Current-Users archive


breakage in kern_event.c

Rev 1.90 seems to have introduced the following panic - easily reproducible by executing "cd /usr/tests/kernel/kqueue ; atf-run t_proc2"

Here's the result:
kernel/kqueue/t_proc2 (67/699): 1 test cases
    proc2: uvm_fault(0xfffffe803f52d178, 0x0, 1) -> e
fatal page fault in supervisor mode
trap type 6 code 0 rip 0xffffffff809350b1 cs 0x8 rflags 0x202 cr2 0x40 ilevel 0 rsp 0xfffffe800386cc60
curlwp 0xfffffe803fa4f5a0 pid 6224.1 lowest kstack 0xfffffe80038692c0
panic: trap
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x140
snprintf() at netbsd:snprintf
trap() at netbsd:trap+0xc6b
--- trap (number 6) ---
kqueue_register() at netbsd:kqueue_register+0x45a
filt_proc() at netbsd:filt_proc+0x154
knote() at netbsd:knote+0x40
fork1() at netbsd:fork1+0x670
sys_fork() at netbsd:sys_fork+0x32
syscall() at netbsd:syscall+0x1d8
--- syscall (number 2) ---
cpu0: End traceback...

A quick check shows that rev 1.90 replaced

 				printf("%s: event not supported for file type"
 				    " %d\n", __func__, fp ? fp->f_type : -1);

with

 				printf("%s: event not supported for file type"
 				    " %d (error %d)\n", __func__,
 				    ((file_t *)kn->kn_obj)->f_type, error);

The intent seems to be to use the "real" fp value for finding and printing the file type.

However, it appears that kn->kn_obj is earlier initialized to fp, so if fp could be NULL, then kn->kn_obj can also be NULL. (See line 978)

The revised code no longer makes a check for NULL, so instead of just printing file type -1, it panics when dereferencing the pointer.


| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:          |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee dot com   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd dot org |
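Added example, not code from the post or from the NetBSD tree: constructed stand-ins for file_t and struct knote (only the fields needed here) show the NULL-safe lookup that the old `fp ? fp->f_type : -1` guard provided, so the diagnostic path reports -1 instead of faulting when kn_obj is NULL. The function name in the message is __func__ of the helper, not kqueue_register.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel's file_t and struct knote;
 * only the fields this example needs. */
typedef struct file {
    int f_type;
} file_t;

struct knote {
    void *kn_obj;   /* backing file_t, or NULL, just like fp */
};

/* NULL-safe lookup of the file type behind a knote.  Mirrors the
 * original "fp ? fp->f_type : -1" guard: kn_obj is initialized from
 * fp, so it can be NULL whenever fp can, and must be checked before
 * being dereferenced on the error path. */
int knote_file_type(const struct knote *kn)
{
    const file_t *fp = kn ? (const file_t *)kn->kn_obj : NULL;
    return fp ? fp->f_type : -1;
}

/* Builds the "event not supported" diagnostic into buf and returns
 * the length written; takes the NULL-safe path for the file type. */
int format_unsupported(char *buf, size_t len, const struct knote *kn,
                       int error)
{
    return snprintf(buf, len, "%s: event not supported for file type"
                    " %d (error %d)", __func__,
                    knote_file_type(kn), error);
}

int main(void)
{
    char buf[128];
    struct knote no_file = { NULL };        /* the panicking case */
    format_unsupported(buf, sizeof buf, &no_file, 22);
    printf("%s\n", buf);
    return 0;
}
```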
