DragonFlyBSD

On Tue, Jan 17, 2012 at 10:30:04AM -0800, Thomas Nikolajsen via Redmine wrote:

Issue #2276 has been reported by Thomas Nikolajsen.

----------------------------------------
Bug #2276: umount mfs crash - Fatal trap 12
http://bugs.dragonflybsd.org/issues/2276

Using fresh master (January 17th 2012),
umount of mfs mount crashes system.

This happens every time; core dump avail on request.

I cannot reproduce this. Can you please make the core available and write
the exact sequence of commands you use to make your system crash ?

--
Francois Tigeot

Core dump uploaded to leaf: ~thomas/crash/38

1. mount mfs file system, and umount i again
   mkdir /boot/tmp2
   mount -t mfs -o -s=655360 swap /boot/tmp2
   umount /boot/tmp2

Core dump for x86_64 uploaded to leaf: ~thomas/crash/1

Same procedure to reproduce;
here kernel crashes with trap 9.

Here's the problem:
MFS's mfs_start() routine is not like other filesystems; the userland mount_mfs enters the mfs_start routine and processes copyin/copyout requests to transfer data into its userland mmap-ed region. When it returns after either being signalled or the filesystem being unmounted, the mount structure is not valid.

Unfortunately, sys_unmount() already kfree-d the mount structure; both the accounting init and MPUNLOCK in vfs_vfsops.c:vfs_start() are not safe; they are accessing the mountpoint after it is freed.

This should be fixed by commit f39f7550bfabac2d1290b91a0e5c6c37d276bca7.