From nobody@FreeBSD.org  Fri Aug 26 21:46:49 2005
Message-Id: <200508262146.j7QLkmt7038873@www.freebsd.org>
Date: Fri, 26 Aug 2005 21:46:48 GMT
From: Andreas Longwitz <longwitz@incore.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: vinum dumpconfig destroys openmask and let FreeBSD 4.11 Stable crash
X-Send-Pr-Version: www-2.3

>Number:         85329
>Category:       kern
>Synopsis:       [vinum] vinum dumpconfig destroys openmask and let FreeBSD 4.11 Stable crash
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 26 21:50:01 GMT 2005
>Closed-Date:    Fri Dec 01 13:36:57 GMT 2006
>Last-Modified:  Fri Dec 01 13:36:57 GMT 2006
>Originator:     Andreas Longwitz
>Release:        
>Organization:
Data Service Stockelsdorf, Germany
>Environment:
4.11-STABLE FreeBSD 4.11-STABLE #0: Thu Aug  4 00:39:17 CEST 2005     root@bsdmhs.longwitz:/usr/obj/usr/src/sys/BSDMHS  i386
   
>Description:
The byte ds_openmask is handled by the routines dsopen/dsclose in
subr_diskslice.c and stores the partitions used on the disk. If e.g.
the diskslice da1s1 on the system is completely used by vinum, then 
  disklist->lh_first->d_slice->dss_slices[2].ds_openmask = 0x80,
because vinum sets this bit for the h-partition from open_drive.

Now running 
  vinum dumpconfig da1s1
clears the highest bit in the openmask-byte, because the vinum
program (/usr/src/sbin/vinum/list.c) opens and - with program end -
closes the device "/dev/da1s1h". 

Now running again
  vinum dumpconfig da1s1
lets the kernel (dsopen in subr_diskslice.c) think that the disk has gone:
       ssp = *sspp;
       need_init = !dsisopen(ssp);    /* <-- openmask = 0! */
       if (ssp != NULL && need_init)
               dsgone(sspp);

In dsgone, memory used by vinum - especially the disklabel -
is freed, and if there is some activity on the vinum disk
at this time, the system crashes immediately; otherwise it crashes
some time later.

The dumps look like the one described in kern/52916 and kern/58391.
The first hint of the problem I describe here was given in kern/74915. 

>How-To-Repeat:
On FreeBSD 4.11 Stable, give vinum a whole disk and run
vinum dumpconfig twice for this disk. If you e.g. copy a big file to the
vinum disk during this test, the system panics. Please set a
breakpoint at dsgone to avoid the crash.
>Fix:
It seems to me that the kernel is not aware of vinum, because
vinum does not open the disk with the open syscall. I don't know how
to fix this.
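
Added example (not part of the original report and not FreeBSD source): a
userland C model of the openmask bookkeeping described above, showing how one
close from a second opener clears the bit the first opener relies on. The
names model_open, model_close, refs and label_gen are hypothetical, and the
"counted" variant is only an assumed contrast case, not a fix proposed in this PR.

```c
/* Userland model of the openmask bookkeeping (added example, not FreeBSD source). */
#include <stdio.h>

#define PART_H 7                      /* partition h -> bit 0x80 */

struct slice {                        /* stand-in for one dss_slices[] entry */
    unsigned char openmask;           /* one bit per partition, like ds_openmask */
    unsigned char refs[8];            /* hypothetical per-partition open count */
    int label_gen;                    /* bumped whenever the label is rebuilt */
};

static void model_open(struct slice *s, int part)
{
    if (s->openmask == 0)             /* need_init = !dsisopen(ssp) */
        s->label_gen++;               /* dsgone(): old label freed, new one set up */
    s->openmask |= (unsigned char)(1u << part);
    s->refs[part]++;
}

static void model_close(struct slice *s, int part, int counted)
{
    s->refs[part]--;
    if (counted && s->refs[part] > 0)
        return;                       /* assumption: another opener keeps the bit */
    s->openmask &= (unsigned char)~(1u << part);
}

/* Returns 1 if the label vinum opened was torn down behind its back. */
int stale_after_two_dumpconfigs(int counted)
{
    struct slice s = {0};
    int i, vinum_gen;

    model_open(&s, PART_H);           /* vinum's open_drive sets 0x80 */
    vinum_gen = s.label_gen;
    for (i = 0; i < 2; i++) {         /* "vinum dumpconfig da1s1", run twice */
        model_open(&s, PART_H);       /* list.c opens /dev/da1s1h ... */
        model_close(&s, PART_H, counted); /* ... and closes it at exit */
    }
    return s.label_gen != vinum_gen;
}

int main(void)
{
    printf("bitmask only: stale=%d\n", stale_after_two_dumpconfigs(0));
    printf("counted opens: stale=%d\n", stale_after_two_dumpconfigs(1));
    return 0;
}
```

With the single bit per partition, the first dumpconfig leaves openmask at 0
and the second one triggers the teardown while vinum still holds the slice.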
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: ceri 
State-Changed-When: Fri Nov 4 20:00:07 GMT 2005 
State-Changed-Why:  
If this bug only exists in vinum as it exists in 4.x and early 5.x then 
it basically isn't going to get fixed.  Can it be reproduced under the 
gvinum currently in use? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=85329 
State-Changed-From-To: feedback->closed 
State-Changed-By: ceri 
State-Changed-When: Fri Dec 1 13:36:41 UTC 2006 
State-Changed-Why:  
Feedback timeout. 

>Unformatted:
