[issue1777] vn panic: Freeing already free credential! 0xdef403f8

Sat Jun 5 15:14:39 PDT 2010

On Sat, Jun 05, 2010 at 12:26:47PM -0700, Matthew Dillon wrote:
> 
> :The vn structure appears to NOT be corrupt.  Seems like a race if
> :vn->sc_cred goes from NULL to non-NULL between frame 6 and 5.  Could
> :this be related to my recent link_elf change (setting p to proc0 if p
> :is NULL)?
> :
> :Joe
> 
>     Hmm.  If devfs is racing access to that field then try changing the
>     vnsetcred() code around a bit to this:
> 
> 	struct ucred *ocred
> 	...
> 
> 
>         /*
>          * Set credits in our softc
>          */
>         ocred = vn->sc_cred;
>         vn->sc_cred = crdup(cred);
>         if (ocred)
>                 crfree(ocred);
> 
>     If the race is more involved then that (assuming it is a race), we
>     may have to call crhold() and friends whenever we use vn->sc_cred.
> 

Sam,

Please try this patch.  I was able to vnconfig a file following the
vkernel manpage without a panic.  This isn't likely a long term
solution but will hopefully allow you to proceed with your GSoC work
in a vkernel.  If you see this panic again let me know and I'll work
on implementing the crhold() et al. calls as Matt suggested.

Thanks,
Joe

diff --git a/sys/dev/disk/vn/vn.c b/sys/dev/disk/vn/vn.c
index 95bcf44..9f45281 100644
--- a/sys/dev/disk/vn/vn.c
+++ b/sys/dev/disk/vn/vn.c
@@ -697,7 +697,7 @@ vnsetcred(struct vn_softc *vn, struct ucred *cred)
 	 * Set credits in our softc
 	 */
 
-	if (vn->sc_cred)
+	if (vn->sc_cred && vn->sc_cred->cr_ref > 0)
 		crfree(vn->sc_cred);
 	vn->sc_cred = crdup(cred);
 


