From Tor.Egge@idt.ntnu.no  Wed Oct 30 20:34:52 1996
Received: from pat.idt.unit.no (pat.idt.unit.no [129.241.103.5])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA24994
          for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 Oct 1996 20:34:51 -0800 (PST)
Received: from ikke.idt.unit.no (ikke.idt.unit.no [129.241.111.65]) by pat.idt.unit.no (8.7.5/8.7.3) with ESMTP id FAA18932 for <FreeBSD-gnats-submit@freebsd.org>; Thu, 31 Oct 1996 05:34:48 +0100 (MET)
Received: (from tegge@localhost) by ikke.idt.unit.no (8.7.6/8.7.3) id FAA00507; Thu, 31 Oct 1996 05:34:47 +0100 (MET)
Message-Id: <199610310434.FAA00507@ikke.idt.unit.no>
Date: Thu, 31 Oct 1996 05:34:47 +0100 (MET)
From: Tor Egge <Tor.Egge@idt.ntnu.no>
Reply-To: Tor.Egge@idt.ntnu.no
To: FreeBSD-gnats-submit@freebsd.org
Subject: rename() cause panic: page fault
X-Send-Pr-Version: 3.2

>Number:         1930
>Category:       kern
>Synopsis:       rename() cause panic: page fault
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bde
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 30 20:40:01 PST 1996
>Closed-Date:    Mon Nov 4 08:09:44 PST 1996
>Last-Modified:  Mon Nov  4 08:14:59 PST 1996
>Originator:     Tor Egge
>Release:        FreeBSD 2.2-CURRENT i386
>Organization:
Norwegian University of Science and Technology, Trondheim, Norway

>Environment:

FreeBSD ikke.idt.unit.no 2.2-CURRENT FreeBSD 2.2-CURRENT #0: Sat Oct 26 04:09:08 MET DST 1996     root@ikke.idt.unit.no:/usr/src/sys-UP/compile/TEGGE  i386

>Description:

	simultaneous calls to rename() with the same arguments 
	cause a system crash with the message panic: page fault

>How-To-Repeat:

	Run several instances of this script. 
	---
	#!/bin/sh
	mkdir loser
	while true
	do
	  touch loser/abc
	  mv loser/abc loser/def
	done
	---


>Fix:
>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: FreeBSD-gnats-submit@freebsd.org, Tor.Egge@idt.ntnu.no
Cc:
Subject: Re: kern/1930: rename() cause panic: page fault
Date: Fri, 1 Nov 1996 03:55:55 +1100

 >	simultaneous calls to rename() with the same arguments 
 >	cause a system crash with the message panic: page fault
 
 Try this fix.  I've spent a lot of time looking for the bug reported
 by the second printf and had forgotten about the problem with directories.
 
 There also seems to be a bunch of very rarely active bugs involving
 ufs_checkpath().  It seems to be possible for ufs_checkpath() to
 block and another process to rearrange the tree(s) so that rename()
 does bad things when it restarts.  I've verified this by faking a
 block in the VFS_VGET() operation in ufs_lookup.c and rearranging
 the trees using ordinary renames.
 
 Bruce
 
 diff -c2 ufs_vnops.c~ ufs_vnops.c
 *** ufs_vnops.c~	Fri Sep 20 13:17:29 1996
 --- ufs_vnops.c	Mon Oct 14 20:20:52 1996
 ***************
 *** 843,849 ****
   	}
   
 - 	/*
 - 	 * Check if just deleting a link name.
 - 	 */
   	if (tvp && ((VTOI(tvp)->i_flags & (IMMUTABLE | APPEND)) ||
   	    (VTOI(tdvp)->i_flags & APPEND))) {
 --- 848,851 ----
 ***************
 *** 851,857 ****
   		goto abortit;
   	}
   	if (fvp == tvp) {
   		if (fvp->v_type == VDIR) {
 ! 			error = EINVAL;
   			goto abortit;
   		}
 --- 853,876 ----
   		goto abortit;
   	}
 + 
 + 	/*
 + 	 * Check if just deleting a link name or if we've lost a race.
 + 	 * If another process completes the same rename after we've looked
 + 	 * up the source and have blocked looking up the target, then the
 + 	 * source and target inodes may be identical now although the
 + 	 * names were never linked.
 + 	 */
   	if (fvp == tvp) {
   		if (fvp->v_type == VDIR) {
 ! 			/*
 ! 			 * Linked directories are impossible, so we must
 ! 			 * have lost the race.  Pretend that the rename
 ! 			 * completed before the lookup.
 ! 			 */
 ! #define UFS_RENAME_DEBUG
 ! #ifdef UFS_RENAME_DEBUG
 ! 			printf("ufs_rename: fvp == tvp for directories\n");
 ! #endif
 ! 			error = ENOENT;
   			goto abortit;
   		}
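Review bot: the "#define UFS_RENAME_DEBUG" added inside the function body, directly above the "#ifdef UFS_RENAME_DEBUG" it controls, makes the debug printf unconditional, both here and in the later "from name disappeared" block. Every lost rename race then writes a console line, and the report's script shows ordinary processes can lose that race in a loop. Suggest dropping the #define before commit and leaving the symbol to be set at build time when debugging. A second question on the same branch: the new comment treats fvp == tvp on a directory as proof of a lost race and returns ENOENT where the old code returned EINVAL. If a caller naming the same directory as both source and target can also reach this branch (nothing in the visible lines rules it out), it would now get ENOENT as well; worth confirming that case is caught earlier.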
 ***************
 *** 862,866 ****
   		vput(tvp);
   
 ! 		/* Delete source. */
   		vrele(fdvp);
   		vrele(fvp);
 --- 881,890 ----
   		vput(tvp);
   
 ! 		/*
 ! 		 * Delete source.  There is another race now that everything
 ! 		 * is unlocked, but this doesn't cause any new complications.
 ! 		 * Relookup() may find a file that is unrelated to the
 ! 		 * original one, or it may fail.  Too bad.
 ! 		 */
   		vrele(fdvp);
   		vrele(fvp);
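Review bot: the rewritten "Delete source" comment says the relookup may find a file unrelated to the original one and closes with "Too bad", but it does not say what then happens to that file. From the lines shown further down, whatever is found is passed to VOP_REMOVE(fdvp, fvp, fcnp), so the consequence is that an unrelated entry that reused the source name gets unlinked. Suggest stating that outcome in the comment, and noting that the failure case is the one handled by the fvp == NULL check, so the next reader does not have to infer either.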
 ***************
 *** 874,877 ****
 --- 898,907 ----
   		if (error == 0)
   			vrele(fdvp);
 + 		if (fvp == NULL) {
 + #ifdef UFS_RENAME_DEBUG
 + 			printf("ufs_rename: from name disappeared\n");
 + #endif
 + 			return (ENOENT);
 + 		}
   		return (VOP_REMOVE(fdvp, fvp, fcnp));
   	}
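Review bot: the added "if (fvp == NULL)" branch returns ENOENT without consulting error, which the context line just above only tests for zero. Whatever value error holds at that point is discarded, so a failure other than a missing name would be reported to the caller as ENOENT. Suggest returning error when it is non-zero and reserving ENOENT for the case where error is zero and fvp is still NULL.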

From: Tor Egge <Tor.Egge@idt.ntnu.no>
To: bde@zeta.org.au
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/1930: rename() cause panic: page fault
Date: Thu, 31 Oct 1996 21:08:30 +0100

 > >	simultaneous calls to rename() with the same arguments 
 > >	cause a system crash with the message panic: page fault
 > 
 > Try this fix.  I've spent a lot of time looking for the bug reported
 > by the second printf and had forgotten about the problem with directories.
 
 I now get the message 'ufs_rename: from name disappeared' instead of a
 system crash. Good work.
 
 - Tor Egge
State-Changed-From-To: open->closed 
State-Changed-By: bde 
State-Changed-When: Mon Nov 4 08:09:44 PST 1996 
State-Changed-Why:  
Fixed in rev.1.42 of ufs_vnops.c. 

Anyone want to test for this bug in other fs's?  msdosfs has 
more serious bugs nearby. 


Responsible-Changed-From-To: freebsd-bugs->bde 
Responsible-Changed-By: bde 
Responsible-Changed-When: Mon Nov 4 08:09:44 PST 1996 
Responsible-Changed-Why:  
No one else here seems to understand rename() any better. 
>Unformatted:
