Subject: Re: ccd(4): kernel memory corruption?
To: None <email@example.com>
From: Quentin Garnier <firstname.lastname@example.org>
Date: 06/26/2007 12:59:36
Content-Type: text/plain; charset=us-ascii
On Tue, Jun 26, 2007 at 12:04:10PM +0200, Jukka Salmi wrote:
> Note the strange characters where I would have expected "/dev/wd1e".
> I added some debug printfs to ccdioctl() in sys/dev/ccd.c and noticed
> that *(ccio->ccio_disks+1) is NULL even if ccio->ccio_ndisks is 2,
> causing cpp to contain garbage, but I'm not familiar with kernel
> code to find the problem.
This is a nice bug. What ccdioctl does wrong is passing cpp[i] to
dk_lookup, because it's a userspace pointer and dk_lookup does ND_INIT()
on it with UIO_SYSSPACE. My tentative explanation is that the kernel
sometimes sleeps when resolving the first name, and when it comes back,
the userspace is different and UIO_SYSSPACE will not have the effect of
having the relevant pages replaced with the correct ones. And as those
pointers come from argv, they're unlikely to ever fault. I might be
completely wrong about how the second component is corrupted, but the
UIO_SYSSPACE part is a bug nonetheless.
There are 3 users of dk_lookup: ccd, cgd and raidframe. cgd is in the
same situation as ccd, I'm unsure about raidframe.
If you don't use the latter, can you try simply changing UIO_SYSSPACE
into UIO_USERSPACE in dev/dksubr.c:dk_lookup()?
Quentin Garnier - email@example.com - cube@NetBSD.org
"You could have made it, spitting out benchmarks
Owe it to yourself not to fail"
Amplifico, Spitting Out Benchmarks, Hometakes Vol. 2, 2005.
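As an added illustration, not NetBSD's code and not the change Quentin proposes: a user-space C model of the pattern an ioctl handler should follow when it receives an array of user pointers to path names, bringing every pointer and every string into kernel memory before any name lookup. copyin()/copyinstr() here are simplified stand-ins for the kernel primitives (they fault only on NULL), and CCD_MAXNDISKS is a constructed bound.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATHLEN 1024
#define CCD_MAXNDISKS 64 /* constructed upper bound, not from the thread */

/* Stand-in for the kernel copyin(); this model only faults on NULL. */
static int copyin(const void *uaddr, void *kaddr, size_t len)
{
	if (uaddr == NULL) return EFAULT;
	memcpy(kaddr, uaddr, len);
	return 0;
}

/* Stand-in for copyinstr(): bounded copy, ENAMETOOLONG if no NUL fits. */
static int copyinstr(const char *uaddr, char *kaddr, size_t len)
{
	if (uaddr == NULL) return EFAULT;
	const char *end = memchr(uaddr, '\0', len);
	if (end == NULL) return ENAMETOOLONG;
	memcpy(kaddr, uaddr, (size_t)(end - uaddr) + 1);
	return 0;
}

void free_paths(char **paths, unsigned n)
{
	for (unsigned i = 0; paths != NULL && i < n; i++) free(paths[i]);
	free(paths);
}

/* Copy the ndisks user pointers, then each path string, into kernel memory.
 * User addresses are dereferenced only via copyin/copyinstr, so a NULL second
 * entry (as in the report) yields EFAULT instead of a kernel-space lookup on
 * garbage.  On success the caller frees *out with free_paths(). */
int ccd_copyin_paths(char **user_disks, unsigned ndisks, char ***out)
{
	*out = NULL;
	if (ndisks == 0 || ndisks > CCD_MAXNDISKS) return EINVAL;
	char **uptrs = calloc(ndisks, sizeof *uptrs);
	char **kpaths = calloc(ndisks, sizeof *kpaths);
	int error = (uptrs && kpaths) ? copyin(user_disks, uptrs, ndisks * sizeof *uptrs) : ENOMEM;
	for (unsigned i = 0; error == 0 && i < ndisks; i++) {
		if ((kpaths[i] = malloc(MAXPATHLEN)) == NULL) error = ENOMEM;
		else error = copyinstr(uptrs[i], kpaths[i], MAXPATHLEN);
	}
	free(uptrs);
	if (error != 0) { free_paths(kpaths, ndisks); return error; }
	*out = kpaths;
	return 0;
}
```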