kern/40688: opening /dev/ptyp1 panics

[uebayasi%tombi.co.jp@localhost]

>Number:         40688
>Category:       kern
>Synopsis:       opening /dev/ptyp1 panics
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 19 06:40:01 +0000 2009
>Originator:     Masao Uebayashi
>Release:        NetBSD 5.99.7
>Organization:
        Tombi Inc.
>Environment:
System: NetBSD  5.99.7 NetBSD 5.99.7 (GOLDTOWN) #14: Thu Feb 19 15:27:33 JST 
2009  
uebayasi%sidebeach.uebayasi.my.domain@localhost:/src/netbsd/work.tty/i386/obj/sys/arch/i386/compile/GOLDTOWN
 i386
Architecture: x86
Machine: i386
>Description:
        If I open /dev/ptyp1 with cu, kernel panics.  The cause is ptcopen()
        doesn't initialize the associated t_dev.  Later ptyioctl() calls
        ptcwakeup(), look for empty pt_softc, then NULL deref.

>How-To-Repeat:
        # type cu
        cu is /usr/bin/cu
        # ls -l /dev/ptyp1
        crw-rw-rw-  1 root  wheel  6, 1 Feb 18 16:54 /dev/ptyp1
        # cu -l /dev/ptyp1
        uvm_fault(0xcc2c0d00, 0, 1) -> 0xe
        fatal page fault in supervisor mode
        trap type 6 code 0 eip c060e032 cs 8 eflags 10286 cr2 8 ilevel 8
        panic: trap
        Begin traceback...
        uvm_fault(0xcc2c0d00, 0, 1) -> 0xe
        fatal page fault in supervisor mode
        trap type 6 code 0 eip c025b721 cs 8 eflags 10246 cr2 0 ilevel 8
        panic: trap

>Fix:
        I've not understood tty / pty.  I'd want to fix this properly. :)