From nobody@FreeBSD.org  Tue Aug 31 10:49:13 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B9DAB10656A9
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 31 Aug 2010 10:49:13 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id A9D9C8FC1C
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 31 Aug 2010 10:49:13 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o7VAnD9a048258
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 31 Aug 2010 10:49:13 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o7VAnD8Z048257;
	Tue, 31 Aug 2010 10:49:13 GMT
	(envelope-from nobody)
Message-Id: <201008311049.o7VAnD8Z048257@www.freebsd.org>
Date: Tue, 31 Aug 2010 10:49:13 GMT
From: Gleb Kurtsou <gk@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch][tmpfs] Source directory vnode can disappear before locking it in tmpfs_rename
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         150143
>Category:       kern
>Synopsis:       [patch][tmpfs] Source directory vnode can disappear before locking it in tmpfs_rename
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-fs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 31 10:50:02 UTC 2010
>Closed-Date:    Tue Sep 07 22:49:36 UTC 2010
>Last-Modified:  Tue Sep  7 22:50:01 UTC 2010
>Originator:     Gleb Kurtsou
>Release:        FreeBSD 9.0-CURRENT
>Organization:
>Environment:
>Description:
Source directory vnode can disappear before locking it in tmpfs_rename.

Fixes panic triggered by blogbench.

Also note that fdvp vnode locking order may be incorrect in tmpfs_rename, and thus rename is deadlock prone. It was initially incorrect, possible solution could be to lock all necessary vnodes similarly to ufs, but it seems not to work well with tmpfs.
>How-To-Repeat:

>Fix:
Patch attached, tested by Ivan Voras

Patch attached with submission follows:

commit 82d1664e6831dbc44d380170ed5590ff67113749
Author: Gleb Kurtsou <gleb.kurtsou@gmail.com>
Date:   Thu Aug 12 13:05:17 2010 +0300

    tmpfs: Source entry can disappear before we lock fdvp in tmpfs_rename()
    
    Fixes panic triggered by blogbench

diff --git a/fs/tmpfs/tmpfs_vnops.c b/fs/tmpfs/tmpfs_vnops.c
index ef54e5e..117700b 100644
--- a/fs/tmpfs/tmpfs_vnops.c
+++ b/fs/tmpfs/tmpfs_vnops.c
@@ -991,10 +991,14 @@ tmpfs_rename(struct vop_rename_args *v)
 	fnode = VP_TO_TMPFS_NODE(fvp);
 	de = tmpfs_dir_lookup(fdnode, fnode, fcnp);
 
-	/* Avoid manipulating '.' and '..' entries. */
+	/* Entry can disappear before we lock fdvp,
+	 * also avoid manipulating '.' and '..' entries. */
 	if (de == NULL) {
-		MPASS(fvp->v_type == VDIR);
-		error = EINVAL;
+		if ((fcnp->cn_flags & ISDOTDOT) != 0 ||
+		    (fcnp->cn_namelen == 1 && fcnp->cn_nameptr[0] == '.'))
+			error = EINVAL;
+		else
+			error = ENOENT;
 		goto out_locked;
 	}
 	MPASS(de->td_node == fnode);


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-fs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Sep 6 07:07:55 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=150143 
State-Changed-From-To: open->closed 
State-Changed-By: ivoras 
State-Changed-When: Tue Sep 7 22:48:23 UTC 2010 
State-Changed-Why:  
Committed. r212305. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=150143 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/150143: commit references a PR
Date: Tue,  7 Sep 2010 22:41:09 +0000 (UTC)

 Author: ivoras
 Date: Tue Sep  7 22:40:45 2010
 New Revision: 212305
 URL: http://svn.freebsd.org/changeset/base/212305
 
 Log:
   Avoid "Entry can disappear before we lock fdvp" panic.
   
   PR:		150143
   Submitted by:	Gleb Kurtsou <gk at FreeBSD.org>
   Pretty sure it won't blow up: mckusick
   MFC after:	2 weeks
 
 Modified:
   head/sys/fs/tmpfs/tmpfs_vnops.c
 
 Modified: head/sys/fs/tmpfs/tmpfs_vnops.c
 ==============================================================================
 --- head/sys/fs/tmpfs/tmpfs_vnops.c	Tue Sep  7 21:28:45 2010	(r212304)
 +++ head/sys/fs/tmpfs/tmpfs_vnops.c	Tue Sep  7 22:40:45 2010	(r212305)
 @@ -981,10 +981,14 @@ tmpfs_rename(struct vop_rename_args *v)
  	fnode = VP_TO_TMPFS_NODE(fvp);
  	de = tmpfs_dir_lookup(fdnode, fnode, fcnp);
  
 -	/* Avoid manipulating '.' and '..' entries. */
 +	/* Entry can disappear before we lock fdvp,
 +	 * also avoid manipulating '.' and '..' entries. */
  	if (de == NULL) {
 -		MPASS(fvp->v_type == VDIR);
 -		error = EINVAL;
 +		if ((fcnp->cn_flags & ISDOTDOT) != 0 ||
 +		    (fcnp->cn_namelen == 1 && fcnp->cn_nameptr[0] == '.'))
 +			error = EINVAL;
 +		else
 +			error = ENOENT;
  		goto out_locked;
  	}
  	MPASS(de->td_node == fnode);
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
