netbsd-bugs: kern/29724: deadbeaf dereference in flush_inodedep

Subject: kern/29724: deadbeaf dereference in flush_inodedep_deps
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <yamt@mwd.biglobe.ne.jp>
List: netbsd-bugs
Date: 03/17/2005 14:33:00

>Number:         29724
>Category:       kern
>Synopsis:       deadbeaf dereference in flush_inodedep_deps
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 17 14:33:00 +0000 2005
>Originator:     YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
>Release:        NetBSD 2.99.16
>Organization:

>Environment:
	
	
System: NetBSD kaeru 2.99.16 NetBSD 2.99.16 (build.kaeru.nodebug) #9: Thu Mar 17 21:57:50 JST 2005 takashi@kaeru:/home/takashi/work/kernel/build.kaeru.nodebug i386
Architecture: i386
Machine: i386
>Description:
	i got the following on my nfs server.

	it seems "adp" got deadbeaf, when iterating inodedep->id_inoupdt
	in flush_inodedep_deps.

uvm_fault(0xc08645c0, 0xdeadb000, 0, 1) -> 0xe
kernel: page fault trap, code=0
Stopped in pid 109.1 (nfsd) at  netbsd:flush_inodedep_deps+0xd4:        testb   $
0x8,0xc(%ebx)
db{1}> bt
flush_inodedep_deps(c1f94800,4c8bbb,cc59fa9c,c0329c12,c07fcab0,0,cc59fa9c) at ne
tbsd:flush_inodedep_deps+0xd4
softdep_sync_metadata(cc59fb94,c079fc00,1aa,286,ce26a114,0,0) at netbsd:soft
dep_sync_metadata+0x64
ffs_full_fsync(cc59fb94,4c8bbb,cc59fb7c,c032fb42,0,19a,cc59fb1c) at netbsd:f
fs_full_fsync+0x156
ffs_fsync(cc59fb94,36d863d8,c03c5a37,0,c063b4e0,ce26a114,df3b0a2c) at netbs
d:ffs_fsync+0x50
VOP_FSYNC(ce26a114,df3b0a2c,1,0,0,169,0) at netbsd:VOP_FSYNC+0x51
nfsrv_commit(df3b09a8,c309a000,cc5a956c,cc59fdc8,cc5a956c,0,1) at netbsd:nf
srv_commit+0x421
nfssvc_nfsd(cc59fe24,804a320,cc5516b8,c0807e80,cc2c33f8,cc2c16c0,cc59ff1c) a
t netbsd:nfssvc_nfsd+0x39b
sys_nfssvc(cc5516b8,cc59ff64,cc59ff5c,0,282,c07fa0c4,0) at netbsd:sys_nfssv
c+0x362
syscall_plain() at netbsd:syscall_plain+0xa0
--- syscall (number 155) ---
0xbdb56a8b:
db{1}> sh r
ds          0x10
es          0x10
fs          0x30
gs          0x10
edi         0x2
esi         0
ebp         0xcc59fa5c
ebx         0xdeadbeef
edx         0
ecx         0xc15ad800
eax         0xce18ec10
eip         0xc032a118  flush_inodedep_deps+0xd4
cs          0x8
eflags      0x10282
esp         0xcc59fa44
ss          0x10
netbsd:flush_inodedep_deps+0xd4:        testb   $0x8,0xc(%ebx)

>How-To-Repeat:
>Fix:

>Unformatted: