netbsd-bugs: kern/1540: union FS botches namei/link locking protocols

Subject: kern/1540: union FS botches namei/link locking protocols
To: None <gnats-bugs@gnats.netbsd.org>
From: John Kohl <jtk@kolvir.arlington.ma.us>
List: netbsd-bugs
Date: 09/28/1995 21:31:21

>Number:         1540
>Category:       kern
>Synopsis:       union FS botches namei/link locking protocols
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 28 21:50:02 1995
>Last-Modified:
>Originator:     John Kohl
>Organization:
NetBSD Kernel Hackers `R` Us
>Release:        -current as of 1995/09/28
>Environment:
	
System: NetBSD pattern 1.0A NetBSD 1.0A (PATTERN) #136: Wed Sep 27 22:44:27 EDT 1995 jtk@pattern:/u1/NetBSD-current/src/sys/arch/i386/compile/PATTERN i386


>Description:
	The union file system botches the locking protocols between
namei and directory modification routines.  Namei returns the directory
locked, and it's supposed to remain locked until the VOP_LINK() call [or
other directory-modifying call] gets to edit the directory.

The union_link() routine unlocks and relocks the directory without
revalidating state that might have been stored in the locked directory
by the lookup routine.

This can lead to a panic of the sort:

panic: ufs_direnter2: compact2
Stopped at      _Debugger+0x4:  leave
db> tr    
_Debugger(f8119dc4,f81807bf,f9e21c74,10,f9e21d0c) at _Debugger+0x4
_panic(f81807bf) at _panic+0x3b
_ufs_direnter2(f8817d80,f9e21d30,f880e700,f8810700,f87c0500) at _ufs_direnter2+
0x2dd
_ufs_direnter(f87c0500,f8817d80,f9e21f20,f8836600,f8817d80) at _ufs_direnter+0x
91
_ufs_link(f9e21eb0,f9e21ee8,f9e21f20,f7bfd758,0) at _ufs_link+0x1b5
_union_link(f9e21ee8,f7bfd740,f8810700,8,f9e21efc) at _union_link+0x16b
_link(f8810700,f9e21f84,f9e21f7c,0,21c92) at _link+0x131
_syscall() at _syscall+0x239
--- syscall (number 9) ---
0x1003e2bf:
db> 

which arises because ufs_direnter2 expected available insertion space to
be locked in the directory.

>How-To-Repeat:
Create a union FS situation with a file "pms.c" in the underlying layer.
Go there.  then:
	ln pms.c pms.c.orig
This will probably hit the bug for you.

>Fix:
	relookup after dropping/reacquiring the directory lock if we
need to do a union_copyup.  I'll work on some code later.

>Audit-Trail:
>Unformatted: