Bug 148687

Summary:

[geom] gpart prints invalid partition number when destroying uncommitted slice/partition.

Product:

Base System

Reporter:

Rebecca Cran <bcran>

Component:

kern

Assignee:

Andrey V. Elsukov <ae>

Status:

Closed FIXED

Severity:

Affects Only Me

Priority:

Normal

Version:

Unspecified

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
gpart.log	none
g_part.diff	none

Description Rebecca Cran freebsd_committer

2010-07-16 18:40:07 UTC

	After using the feature which allows the creation of slices and 
partitions to be undone within gpart, deleting a freebsd partition results in 
geom printing a large negative number instead of "1".

How-To-Repeat: gpart create -s mbr -f x da0
gpart add -t freebsd -f x da0
gpart create -s bsd -f x da0s1
gpart destroy da0s1
gpart delete -i 1 da0

A log of the output is attached.

Comment 1 Bruce Cran freebsd_committer

2010-07-16 19:14:58 UTC

State Changed
From-To: open->open

This actually appears to be kernel memory corruption: soon afterwards  
I found that gpart was crashing with a segmentation fault and I then  
got a panic, apparently within bcopy called from the ipi nmi handler. 
After rebooting I found that the first few sectors of the disk had  
been overwritten with the contents of random files from my main disk. 
found that contents from some scripts were on da0.

Comment 2 Bruce Cran freebsd_committer

2010-07-16 19:20:10 UTC

Responsible Changed
From-To: freebsd-bugs->freebsd-geom

Geom PR.

Comment 3 Andrey V. Elsukov freebsd_committer

2010-07-17 07:36:28 UTC

Responsible Changed
From-To: freebsd-geom->ae

Take.

Comment 4 Andrey V. Elsukov 2010-07-17 08:08:55 UTC

Hi, Bruce

can you test following patch?

-- 
WBR, Andrey V. Elsukov

Comment 5 Andrey V. Elsukov freebsd_committer

2010-07-19 15:53:59 UTC

State Changed
From-To: open->feedback

feedback requested.

Comment 6 Rebecca Cran freebsd_committer

2010-07-21 17:02:11 UTC

On Sat, 17 Jul 2010 11:08:55 +0400
"Andrey V. Elsukov" <bu7cher@yandex.ru> wrote:

> can you test following patch?

For some reason I'm unable to replicate the problem now, with a new
build of sources from HEAD without the patch.

-- 
Bruce

Comment 7 dfilter service freebsd_committer

2010-07-23 07:30:16 UTC

Author: ae
Date: Fri Jul 23 06:30:01 2010
New Revision: 210401
URL: http://svn.freebsd.org/changeset/base/210401

Log:
  Prevent access after free to table entry in case when
  user deletes partition that not yet created (changes doesn't
  committed to disk).
  
  PR:		148687
  Approved by:	mav (mentor)
  MFC after:	7 days

Modified:
  head/sys/geom/part/g_part.c

Modified: head/sys/geom/part/g_part.c
==============================================================================
--- head/sys/geom/part/g_part.c	Fri Jul 23 06:01:30 2010	(r210400)
+++ head/sys/geom/part/g_part.c	Fri Jul 23 06:30:01 2010	(r210401)
@@ -830,14 +830,6 @@ g_part_ctl_delete(struct gctl_req *req, 
 		entry->gpe_pp = NULL;
 	}
 
-	if (entry->gpe_created) {
-		LIST_REMOVE(entry, gpe_entry);
-		g_free(entry);
-	} else {
-		entry->gpe_modified = 0;
-		entry->gpe_deleted = 1;
-	}
-
 	if (pp != NULL)
 		g_wither_provider(pp, ENXIO);
 
@@ -850,6 +842,14 @@ g_part_ctl_delete(struct gctl_req *req, 
 		gctl_set_param(req, "output", sbuf_data(sb), sbuf_len(sb) + 1);
 		sbuf_delete(sb);
 	}
+
+	if (entry->gpe_created) {
+		LIST_REMOVE(entry, gpe_entry);
+		g_free(entry);
+	} else {
+		entry->gpe_modified = 0;
+		entry->gpe_deleted = 1;
+	}
 	return (0);
 }
 
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

Comment 8 Andrey V. Elsukov freebsd_committer

2010-07-23 07:39:47 UTC

State Changed
From-To: feedback->patched

Patched in HEAD.

Comment 9 dfilter service freebsd_committer

2010-07-30 08:31:11 UTC

Author: ae
Date: Fri Jul 30 07:30:57 2010
New Revision: 210634
URL: http://svn.freebsd.org/changeset/base/210634

Log:
  MFC r210401:
    Prevent access after free to table entry in case when
    user deletes partition that not yet created (changes doesn't
    committed to disk).
  
    PR:		148687
  
  Approved by:	mav (mentor)

Modified:
  stable/8/sys/geom/part/g_part.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)
  stable/8/sys/dev/xen/xenpci/   (props changed)

Modified: stable/8/sys/geom/part/g_part.c
==============================================================================
--- stable/8/sys/geom/part/g_part.c	Fri Jul 30 06:06:33 2010	(r210633)
+++ stable/8/sys/geom/part/g_part.c	Fri Jul 30 07:30:57 2010	(r210634)
@@ -829,14 +829,6 @@ g_part_ctl_delete(struct gctl_req *req, 
 		entry->gpe_pp = NULL;
 	}
 
-	if (entry->gpe_created) {
-		LIST_REMOVE(entry, gpe_entry);
-		g_free(entry);
-	} else {
-		entry->gpe_modified = 0;
-		entry->gpe_deleted = 1;
-	}
-
 	if (pp != NULL)
 		g_wither_provider(pp, ENXIO);
 
@@ -849,6 +841,14 @@ g_part_ctl_delete(struct gctl_req *req, 
 		gctl_set_param(req, "output", sbuf_data(sb), sbuf_len(sb) + 1);
 		sbuf_delete(sb);
 	}
+
+	if (entry->gpe_created) {
+		LIST_REMOVE(entry, gpe_entry);
+		g_free(entry);
+	} else {
+		entry->gpe_modified = 0;
+		entry->gpe_deleted = 1;
+	}
 	return (0);
 }
 
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

Comment 10 Andrey V. Elsukov freebsd_committer

2010-07-30 09:03:22 UTC

State Changed
From-To: patched->closed

Merged to stable/8.