:10 UTC 2010 
Responsible-Changed-Why:  
Geom PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148687 
Responsible-Changed-From-To: freebsd-geom->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Sat Jul 17 06:36:28 UTC 2010 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148687 

From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: bug-followup@FreeBSD.org, bruce@cran.org.uk
Cc: Marcel Moolenaar <marcel@freebsd.org>
Subject: Re: kern/148687: [geom] gpart prints invalid partition number when
 destroying uncommitted slice/partition.
Date: Sat, 17 Jul 2010 11:08:55 +0400

 This is a multi-part message in MIME format.
 --------------040202060703030200020507
 Content-Type: text/plain; charset=KOI8-R
 Content-Transfer-Encoding: 8bit
 
 Hi, Bruce
 
 can you test following patch?
 
 -- 
 WBR, Andrey V. Elsukov
 
 --------------040202060703030200020507
 Content-Type: text/plain;
  name="g_part.diff"
 Content-Transfer-Encoding: quoted-printable
 Content-Disposition: attachment;
  filename="g_part.diff"
 
 Index: g_part.c
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 --- g_part.c	(revision 209667)
 +++ g_part.c	(working copy)
 @@ -830,14 +830,6 @@
  		entry->gpe_pp =3D NULL;
  	}
 =20
 -	if (entry->gpe_created) {
 -		LIST_REMOVE(entry, gpe_entry);
 -		g_free(entry);
 -	} else {
 -		entry->gpe_modified =3D 0;
 -		entry->gpe_deleted =3D 1;
 -	}
 -
  	if (pp !=3D NULL)
  		g_wither_provider(pp, ENXIO);
 =20
 @@ -850,6 +842,14 @@
  		gctl_set_param(req, "output", sbuf_data(sb), sbuf_len(sb) + 1);
  		sbuf_delete(sb);
  	}
 +
 +	if (entry->gpe_created) {
 +		LIST_REMOVE(entry, gpe_entry);
 +		g_free(entry);
 +	} else {
 +		entry->gpe_modified =3D 0;
 +		entry->gpe_deleted =3D 1;
 +	}
  	return (0);
  }
 =20
 
 --------------040202060703030200020507--
State-Changed-From-To: open->feedback 
State-Changed-By: ae 
State-Changed-When: Mon Jul 19 14:53:59 UTC 2010 
State-Changed-Why:  
feedback requested. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148687 

From: Bruce Cran <bruce@cran.org.uk>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: bug-followup@FreeBSD.org, Marcel Moolenaar <marcel@freebsd.org>
Subject: Re: kern/148687: [geom] gpart prints invalid partition number when
 destroying uncommitted slice/partition.
Date: Wed, 21 Jul 2010 17:02:11 +0100

 On Sat, 17 Jul 2010 11:08:55 +0400
 "Andrey V. Elsukov" <bu7cher@yandex.ru> wrote:
 
 > can you test following patch?
 
 For some reason I'm unable to replicate the problem now, with a new
 build of sources from HEAD without the patch.
 
 -- 
 Bruce 
State-Changed-From-To: feedback->patched 
State-Changed-By: ae 
State-Changed-When: Fri Jul 23 06:39:47 UTC 2010 
State-Changed-Why:  
Patched in HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148687 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/148687: commit references a PR
Date: Fri, 23 Jul 2010 06:30:16 +0000 (UTC)

 Author: ae
 Date: Fri Jul 23 06:30:01 2010
 New Revision: 210401
 URL: http://svn.freebsd.org/changeset/base/210401
 
 Log:
   Prevent access after free to table entry in case when
   user deletes partition that not yet created (changes doesn't
   committed to disk).
   
   PR:		148687
   Approved by:	mav (mentor)
   MFC after:	7 days
 
 Modified:
   head/sys/geom/part/g_part.c
 
 Modified: head/sys/geom/part/g_part.c
 ==============================================================================
 --- head/sys/geom/part/g_part.c	Fri Jul 23 06:01:30 2010	(r210400)
 +++ head/sys/geom/part/g_part.c	Fri Jul 23 06:30:01 2010	(r210401)
 @@ -830,14 +830,6 @@ g_part_ctl_delete(struct gctl_req *req, 
  		entry->gpe_pp = NULL;
  	}
  
 -	if (entry->gpe_created) {
 -		LIST_REMOVE(entry, gpe_entry);
 -		g_free(entry);
 -	} else {
 -		entry->gpe_modified = 0;
 -		entry->gpe_deleted = 1;
 -	}
 -
  	if (pp != NULL)
  		g_wither_provider(pp, ENXIO);
  
 @@ -850,6 +842,14 @@ g_part_ctl_delete(struct gctl_req *req, 
  		gctl_set_param(req, "output", sbuf_data(sb), sbuf_len(sb) + 1);
  		sbuf_delete(sb);
  	}
 +
 +	if (entry->gpe_created) {
 +		LIST_REMOVE(entry, gpe_entry);
 +		g_free(entry);
 +	} else {
 +		entry->gpe_modified = 0;
 +		entry->gpe_deleted = 1;
 +	}
  	return (0);
  }
  
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/148687: commit references a PR
Date: Fri, 30 Jul 2010 07:31:11 +0000 (UTC)

 Author: ae
 Date: Fri Jul 30 07:30:57 2010
 New Revision: 210634
 URL: http://svn.freebsd.org/changeset/base/210634
 
 Log:
   MFC r210401:
     Prevent access after free to table entry in case when
     user deletes partition that not yet created (changes doesn't
     committed to disk).
   
     PR:		148687
   
   Approved by:	mav (mentor)
 
 Modified:
   stable/8/sys/geom/part/g_part.c
 Directory Properties:
   stable/8/sys/   (props changed)
   stable/8/sys/amd64/include/xen/   (props changed)
   stable/8/sys/cddl/contrib/opensolaris/   (props changed)
   stable/8/sys/contrib/dev/acpica/   (props changed)
   stable/8/sys/contrib/pf/   (props changed)
   stable/8/sys/dev/xen/xenpci/   (props changed)
 
 Modified: stable/8/sys/geom/part/g_part.c
 ==============================================================================
 --- stable/8/sys/geom/part/g_part.c	Fri Jul 30 06:06:33 2010	(r210633)
 +++ stable/8/sys/geom/part/g_part.c	Fri Jul 30 07:30:57 2010	(r210634)
 @@ -829,14 +829,6 @@ g_part_ctl_delete(struct gctl_req *req, 
  		entry->gpe_pp = NULL;
  	}
  
 -	if (entry->gpe_created) {
 -		LIST_REMOVE(entry, gpe_entry);
 -		g_free(entry);
 -	} else {
 -		entry->gpe_modified = 0;
 -		entry->gpe_deleted = 1;
 -	}
 -
  	if (pp != NULL)
  		g_wither_provider(pp, ENXIO);
  
 @@ -849,6 +841,14 @@ g_part_ctl_delete(struct gctl_req *req, 
  		gctl_set_param(req, "output", sbuf_data(sb), sbuf_len(sb) + 1);
  		sbuf_delete(sb);
  	}
 +
 +	if (entry->gpe_created) {
 +		LIST_REMOVE(entry, gpe_entry);
 +		g_free(entry);
 +	} else {
 +		entry->gpe_modified = 0;
 +		entry->gpe_deleted = 1;
 +	}
  	return (0);
  }
  
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: ae 
State-Changed-When: Fri Jul 30 08:03:22 UTC 2010 
State-Changed-Why:  
Merged to stable/8. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=148687 
>Unformatted:
