Bug 272856 - cd9660_rrip_loop() can call bread() without brelse()
Summary: cd9660_rrip_loop() can call bread() without brelse()
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-31 21:36 UTC by Robert Morris
Modified: 2023-08-08 18:14 UTC

See Also:


Attachments
a gzipped cd9660 image that causes bread() to be called w/o brelse() (17.05 KB, application/x-gzip)
2023-07-31 21:36 UTC, Robert Morris

Description Robert Morris 2023-07-31 21:36:07 UTC
Created attachment 243757
a gzipped cd9660 image that causes bread() to be called w/o brelse()

cd9660_rrip_loop() in sys/fs/cd9660/cd9660_rrip.c says:

        while (1) {
            ...;
                            || bread(ana->imp->im_devvp,
                                     ana->iso_ce_blk <<
                                     (ana->imp->im_bshift - DEV_BSHIFT),
                                     ana->imp->logical_block_size, NOCRED, &bp))
            ...;
        }
        if (bp)
                brelse(bp);

The brelse(bp) is outside the loop; if the loop bread()s twice, a
block is left locked.

I've attached a demo image:

# gunzip cd7a.iso.gz
# mdconfig cd7a.iso
# mount_cd9660 /dev/md0 /mnt
panic: userret: Returning with 1 locks held
panic() at panic+0x26
userret() at userret+0xf4
syscallret() at syscallret+0xa0
ecall_handler() at ecall_handler+0x22
do_trap_user() at do_trap_user+0xf2
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- syscall (378, FreeBSD ELF64, nmount)
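The leak pattern reported above, as an added example that is not FreeBSD's code and not the fix that landed in commit fa3cf6cdc68c: a mock of the buffer-cache ownership contract (a successful bread() hands back a locked buffer that the caller must brelse() exactly once) with two walkers over a constructed chain of Rock Ridge CE blocks. The first walker has the shape of the original cd9660_rrip_loop() (bread() inside the loop, brelse() after it); the second releases the previous iteration's buffer before reading the next block. The names mock_bread, mock_brelse, the cache array, the CE chain and the lock counter are all constructed for this example; the counter stands in for what the userret() lock check panicked on.

```c
/* Added example, not FreeBSD code: a mock buffer cache showing why a
 * brelse() outside a loop that calls bread() each iteration leaks one
 * locked buffer per extra iteration, and why an error from bread()
 * mid-chain leaks the previous buffer as well. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBLOCKS 8

struct buf {
    int b_blkno;
    int b_locked;
    int next_ce_blk;   /* constructed CE payload: next block, -1 = end */
};

static struct buf cache[NBLOCKS];   /* constructed "image" */
static int locks_held;              /* what userret()'s lock check counts */

/* Lay out blocks chain[0] -> chain[1] -> ... -> chain[n-1] -> end. */
static void
cache_init(const int *chain, int n)
{
    memset(cache, 0, sizeof(cache));
    locks_held = 0;
    for (int i = 0; i < NBLOCKS; i++) {
        cache[i].b_blkno = i;
        cache[i].next_ce_blk = -1;
    }
    for (int i = 0; i + 1 < n; i++)
        cache[chain[i]].next_ce_blk = chain[i + 1];
}

/* Mock bread(): 0 on success with a locked buffer in *bpp; non-zero with
 * *bpp = NULL on error, mirroring the real contract. */
static int
mock_bread(int blkno, struct buf **bpp)
{
    if (blkno < 0 || blkno >= NBLOCKS) {
        *bpp = NULL;
        return 1;
    }
    if (cache[blkno].b_locked) {
        /* Re-locking a buffer we still hold would deadlock for real. */
        fprintf(stderr, "deadlock: block %d already locked\n", blkno);
        abort();
    }
    cache[blkno].b_locked = 1;
    locks_held++;
    *bpp = &cache[blkno];
    return 0;
}

static void
mock_brelse(struct buf *bp)
{
    bp->b_locked = 0;
    locks_held--;
}

/* Shape of the reported code: brelse() only after the loop.
 * Returns the number of locks still held when the walk finishes. */
static int
walk_ce_chain_leaky(int first_blk)
{
    struct buf *bp = NULL;
    int blk = first_blk;

    while (blk != -1) {
        if (mock_bread(blk, &bp))   /* overwrites bp without releasing it */
            break;
        blk = bp->next_ce_blk;
    }
    if (bp)
        mock_brelse(bp);
    return locks_held;
}

/* Corrected shape: release the previous buffer before the next bread()
 * and reset bp so the final brelse() cannot double-release. */
static int
walk_ce_chain_fixed(int first_blk)
{
    struct buf *bp = NULL;
    int blk = first_blk;

    while (blk != -1) {
        if (bp != NULL) {
            mock_brelse(bp);
            bp = NULL;
        }
        if (mock_bread(blk, &bp))
            break;
        blk = bp->next_ce_blk;
    }
    if (bp != NULL)
        mock_brelse(bp);
    return locks_held;
}

/* Chain of n CE blocks (1..n): locks leaked by the leaky walker, or -1 if
 * the fixed walker also leaked. */
static int
leaked_locks_for_chain(int n)
{
    int chain[NBLOCKS];
    for (int i = 0; i < n; i++)
        chain[i] = i + 1;
    cache_init(chain, n);
    int leaked = walk_ce_chain_leaky(chain[0]);
    cache_init(chain, n);
    return walk_ce_chain_fixed(chain[0]) == 0 ? leaked : -1;
}

/* Error path: block 1's CE points past the end of the image, so the
 * second bread() fails and sets bp = NULL, orphaning block 1's lock. */
static int
leaked_locks_with_bad_next(void)
{
    int chain[1] = { 1 };
    cache_init(chain, 1);
    cache[1].next_ce_blk = 99;
    int leaked = walk_ce_chain_leaky(1);
    cache_init(chain, 1);
    cache[1].next_ce_blk = 99;
    return walk_ce_chain_fixed(1) == 0 ? leaked : -1;
}

int
main(void)
{
    for (int n = 1; n <= 3; n++)
        printf("chain of %d CE block(s): leaky walker leaves %d lock(s) held\n",
               n, leaked_locks_for_chain(n));
    printf("bad next pointer: leaky walker leaves %d lock(s) held\n",
           leaked_locks_with_bad_next());
    return 0;
}
```

A chain of one block behaves identically in both walkers, which is why ordinary Rock Ridge images never trip the bug; the attached image forces a second continuation read. The error-path case shows that resetting bp to NULL after release matters too: a failed bread() hands back NULL, so any buffer still referenced by bp at that point is gone for good.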
Comment 1 commit-hook freebsd_committer freebsd_triage 2023-07-31 23:58:54 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=fa3cf6cdc68cb6d6f2c440f2653258d68eae1015

commit fa3cf6cdc68cb6d6f2c440f2653258d68eae1015
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-07-31 22:55:13 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-07-31 22:55:13 +0000

    cd9660: do not leak buffers in cd9660_rrip_loop()

    Reported by:     Robert Morris <rtm@lcs.mit.edu>
    PR:     272856
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week

 sys/fs/cd9660/cd9660_rrip.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
Comment 2 commit-hook freebsd_committer freebsd_triage 2023-08-07 01:00:42 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=746c8f0cd7061bcda4bb68cb612827288459bee6

commit 746c8f0cd7061bcda4bb68cb612827288459bee6
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-07-31 22:55:13 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2023-08-07 00:48:45 +0000

    cd9660: do not leak buffers in cd9660_rrip_loop()

    PR:     272856

    (cherry picked from commit fa3cf6cdc68cb6d6f2c440f2653258d68eae1015)

 sys/fs/cd9660/cd9660_rrip.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-08-08 18:14:03 UTC
A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=2030f99a9aac92b06e16f0f21a3307df8ee90acd

commit 2030f99a9aac92b06e16f0f21a3307df8ee90acd
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-07-31 22:55:13 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-08-08 18:12:29 +0000

    cd9660: do not leak buffers in cd9660_rrip_loop()

    PR:     272856

    (cherry picked from commit fa3cf6cdc68cb6d6f2c440f2653258d68eae1015)
    (cherry picked from commit 746c8f0cd7061bcda4bb68cb612827288459bee6)

 sys/fs/cd9660/cd9660_rrip.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)