[Bug 272856] cd9660_rrip_loop() can call bread() without brelse()
Date: Mon, 31 Jul 2023 21:36:07 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272856
Bug ID: 272856
Summary: cd9660_rrip_loop() can call bread() without brelse()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Created attachment 243757
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=243757&action=edit
a gzipped cd9660 image that causes bread() to be called w/o brelse()
cd9660_rrip_loop() in sys/fs/cd9660/cd9660_rrip.c says:
    while (1) {
        ...;
            || bread(ana->imp->im_devvp,
                     ana->iso_ce_blk <<
                     (ana->imp->im_bshift - DEV_BSHIFT),
                     ana->imp->logical_block_size, NOCRED,
                     &bp))
        ...;
    }
    if (bp)
        brelse(bp);
The brelse(bp) is outside the loop; if the loop bread()s twice, a
block is left locked.
I've attached a demo image:
# gunzip cd7a.iso.gz
# mdconfig cd7a.iso
# mount_cd9660 /dev/md0 /mnt
panic: userret: Returning with 1 locks held
panic() at panic+0x26
userret() at userret+0xf4
syscallret() at syscallret+0xa0
ecall_handler() at ecall_handler+0x22
do_trap_user() at do_trap_user+0xf2
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)
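Added example, not part of the original report and not FreeBSD code: a userland C model of the loop shape described above, comparing a single brelse() after the loop with releasing the previous buffer before each new read. The names model_bread, model_brelse, walk_chain and held_locks are hypothetical, and the block numbers are constructed.

```c
#include <stdio.h>

/* Constructed userland model, not kernel code: held_locks stands in for
 * the per-thread lock count that userret() checks on syscall return. */
struct buf { int locked; };
static struct buf pool[8];
static int held_locks;

/* Modelled on bread(): 0 and a locked buffer on success; on failure an
 * error code, with *bpp set to NULL (assumption of this model). */
static int model_bread(int blk, struct buf **bpp) {
    *bpp = NULL;
    if (blk < 0)
        return 5;                       /* EIO */
    *bpp = &pool[blk % 8];
    (*bpp)->locked = 1;
    held_locks++;
    return 0;
}

static void model_brelse(struct buf *bp) {
    bp->locked = 0;
    held_locks--;
}

/* Follow a chain of continuation blocks; returns locks still held.
 * release_each == 0 mirrors the reported loop (one brelse after the loop);
 * release_each == 1 drops the previous buffer before each new read. */
static int walk_chain(const int *ce_blk, int n, int release_each) {
    struct buf *bp = NULL;
    held_locks = 0;
    for (int i = 0; i < n; i++) {
        if (release_each && bp) {
            model_brelse(bp);
            bp = NULL;
        }
        if (model_bread(ce_blk[i], &bp))
            break;
    }
    if (bp)
        model_brelse(bp);
    return held_locks;
}

int main(void) {
    const int two[] = { 3, 4 };         /* constructed: two chained blocks */
    printf("single brelse after loop: %d held\n", walk_chain(two, 2, 0));
    printf("brelse before each bread: %d held\n", walk_chain(two, 2, 1));
    return 0;
}
```

In this model a failed second read also leaks the first buffer in the single-brelse form, because bp has been reset to NULL by the time the loop exits.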