NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: kern/38889

The following reply was made to PR kern/38889; it has been noted by GNATS.

From: Martin Husemann <>
Subject: Re: kern/38889
Date: Sun, 20 May 2012 21:23:42 +0200

 The specnode is apparently overwritten by uvm_ra_request(), which is called
 from uvm_get (sys/uvm/uvm_vnode.c:174):
         if ((access_type & VM_PROT_WRITE) == 0 && (flags & PGO_LOCKED) == 0) {
                 uvm_ra_request(vp->v_ractx, advice, uobj, offset,
                     *npagesp << PAGE_SHIFT);
 While vn_ra_allcoctx() tests for vp->v_type == VREG, uvm_ra_request does
 not. In this case v_ractx (overlaid via a union) is the same pointer as
 v_specnode, and uvm_ra_request has no chance to check for the vnode type
 any more.
 It is not obvious to me if the damage happens right in uvm_ra_request or
 later during the read handling, but this seems to be the start of it all.
 The test program does not trigger the bug any more, if the access to the 
 mmaped pages is commented out, and I verified nothing in miscfs/specfs is
 overwriting the value inside the specnode.

Home | Main Index | Thread Index | Old Index