kern/53850: mount(2) with MNT_UNION | MNT_UPDATE will lead to panic

[n54%gmx.com@localhost]

>Number:         53850
>Category:       kern
>Synopsis:       mount(2) with MNT_UNION | MNT_UPDATE will lead to panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 10 03:45:00 +0000 2019
>Originator:     Kamil Rytarowski
>Release:        NetBSD 8.99.30 amd64
>Organization:
TNF
>Environment:
NetBSD chieftec 8.99.30 NetBSD 8.99.30 (GENERIC) #0: Tue Jan  8 00:25:54 CET 2019  root@chieftec:/public/netbsd-root/sys/arch/amd64/compile/GENERIC amd64
>Description:
Updating a mounted partition to MNT_UNION will lead to a panic.


# ls /et[ 116.5603135] uvm_fault(0xfffffab9a2ca4cf8, 0x0, 1) -> e           
[ 116.5603135] fatal page fault in supervisor mode                              
[ 116.5603135] trap type 6 code 0 rip 0xffffffff80df7d10 cs 0x8 rflags 0x286 cr2
 0x24 ilevel 0 rsp 0xffffd88029ec8e00                                           
[ 116.5603135] curlwp 0xfffffab9a2be7600 pid 444.1 lowest kstack 0xffffd88029ec5
2c0                                                                             
kernel: page fault trap, code=0                                                 
Stopped in pid 444.1 (ksh) at   netbsd:vref+0x10:       movl    24(%rax),%eax   
db{0}> bt                                                                       
vref() at netbsd:vref+0x10                                                      
vn_readdir() at netbsd:vn_readdir+0x251                                         
sys___getdents30() at netbsd:sys___getdents30+0x96                              
sy_call() at netbsd:sy_call+-0x29911d                                           
sy_invoke() at netbsd:sy_invoke+0xd5                                            
syscall() at netbsd:syscall+0xff                                                
--- syscall (number 390) ---                                                    
731778d0310a:                                                                   
db{0}>    

https://nxr.netbsd.org/xref/src/sys/kern/vfs_vnops.c#523

    522 
    523 	if (count == auio.uio_resid && (vp->v_vflag & VV_ROOT) &&
    524 	    (vp->v_mount->mnt_flag & MNT_UNION)) {
    525 		struct vnode *tvp = vp;
    526 		vp = vp->v_mount->mnt_vnodecovered;
    527 		vref(vp);    /// <-- vp is NULLVP
    528 		mutex_enter(&fp->f_lock);
    529 		fp->f_vnode = vp;
    530 		fp->f_offset = 0;
    531 		mutex_exit(&fp->f_lock);
    532 		vrele(tvp);
    533 		goto unionread;
    534 	}
    535 	*done = count - auio.uio_resid;
    536 	return error;
    537 }
>How-To-Repeat:
#include <sys/param.h>
#include <sys/types.h>
#include <sys/mount.h>

int
main(int argc, char **argv)
{
        char A[1024];
        mount(NULL, "/", MNT_UNION | MNT_UPDATE, A, 0);
        return 0;
}

// trigger vn_readdir(), e.g. in ksh(1) <tab> completion of directories
>Fix:
N/A