From iedowse@maths.tcd.ie  Sun Mar 12 13:03:24 2000
Return-Path: <iedowse@maths.tcd.ie>
Received: from salmon.maths.tcd.ie (salmon.maths.tcd.ie [134.226.81.11])
	by hub.freebsd.org (Postfix) with SMTP id DA64137B849
	for <freebsd-gnats-submit@freebsd.org>; Sun, 12 Mar 2000 13:03:22 -0800 (PST)
	(envelope-from iedowse@maths.tcd.ie)
Received: from walton.maths.tcd.ie by salmon.maths.tcd.ie with SMTP
          id <aa00290@salmon>; 12 Mar 2000 21:03:18 +0000 (GMT)
Message-Id: <200003122103.aa08098@walton.maths.tcd.ie>
Date: Sun, 12 Mar 2000 21:03:18 +0000 (GMT)
From: iedowse@maths.tcd.ie
Sender: iedowse@maths.tcd.ie
Reply-To: iedowse@maths.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org
Subject: msdosfs_rename and 'vrele: negative ref count'
X-Send-Pr-Version: 3.2

>Number:         17347
>Category:       kern
>Synopsis:       msdosfs_rename and 'vrele: negative ref count'
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    dwmalone
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 12 13:10:00 PST 2000
>Closed-Date:    Tue Jul 18 09:02:33 PDT 2000
>Last-Modified:  Tue Jul 18 09:03:24 PDT 2000
>Originator:     Ian Dowse
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
		School of Mathematics
		Trinity College Dublin
>Environment:

	FreeBSD -current or -stable.

>Description:

	Certain error contitions cause msdosfs_rename() to decrement the
	vnode reference count on 'fdvp' more times than it should.

	In particular, an attempt to replace a non-empty directory
	vrele()'s 'fdvp' twice instead of once.

>How-To-Repeat:

	In an msdosfs directory type:

		mkdir -p a/a/b
		mv a/a .

	(the second line may need to be repeated a few times)

>Fix:
	The following patch appears to correct the problem, but it should
	be checked over by some filesystem guru. The idea of the change
	is to keep exactly one reference to 'fdvp' at all times. This
	allows the error backout code to to the right thing.

--- msdosfs_vnops.c.orig	Sun Mar 12 20:32:47 2000
+++ msdosfs_vnops.c	Sun Mar 12 20:33:49 2000
@@ -1098,7 +1098,6 @@
 	VOP_UNLOCK(fvp, 0, p);
 	if (VTODE(fdvp)->de_StartCluster != VTODE(tdvp)->de_StartCluster)
 		newparent = 1;
-	vrele(fdvp);
 	if (doingdirectory && newparent) {
 		if (error)	/* write access check above */
 			goto bad;
@@ -1166,7 +1165,8 @@
 		panic("msdosfs_rename: lost from startdir");
 	if (!newparent)
 		VOP_UNLOCK(tdvp, 0, p);
-	(void) relookup(fdvp, &fvp, fcnp);
+	if (relookup(fdvp, &fvp, fcnp) == 0)
+		vrele(fdvp);
 	if (fvp == NULL) {
 		/*
 		 * From name has disappeared.


>Release-Note:
>Audit-Trail:

From: "Jeremiah Gowdy" <jgowdy@home.com>
To: <freebsd-gnats-submit@FreeBSD.org>,
	"Ian Dowse" <iedowse@maths.tcd.ie>
Cc:  
Subject: Re: kern/17347: msdosfs_rename and 'vrele: negative ref count'
Date: Thu, 4 May 2000 09:41:19 -0700

 This patch completely fixed my problem with reguards to the kernel panics
 when trees of directory structure are moved or renamed on a FAT32 fs.  It
 completely solved my problems, and I've had no noticable adverse effects
 from the patch.  I recommend it be implemented asap, because this bug is a
 major flaw in the FAT32 support.
 
 
Responsible-Changed-From-To: freebsd-bugs->dwmalone 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Tue Jul 11 04:37:20 PDT 2000 
Responsible-Changed-Why:  
Local PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=17347 
State-Changed-From-To: open->closed 
State-Changed-By: dwmalone 
State-Changed-When: Tue Jul 18 09:02:33 PDT 2000 
State-Changed-Why:  
Patch applied to HEAD and RELENG_4. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=17347 
>Unformatted:
