https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272856
Bug ID: 272856
Summary: cd9660_rrip_loop() can call bread() without brelse()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Created attachment 243757
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=243757&action=edit
a gzipped cd9660 image that causes bread() to be called w/o brelse()

cd9660_rrip_loop() in sys/fs/cd9660/cd9660_rrip.c says:

        while (1) {
                ...;
                    || bread(ana->imp->im_devvp,
                             ana->iso_ce_blk <<
                             (ana->imp->im_bshift - DEV_BSHIFT),
                             ana->imp->logical_block_size, NOCRED,
                             &bp))
                ...;
        }
        if (bp)
                brelse(bp);

The brelse(bp) is outside the loop; if the loop bread()s twice, a
block is left locked.

I've attached a demo image:

  # gunzip cd7a.iso.gz
  # mdconfig cd7a.iso
  # mount_cd9660 /dev/md0 /mnt
  panic: userret: Returning with 1 locks held
  panic() at panic+0x26
  userret() at userret+0xf4
  syscallret() at syscallret+0xa0
  ecall_handler() at ecall_handler+0x22
  do_trap_user() at do_trap_user+0xf2
  cpu_exception_handler_user() at cpu_exception_handler_user+0x72
  --- syscall (378, FreeBSD ELF64, nmount)
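
Added example, not part of the original report and not FreeBSD code: a userspace C model of the lock accounting behind the panic above, showing the reported loop shape beside one way to avoid the leak. model_bread(), model_brelse() and walk_chain() are hypothetical stand-ins for bread(), brelse() and the loop in cd9660_rrip_loop(); the block numbers are constructed.

```c
#include <stddef.h>

#define NBLK 8

struct buf { int locked; };

static struct buf cache[NBLK];  /* constructed: one buffer per block */
static int locks_held;          /* models the count userret() checks */

/* Model of bread(): hands back the block's buffer locked; 0 on success. */
static int model_bread(int blk, struct buf **bpp)
{
    if (blk < 0 || blk >= NBLK)
        return 1;
    cache[blk].locked = 1;
    locks_held++;
    *bpp = &cache[blk];
    return 0;
}

/* Model of brelse(): unlocks the buffer. */
static void model_brelse(struct buf *bp)
{
    bp->locked = 0;
    locks_held--;
}

/*
 * Follow a chain of continuation blocks (chain[i] < 0 ends it).
 * release_prev == 0 mirrors the reported loop: bp is overwritten by each
 * read and released only once, after the loop.
 * release_prev == 1 releases the previous buffer before the next read.
 * Returns the number of buffer locks still held on exit.
 */
int walk_chain(const int *chain, size_t n, int release_prev)
{
    struct buf *bp = NULL;

    locks_held = 0;
    for (size_t i = 0; i < n && chain[i] >= 0; i++) {
        if (release_prev && bp != NULL) {
            model_brelse(bp);
            bp = NULL;
        }
        if (model_bread(chain[i], &bp))
            break;
    }
    if (bp)
        model_brelse(bp);       /* the single release outside the loop */
    return locks_held;
}
```

With a chain of two continuation blocks, the first form exits with one lock held, the same count the panic message reports; each additional block in the chain leaks one more.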