From e823ddb3b0703e034615fc8c62fdec0d5924e649 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Tue, 27 Jan 2015 22:14:26 +0100
Subject: [PATCH] devmnt: handle rpc buffer exhaustion on mntflushalloc()
this bug happens when the kernel runs out of mount rpc buffers when allocating a flush rpc. in this case, mntflushalloc() will errorjump out of mountio() leaving the currently in flight rpc in the mount. the caller of mountrpc()/mountio() frees the rpc thats still queued in the mount leaving to interesting results. for the fix, we add a waserror() arround mntflushalloc() and handle the error case like a mount rpc failure which will properly dequeue the rpc's in flight.
---
 sys/src/9/port/devmnt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/src/9/port/devmnt.c b/sys/src/9/port/devmnt.c
index 9c3470068..5ed55b3fb 100644
--- a/sys/src/9/port/devmnt.c
+++ b/sys/src/9/port/devmnt.c
@@ -774,7 +774,7 @@ mountio(Mnt *m, Mntrpc *r)
 while(waserror()) {
 if(m->rip == up)
 mntgate(m);
- if(strcmp(up->errstr, Eintr) != 0){
+ if(strcmp(up->errstr, Eintr) != 0 || waserror()){
 r = mntflushfree(m, r);
 switch(r->request.type){
 case Tremove:
@@ -786,6 +786,7 @@ mountio(Mnt *m, Mntrpc *r)
 nexterror();
 }
 r = mntflushalloc(r, m->msize);
+ poperror();
 }
 lock(m);
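Review bot: The `waserror()` added as the right operand of `||` in the first hunk pushes an error label only when the pending error is Eintr, and its matching `poperror()` sits in the second hunk after `mntflushalloc()`, so the pairing is easy to break in a later edit. A comment above the condition would make the intent explicit, for example `/* waserror() guards mntflushalloc() below; on failure fall into the cleanup so the in-flight rpc is dequeued before the caller frees it */`. Because the cleanup branch now also runs when the flush allocation fails, it is worth confirming that the `switch` on `r->request.type`, whose body lies partly between the two hunks, behaves as intended when `up->errstr` holds the allocation error rather than the original one. mountio() begins and ends outside the hunks.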