Re: kern/38889

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,ad%netbsd.org@localhost
Subject: Re: kern/38889
From: Martin Husemann <martin%duskware.de@localhost>
Date: Sun, 20 May 2012 19:25:02 +0000 (UTC)

The following reply was made to PR kern/38889; it has been noted by GNATS.

From: Martin Husemann <martin%duskware.de@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/38889
Date: Sun, 20 May 2012 21:23:42 +0200

 The specnode is apparently overwritten by uvm_ra_request(), which is called
 from uvm_get (sys/uvm/uvm_vnode.c:174):

         if ((access_type & VM_PROT_WRITE) == 0 && (flags & PGO_LOCKED) == 0) {
                 vn_ra_allocctx(vp);
                 uvm_ra_request(vp->v_ractx, advice, uobj, offset,
                     *npagesp << PAGE_SHIFT);
         }

 While vn_ra_allcoctx() tests for vp->v_type == VREG, uvm_ra_request does
 not. In this case v_ractx (overlaid via a union) is the same pointer as
 v_specnode, and uvm_ra_request has no chance to check for the vnode type
 any more.

 It is not obvious to me if the damage happens right in uvm_ra_request or
 later during the read handling, but this seems to be the start of it all.
 The test program does not trigger the bug any more, if the access to the 
 mmaped pages is commented out, and I verified nothing in miscfs/specfs is
 overwriting the value inside the specnode.

 Chuck?

 Martin

Prev by Date: Re: port-sparc64/46461: Sun E450 drops to DDB on boot of 6.0_BETA
Next by Date: Re: kern/38889
Previous by Thread: Re: kern/38889
Next by Thread: Re: kern/38889
Indexes:

Home | Main Index | Thread Index | Old Index