NetBSD-Bugs archive


kern/39155: Invalid parameter to turnstile_exit in rw_downgrade

>Number:         39155
>Category:       kern
>Synopsis:       Invalid parameter to turnstile_exit in rw_downgrade
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 16 17:05:00 +0000 2008
>Originator:     Wolfgang Solfrank
>Release:        NetBSD 4.99.62
Tools GmbH
System: NetBSD 4.99.62 NetBSD 4.99.62 (sdsl1) #2: Wed Jul 16 17:42:32 MEST 2008 i386
Architecture: i386
Machine: i386

The two calls to turnstile_exit in rw_downgrade in file kern_rwlock.c
supply invalid parameters to that routine.


As rw_downgrade is used rather rarely in the current kernel,
you can provoke the fault by applying the patches in PR 38456.
Once in a while you'll suffer from a panic like this:

Begin traceback...
lockdebug_abort1(c0d43700,c0d46620,c0a15513,c0a15525,1) at 
lockdebug_abort(c0d3c200,c0c84d64,c0a15513,c0a15525,0) at 
mutex_abort(c0d3c200,c0a15513,c0a15525,0,0) at netbsd:mutex_abort+0x42
mutex_vector_exit(c0d3c200,cf81026f,1b,cf810260,cf661928) at 
turnstile_exit(cf661928,cf81026f,1b,0,0) at netbsd:turnstile_exit+0x25
rw_downgrade(c0d2ecc0,c0c84ae0,1,18,bfbfe47c) at netbsd:rw_downgrade+0x252
ipf_findtoken(5,64,cf810260,c034725c,5) at netbsd:ipf_findtoken+0x148
fr_state_ioctl(cf873c34,c034725c,1,64,cf810260) at netbsd:fr_state_ioctl+0x43f
fr_ioctlswitch(2,cf873c34,c034725c,1,64) at netbsd:fr_ioctlswitch+0xc8
iplioctl(2c02,c034725c,cf873c34,1,cf810260) at netbsd:iplioctl+0x141
cdev_ioctl(2c02,c034725c,cf873c34,1,cf810260) at netbsd:cdev_ioctl+0x6d
spec_ioctl(cf873adc,cf810260,c0a222c0,cf30c250,c034725c) at 
VOP_IOCTL(cf30c250,c034725c,cf873c34,1,cf601180) at netbsd:VOP_IOCTL+0x6d
vn_ioctl(cf6e1bc0,c034725c,cf873c34,34,0) at netbsd:vn_ioctl+0x234
sys_ioctl(cf810260,cf873d04,cf873cfc,cf873d00,c0561d90) at 
syscall(cf873d48,b3,ab,1f,bfbf001f) at netbsd:syscall+0x16a
End traceback...

Index: kern_rwlock.c
RCS file: /cvsroot/src/sys/kern/kern_rwlock.c,v
retrieving revision 1.22
diff -u -r1.22 kern_rwlock.c
--- kern_rwlock.c       28 Apr 2008 20:24:03 -0000      1.22
+++ kern_rwlock.c       16 Jul 2008 16:19:11 -0000
@@ -638,7 +638,7 @@
                        new = RW_READ_INCR | RW_HAS_WAITERS | RW_WRITE_WANTED;
                        next = rw_cas(rw, owner, new);
-                       turnstile_exit(ts);
+                       turnstile_exit(rw);
                        if (__predict_true(next == owner))
                } else {
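
Review bot: the corrected call after rw_cas(rw, owner, new) carries no comment saying why it takes rw, and the wrong argument was already in revision 1.22, so the compiler did not reject it and nothing stops it from being reintroduced. turnstile_exit() takes the lock object the turnstile was looked up by, not the turnstile_t pointer, and a one-line comment at this call (or a sentence in the report) saying so would make the fix self-explanatory. The traceback fits that reading: mutex_abort is reached from mutex_vector_exit called by turnstile_exit, which is what releasing a chain mutex selected from the wrong address would look like.
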
@@ -658,7 +658,7 @@
                                turnstile_wakeup(ts, TS_READER_Q, rcnt, NULL);
-                       turnstile_exit(ts);
+                       turnstile_exit(rw);
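
Review bot: in this hunk turnstile_wakeup(ts, TS_READER_Q, rcnt, NULL) and turnstile_exit(rw) now sit on adjacent lines with different first arguments, which is correct but looks like an inconsistency to the next reader. A short comment noting that the wakeup operates on the turnstile while the exit is keyed by the lock address would prevent a well-meant revert. The report says only the two calls in rw_downgrade are affected; it would help to state that the remaining turnstile_exit callers in kern_rwlock.c were checked and already pass rw.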
