Hi! Imagine the following: You have a corrupt file (so that you can open it, but when you try reading from it, it returns EIO). Pretty common with crappy optical media. You try "mdconfig -a -t vnode" on it. This will lead to a call to xmdioctl() such that mdio->md_type is MD_VNODE. So you get the following call chain: xmdioctl -> mdcreate_vnode -> mdsetcred -> VOP_READ VOP_READ returns EIO. This error value will be propagated to mdcreate_vnode, who will then feel like vn_close-ing the vnode, and propagate the error further. Now we got back to xmdioctl, who will call for mddestroy because of the error. mddestroy still sees the vnode, and will vn_close it again. This will yield a "negative refcount" panic. Two different ideas for fixing this: 1. Don't vn_close in mdcreate_vnode when there is an error. 2. Not just vn_close in mdcreate_vnode upon error but also nullify the sc->vnode field. I attach two patches, they realize the above ideas, respectively. Note that I didn't test either. Regards, Csaba
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:48 UTC