Subject: bugs introduced by ktrace-lwp merge
To: None <tech-kern@netbsd.org>
From: Pavel Cahyna <pcah8322@artax.karlin.mff.cuni.cz>
List: tech-kern
Date: 01/14/2006 23:45:24
Hello,

I noticed that the ktrace-lwp merge changed semantics in a probably
unexpected way at least for files:

arch/x86/x86/bus_dma.c
fs/msdosfs/msdosfs_vnops.c
ufs/ext2fs/ext2fs_readwrite.c

Before, the code carefully validated uio->uio_procp if it is not NULL
before dereferencing it. Now, the code does p = uio->uio_lwp->l_proc
instead, which can dereference a NULL uio->uio_lwp without checking. (I
assume that the semantics of NULL uio_lwp is the same as for NULL
uio_procp before.)

See also the thread "ext2fs_write crashing" for actual bug reports against
ext2fs and msdosfs.

I don't know yet how the change in arch/x86/x86/bus_dma.c would be triggered.

I propose the following (untested - I don't use -current much) patch.

Pavel Cahyna

Index: arch/x86/x86/bus_dma.c
===================================================================
RCS file: /home/pavel/cvs/src/sys/arch/x86/x86/bus_dma.c,v
retrieving revision 1.27
diff -u -u -r1.27 bus_dma.c
--- arch/x86/x86/bus_dma.c	24 Dec 2005 20:07:42 -0000	1.27
+++ arch/x86/x86/bus_dma.c	14 Jan 2006 22:27:50 -0000
@@ -946,7 +946,7 @@
 	int i;
 
 	iov = uio->uio_iov;
-	p = uio->uio_lwp->l_proc;
+	p = uio->uio_lwp ? uio->uio_lwp->l_proc : NULL;
 	cp = buf;
 	resid = n;
 
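Review bot: The ternary restores the pre-merge NULL semantics at the point where p is assigned, but this hunk does not show where p is consumed; confirm that the code further down in this function still tolerates p == NULL (as it did when it validated uio_procp), otherwise the fault only moves from this line to the first use of p. Since the cover mail says the patch is untested, exercising this path once with a kernel-originated uio (uio_lwp == NULL) before commit would settle it, and a one-line comment here stating that a NULL uio_lwp means "not on behalf of a process" would make the intent clear to the next reader.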
Index: fs/msdosfs/msdosfs_vnops.c
===================================================================
RCS file: /home/pavel/cvs/src/sys/fs/msdosfs/msdosfs_vnops.c,v
retrieving revision 1.24
diff -u -u -r1.24 msdosfs_vnops.c
--- fs/msdosfs/msdosfs_vnops.c	11 Dec 2005 12:24:25 -0000	1.24
+++ fs/msdosfs/msdosfs_vnops.c	14 Jan 2006 22:27:50 -0000
@@ -561,7 +561,7 @@
 	vsize_t bytelen;
 	off_t oldoff;
 	struct uio *uio = ap->a_uio;
-	struct proc *p = uio->uio_lwp->l_proc;
+	struct proc *p = uio->uio_lwp ? uio->uio_lwp->l_proc : NULL;
 	struct vnode *vp = ap->a_vp;
 	struct denode *dep = VTODE(vp);
 	struct msdosfsmount *pmp = dep->de_pmp;
Index: ufs/ext2fs/ext2fs_readwrite.c
===================================================================
RCS file: /home/pavel/cvs/src/sys/ufs/ext2fs/ext2fs_readwrite.c,v
retrieving revision 1.40
diff -u -u -r1.40 ext2fs_readwrite.c
--- ufs/ext2fs/ext2fs_readwrite.c	11 Dec 2005 12:25:25 -0000	1.40
+++ ufs/ext2fs/ext2fs_readwrite.c	14 Jan 2006 22:29:13 -0000
@@ -281,7 +281,7 @@
 	 * Maybe this should be above the vnode op call, but so long as
 	 * file servers have no limits, I don't think it matters.
 	 */
-	p = uio->uio_lwp->l_proc;
+	p = uio->uio_lwp ? uio->uio_lwp->l_proc : NULL;
 	if (vp->v_type == VREG && p &&
 	    uio->uio_offset + uio->uio_resid >
 	    p->p_rlimit[RLIMIT_FSIZE].rlim_cur) {
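Review bot: This site is internally consistent: the condition on the following lines already tests `p &&` before reading p_rlimit, so with the ternary a NULL uio_lwp now skips the RLIMIT_FSIZE check instead of faulting. That silently exempts writes carrying no lwp from the file-size limit; it matches the pre-merge uio_procp behaviour the cover mail describes and the comment above about file servers having no limits, but since the thread "ext2fs_write crashing" reports a reproducible crash, this is the hunk worth verifying against that report before the patch goes in.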
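The following is an added example, not part of the mail above and not NetBSD source: a cut-down C model of the ext2fs_write() RLIMIT_FSIZE check quoted in the last hunk, with the post-merge lookup (unchecked uio_lwp dereference) beside the patched one. The struct proc, struct lwp and struct uio definitions, the fsize_cur field and the three demo_* functions are simplified stand-ins constructed for this demonstration; they are not the kernel's definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not NetBSD source: a cut-down model of the RLIMIT_FSIZE
 * check in ext2fs_write() quoted in the patch. struct proc, struct lwp,
 * struct uio and the fsize_cur field are simplified stand-ins for the
 * kernel's definitions, constructed only for this demonstration.
 */

struct proc {
    long long fsize_cur;   /* stands in for p_rlimit[RLIMIT_FSIZE].rlim_cur */
};

struct lwp {
    struct proc *l_proc;
};

struct uio {
    struct lwp *uio_lwp;   /* NULL when the I/O is not issued for a process */
    long long uio_offset;
    long long uio_resid;
};

enum vtype { VNON, VREG, VDIR };

/* Post-merge form: dereferences uio_lwp unconditionally; NULL faults here. */
static struct proc *uio_proc_postmerge(const struct uio *uio)
{
    return uio->uio_lwp->l_proc;
}

/* Patched form: NULL uio_lwp yields NULL proc, as NULL uio_procp used to. */
static struct proc *uio_proc_patched(const struct uio *uio)
{
    return uio->uio_lwp ? uio->uio_lwp->l_proc : NULL;
}

/*
 * Mirror of the ext2fs_write() limit test: regular files only, and only
 * when a process (and thus a limit) is attached. Returns 0 or EFBIG.
 */
static int fsize_check(const struct proc *p, const struct uio *uio, enum vtype type)
{
    if (type == VREG && p != NULL &&
        uio->uio_offset + uio->uio_resid > p->fsize_cur)
        return EFBIG;
    return 0;
}

/* A user write that would cross its 100-byte limit: both lookups agree. */
static int demo_user_over_limit(void)
{
    struct proc p = { .fsize_cur = 100 };
    struct lwp l = { .l_proc = &p };
    struct uio uio = { .uio_lwp = &l, .uio_offset = 90, .uio_resid = 20 };
    int a = fsize_check(uio_proc_postmerge(&uio), &uio, VREG);
    int b = fsize_check(uio_proc_patched(&uio), &uio, VREG);
    return (a == b) ? a : -1;
}

/* Same write, but ending exactly at the limit: not an error. */
static int demo_user_at_limit(void)
{
    struct proc p = { .fsize_cur = 100 };
    struct lwp l = { .l_proc = &p };
    struct uio uio = { .uio_lwp = &l, .uio_offset = 90, .uio_resid = 10 };
    return fsize_check(uio_proc_patched(&uio), &uio, VREG);
}

/*
 * Kernel-originated write with no lwp. Only the patched lookup is safe
 * on this input; uio_proc_postmerge() would dereference NULL here.
 */
static int demo_kernel_io(void)
{
    struct uio uio = { .uio_lwp = NULL, .uio_offset = 90, .uio_resid = 20 };
    return fsize_check(uio_proc_patched(&uio), &uio, VREG);
}

int main(void)
{
    printf("user write past limit: %d (EFBIG=%d)\n", demo_user_over_limit(), EFBIG);
    printf("user write at limit:   %d\n", demo_user_at_limit());
    printf("kernel write, no lwp:  %d\n", demo_kernel_io());
    return 0;
}
```

The point the model makes visible is the one the patch relies on: with the NULL check in place, a uio that carries no lwp is not an error but an I/O with no process-level file-size limit to enforce, which is the same outcome the pre-merge uio_procp test produced.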