NetBSD-Bugs archive


kern/37706: Forced unmount of file systems is unsafe

>Number:         37706
>Category:       kern
>Synopsis:       Forced unmount of file systems is unsafe
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jan 06 13:10:00 +0000 2008
>Originator:     Andrew Doran
>Release:        4.99.48
>Organization:
The NetBSD Project
>Description:
- Reference counting is not done for struct mount and it can disappear
  out from underneath code that is using it.

- Modification of vnode_t::v_op while v_usecount != 0 is unsafe because
  it's not known whether deadfs or the original file system code will
  be called. Additionally the original fs code could be unloaded from
  the system.
>How-To-Repeat:
Code inspection.
>Fix:
For struct mount:

- Add reference counting to struct mount. Make struct mount
  persist until all references are removed.

- Replace lockmgr() 'handoff' trick used to access struct mount with
  reference counting and a rwlock.

- Have vnodes take references to struct mount.

- Have mounts reference the underlying file system type to prevent
  fs code from being unloaded.

- Have vfs_busy() return ENOENT for file systems in purgatory (this
  is done already in a slightly different way).

For vnode_t::v_op:

- Push locking back into file systems and store locks in the inode.

- Make VOP_RECLAIM() preserve the in-core inode structure if
  v_usecount > 1, but mark the structure as 'gone'.

- Make file system locks/gates return ENOENT if the inode is 'gone'.
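
The struct mount part of the proposed fix, sketched as an added example (not part of the original report and not NetBSD source): a user-space C model in which the mount structure is reference counted, a forced unmount only marks it dying and drops the mount list's reference, and a vfs_busy()-style check returns ENOENT. All model_* names and the freed hook are hypothetical.

```c
/* Added illustration: user-space model, NOT NetBSD kernel code; model_* names are hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
struct model_mount {
    atomic_uint refcnt;  /* one per holder: the mount list and each vnode */
    atomic_bool dying;   /* set by forced unmount ("purgatory") */
    int *freed;          /* demo hook: set to 1 when the memory is released */
};
struct model_mount *model_mount_create(int *freed) {
    struct model_mount *mp = calloc(1, sizeof(*mp));
    if (mp == NULL) return NULL;
    atomic_init(&mp->refcnt, 1);    /* reference owned by the mount list */
    atomic_init(&mp->dying, false);
    mp->freed = freed;
    return mp;
}
void model_mount_hold(struct model_mount *mp) { atomic_fetch_add(&mp->refcnt, 1); }
void model_mount_rele(struct model_mount *mp) {
    if (atomic_fetch_sub(&mp->refcnt, 1) == 1) {  /* last reference dropped */
        *mp->freed = 1;
        free(mp);
    }
}
/* Caller already holds a reference. Returns 0 with a new reference, or ENOENT
 * if unmount has started. A kernel would serialise this check with a lock. */
int model_busy(struct model_mount *mp) {
    if (atomic_load(&mp->dying)) return ENOENT;
    model_mount_hold(mp);
    return 0;
}
void model_force_unmount(struct model_mount *mp) {
    atomic_store(&mp->dying, true);
    model_mount_rele(mp);           /* drops only the mount list's reference */
}
/* Returns 0 when each step behaves as the proposal describes. */
int model_scenario(void) {
    int freed = 0;
    struct model_mount *mp = model_mount_create(&freed);
    if (mp == NULL) return -1;
    model_mount_hold(mp);                      /* a vnode takes its reference */
    model_force_unmount(mp);
    if (freed) return -2;                      /* struct must outlive the unmount */
    if (model_busy(mp) != ENOENT) return -3;   /* new users are refused */
    model_mount_rele(mp);                      /* the vnode is reclaimed */
    return freed ? 0 : -4;
}
int main(void) { return model_scenario() == 0 ? 0 : 1; }
```

The negative return codes identify which property failed: the structure being freed while a vnode still references it, a dying mount accepting a new user, or the memory never being released.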
