https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205938
Bug ID: 205938
Summary: [ext2fs][patch][panic] EXT4: reading mmaped file causes panic because struct buf leaks
Product: Base System
Version: 11.0-CURRENT
Hardware: Any
OS: Any
Status: New
Keywords: crash, patch
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: damjan....@gmail.com
CC: freebsd...@freebsd.org

Created attachment 165127
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=165127&action=edit
Fix a kernel panic when reading mmaped files from EXT4

Calling mmap() on any sizeable file on an EXT4 filesystem, and then attempting to read that memory (can be easily tested using the "cmp file file" tool), causes a reproducible kernel panic:

userret: returning with the following locks held:
exclusive lockmgr bufwait (bufwait) r = 0 (0xfffffe001d90c220) locked @ /usr/src/sys/kern/vfs_bio.c:1454
panic: witness_warn
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace-self_wrapper+0x2b/frame 0xfffffe002b7e67f0
vpanic() at vpanic+0x182/frame 0xfffffe002b7e6870
kassert_panic() at kassert_panic+0x126/frame 0xfffffe002b7e68e0
witness_warn() at witness_warn+0x3c6/frame 0xfffffe002b7e69b0
userret() at userret+0x98/frame 0xfffffe002b7e69e0
trap() at trap+0x3f4/frame 0xfffffe002b7e6bf0
calltrap() at calltrap+0x8/frame 0xfffffe002b7e6bf0
--- trap 0xc, rip = 0x4019c0, rsp = 0x7fffffffe940, rbp = 0x7ffffffffeea30 ---
KDB: enter: panic
[ thread pid 909 tid 100082 ]
Stopped at kdb_enter+0x3b: movq $0,kdb_why

The problem comes from ext4_bmapext() in sys/fs/ext2fs/ext2_bmap.c never calling brelse(), meaning the "struct buf" returned in path.ep_bp from ext4_ext_find_extent() is never released/unlocked, something userret() catches later and panics from.

The attached patch always calls brelse(path.ep_bp), fixing reading EXT4 files using mmap().

This affects all versions of FreeBSD.
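The leak described in the report, as a userland C model added here (it is not the attached patch and not FreeBSD source). The names bmap_leaky(), bmap_fixed(), model_find_extent(), model_brelse() and locks_still_held() are hypothetical stand-ins for ext4_bmapext(), ext4_ext_find_extent(), brelse() and the lock check the report attributes to userret(); the block mapping is constructed.

```c
/* Userland model (constructed): names echo the report, bodies are stand-ins. */
#include <stddef.h>
#include <stdio.h>

struct buf { int locked; };                       /* stand-in for the kernel's struct buf */
struct ext_path { struct buf *ep_bp; long blk; }; /* the field the report names, plus a result */
static struct buf cache_buf;                      /* one buffer stands in for the buffer cache */
static int locks_held;                            /* what the check on return to user mode finds */

/* Model of ext4_ext_find_extent(): leaves a locked buffer in path->ep_bp. */
static int model_find_extent(struct ext_path *path, long lbn) {
    cache_buf.locked = 1;     /* the buffer comes back locked */
    locks_held++;
    path->ep_bp = &cache_buf;
    path->blk = 1000 + lbn;   /* constructed mapping */
    return 0;
}

/* Model of brelse(): unlock the buffer and give it back. */
static void model_brelse(struct buf *bp) {
    bp->locked = 0;
    locks_held--;
}

/* Reported behaviour: the mapping is returned, the buffer is never released. */
long bmap_leaky(long lbn) {
    struct ext_path path = { NULL, 0 };
    if (model_find_extent(&path, lbn) != 0)
        return -1;
    return path.blk;
}

/* Shape of the fix: a single exit, with the buffer released before it. */
long bmap_fixed(long lbn) {
    struct ext_path path = { NULL, 0 };
    long blk = -1;
    if (model_find_extent(&path, lbn) == 0)
        blk = path.blk;
    if (path.ep_bp != NULL)   /* NULL guard is this model's choice */
        model_brelse(path.ep_bp);
    return blk;
}

int locks_still_held(void) { return locks_held; }

int main(void) {
    bmap_fixed(5); printf("fixed: %d lock(s) held\n", locks_still_held());
    bmap_leaky(5); printf("leaky: %d lock(s) held\n", locks_still_held());
    return 0;
}
```

Both variants return the same mapping; only the count of locks still held on return differs, which is the condition the panic message reports.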