Subject: Re: ccd(4): kernel memory corruption?
To: None <>
From: Quentin Garnier <>
List: current-users
Date: 06/26/2007 12:59:36

On Tue, Jun 26, 2007 at 12:04:10PM +0200, Jukka Salmi wrote:
> Note the strange characters where I would have expected "/dev/wd1e".
> I added some debug printfs to ccdioctl() in sys/dev/ccd.c and noticed
> that *(ccio->ccio_disks+1) is NULL even if ccio->ccio_ndisks is 2,
> causing cpp[1] to contain garbage, but I'm not familiar with kernel
> code to find the problem.

This is a nice bug.  What ccdioctl does wrong is passing cpp[i] to
dk_lookup, because it's a userspace pointer and dk_lookup does ND_INIT()
on it with UIO_SYSSPACE.  My tentative explanation is that the kernel
sometimes sleeps when resolving the first name, and when it comes back,
the userspace is different and UIO_SYSSPACE will not have the effect of
having the relevant pages replaced with the correct ones.  And as those
pointers come from argv[], they're unlikely to ever fault.  I might be
completely wrong about how the second component is corrupted, but the
UIO_SYSSPACE part is a bug nonetheless.

There are 3 users of dk_lookup:  ccd, cgd and raidframe.  cgd is in the
same situation as ccd, I'm unsure about raidframe.

If you don't use the latter, can you try simply changing UIO_SYSSPACE
into UIO_USERSPACE in dev/dksubr.c:dk_lookup()?

Quentin Garnier - -
"You could have made it, spitting out benchmarks
Owe it to yourself not to fail"
Amplifico, Spitting Out Benchmarks, Hometakes Vol. 2, 2005.
