NetBSD-Bugs archive
kern/55026: crash in mount(2) when mounting dk(4)
>Number: 55026
>Category: kern
>Synopsis: crash in mount(2) when mounting dk(4)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Feb 27 03:45:00 +0000 2020
>Originator: Shoichi Yamaguchi
>Release: NetBSD-8
>Organization:
Internet Initiative Japan Inc.
>Environment:
>Description:
I encountered the following uvm_fault on a NetBSD-8 host.
It seems to reference a NULL pointer that is provided in dklastclose().
09:39:26 uvm_fault(0xfffffe80a547b4e0, 0x0, 1) -> e
09:39:26 fatal page fault in supervisor mode
09:39:26 trap type 6 code 0 rip 0xffffffff80692397 cs 0x8 rflags 0x10213 cr2 0x84 ilevel 0 rsp 0xffff800056687aa0
09:39:26 curlwp 0xfffffe80a1e7a680 pid 5369.1 lowest kstack 0xffff8000566822c0
09:39:26 trapframe 0xffff8000566879b0
09:39:26 rip 0xffffffff80692397 rsp 0xffff800056687aa0 rfl 0x0000000000010213
09:39:26 rdi 0x0000000000000000 rsi 0x0000000000000000 rdx 0xffffffffffffffff
09:39:26 rcx 0x0000000000000000 r8 0xfffffe80bf25c108 r9 0x0000000000000000
09:39:26 r10 0xffffffff8cda60d0 r11 0x0000000000000000 r12 0x0000000000000000
09:39:26 r13 0xffffffffffffffff r14 0x0000000000000001 r15 0x0000000000006000
09:39:26 rbp 0xffff800056687af0 rbx 0x0000000000000000 rax 0xfffffe80bf25e008
09:39:26 cs 0x0008 ds 0x0000 es 0xfd30 fs 0x0005 gs 0x6199 ss 0x0010
09:39:26 panic: trap
09:39:26 cpu3: suspending other CPUs...
09:39:26 cpu3: suspended other CPUs...
09:39:26 cpu3: Begin traceback...
09:39:26 0x804e8c99: netbsd:db_panic+0xb6
09:39:26 0x8063b642: netbsd:vpanic+0x140
09:39:26 0x8063b6ff: netbsd:snprintf
09:39:26 0x80231302: netbsd:trap+0xa9b
09:39:26 --- trap (number 6) ---
09:39:26 0x80692397: netbsd:VOP_LOCK+0x2e
09:39:26 0x8068aca7: netbsd:vn_lock+0x11
09:39:26 0x8068b7a3: netbsd:vn_close+0x20
09:39:26 0x806a11ea: netbsd:dklastclose+0x65
09:39:26 0x806991ca: netbsd:spec_close+0x26d
09:39:26 0x80691090: netbsd:VOP_CLOSE+0x38
09:39:26 0x8057a109: netbsd:msdosfs_mount+0x367
09:39:26 0x8067f196: netbsd:VFS_MOUNT+0x51
09:39:26 0x8067ca44: netbsd:mount_domount+0x122
09:39:26 0x80681a34: netbsd:do_sys_mount+0x2b3
09:39:26 0x80681f42: netbsd:sys___mount50+0x33
09:39:26 0x8024fc21: netbsd:syscall+0x1d1
>How-To-Repeat:
>Fix:
I have checked that the following patch fixes this.
diff --git a/sys/dev/dkwedge/dk.c b/sys/dev/dkwedge/dk.c
index 150471552fb..5d6bd213680 100644
--- a/sys/dev/dkwedge/dk.c
+++ b/sys/dev/dkwedge/dk.c
@@ -1152,21 +1152,23 @@ dkopen(dev_t dev, int flags, int fmt, struct lwp *l)
static int
dklastclose(struct dkwedge_softc *sc)
{
- int error = 0, doclose;
+ struct vnode *vp;
+ int error = 0;
- doclose = 0;
+ vp = NULL;
if (sc->sc_parent->dk_rawopens > 0) {
- if (--sc->sc_parent->dk_rawopens == 0)
- doclose = 1;
+ if (--sc->sc_parent->dk_rawopens == 0) {
+ KASSERT(sc->sc_parent->dk_rawvp != NULL);
+ vp = sc->sc_parent->dk_rawvp;
+ sc->sc_parent->dk_rawvp = NULL;
+ }
}
mutex_exit(&sc->sc_parent->dk_rawlock);
mutex_exit(&sc->sc_dk.dk_openlock);
- if (doclose) {
- KASSERT(sc->sc_parent->dk_rawvp != NULL);
- dk_close_parent(sc->sc_parent->dk_rawvp, FREAD | FWRITE);
- sc->sc_parent->dk_rawvp = NULL;
+ if (vp) {
+ dk_close_parent(vp, FREAD | FWRITE);
}
return error;
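Review bot: the hunk header advertises 23 new lines, but the diff as pasted stops at `return error;` with no closing brace and no trailing context, so it will not apply as posted; please attach the complete diff. On the logic, moving the read-and-clear of `sc->sc_parent->dk_rawvp` inside the `dk_rawlock` section is the right fix: the old code only set the `doclose` flag under the lock and then read `dk_rawvp` after both mutexes had been released, so anything that changed `dk_rawvp` on the parent in that window (a concurrent open or close on the same raw parent) could leave a NULL for `dk_close_parent()`, and with `KASSERT` compiled out that NULL reached `vn_close()` and `VOP_LOCK()`, which is exactly the backtrace above (`rdi` is 0 and the fault address is the small offset 0x84). The new `if (vp)` test also makes the unlocked close path robust on non-DIAGNOSTIC kernels. A one-line comment above `if (vp)` noting that the vnode is intentionally closed only after the locks are dropped would help future readers.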