kern/56410: panic when accessing double same-source same-destination union

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/56410: panic when accessing double same-source same-destination union
From: наб <nabijaczleweli%nabijaczleweli.xyz@localhost>
Date: Sun, 19 Sep 2021 13:35:01 +0000 (UTC)

>Number:         56410
>Category:       kern
>Synopsis:       panic when accessing double same-source same-destination union
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Sep 19 13:35:00 +0000 2021
>Originator:     nabijaczleweli
>Release:        NetBSD 9.2
>Environment:
System: NetBSD netbsd-dev 9.2 NetBSD 9.2 (GENERIC) #0: Wed May 12 13:15:55 UTC 2021 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
Given:
	/dev/dk0 on / type ffs (local)
	/dev/ld1 on /usr/pkgsrc type ffs (local)
	tmpfs on /tmp type tmpfs (local)
	kernfs on /kern type kernfs (local)
	ptyfs on /dev/pts type ptyfs (local)
	procfs on /proc type procfs (local)
	tmpfs on /var/shm type tmpfs (local)
	<above>:/tmp/a on /tmp/b type union (local)
	<above>:/tmp/a on /tmp/b type union (local)

Any access of /tmp/b (including umount) panics:
-- >8 --
netbsd-dev# crash -M netbsd.0.core -N netbsd.0
Crash version 9.2, image version 9.2.
System panicked: lock error: Reader / writer lock: rw_vector_enter,350: locking against myself: lock 0xc5ff1750 cpu 0 lwp 0xc4e87b40
Backtrace from time of crash is available.
crash> bt
_KERNEL_OPT_NARCNET(0,104,c011ae85,8,c06ac2e2,c103ab75,0,104,c1053f1c,dd2bfb88) at 0
_KERNEL_OPT_NARCNET(104,0,c1053f1c,dd2bfb88,0,c4e87b44,c5ff1750,dd2bfb7c,c08e2871,c1053f1c) at 0
vpanic(c1053f1c,dd2bfb88,dd2bfba4,c08dc4ed,c1053f1c,c105209a,c0f38924,15e,c1050d93,c5ff1750) at vpanic+0x13d
snprintf(c1053f1c,c105209a,c0f38924,15e,c1050d93,c5ff1750,0,c4e87b40,dd2bfbc0,c08b849a) at snprintf
lockdebug_abort(c0f38924,15e,c5ff1750,c1286d4c,c1050d93,dd2bfc2c,c08b8750,c528e558,c5341001,c0931e80) at lockdebug_abort+0xd6
rw_abort.constprop.3(c528e558,c5341001,c0931e80,c527dcc0,c47f4040,dd2bfcb0,c0940fb5,c5ff1750,0,0) at rw_abort.constprop.3+0x39
rw_vector_enter(c5ff1750,0,c602e088,dd2bfc58,c07c8b87,dd2bfc4c,c0f3b12c,c5ff169c,20001,dd2bfc78) at rw_vector_enter+0x28b
genfs_lock(dd2bfc4c,c0f3b12c,c5ff169c,20001,dd2bfc78,c07c8c52,c4d173e4,1,20001,1) at genfs_lock+0x4c
union_lock1(c4d173e4,1,20001,1,10,c5295000,dd2bfca4,c093aedb,dd2bfc8c,dd2bfdac) at union_lock1+0x2e
union_lock(dd2bfc8c,dd2bfdac,c602e088,c0f3b12c,c602e088,20001,20001,c602e088,c53484e4,dd2bfcbc) at union_lock+0x81
VOP_LOCK(c602e088,20001,dd2bfd84,dd2bfcdc,dd2bfd70,c07c7e4d,c602e088,20001,0,ffffffff) at VOP_LOCK+0x61
vn_lock(c602e088,20001,0,ffffffff,ffffffff,c602e088,c4ee7000,0,c4ee7000,0) at vn_lock+0x1a
union_getattr(dd2bfd84,c0940fb5,c08e3856,c0f3b4c8,c602e14c,dd2bfdac,c53387c0,dd2bfeb4,dd2bfe40,c0933422) at union_getattr+0xe7
VOP_GETATTR(c602e14c,dd2bfdac,c53387c0,2,1ed,2,0,0,ab01,0) at VOP_GETATTR+0x37
vn_stat(c602e14c,dd2bfeb4,0,c53402c0,0,c53402c0,c5341000,c4d1e3f4,0,c602e14c) at vn_stat+0x38
do_sys_statat(c4e87b40,ffffff9c,bfbf1ac0,0,dd2bfeb4,c08e0da2,6,0,c08e0d3e,0) at do_sys_statat+0x67
sys___lstat50(c4e87b40,dd2bff68,dd2bff60,dd2be080,c4fa98ac,dd2bff60,1b9,dd2bff68,0,0) at sys___lstat50+0x39
syscall() at syscall+0x127
--- syscall (number 441) ---
ba4d27b7:
-- >8 --

This is similar to #4597, but that deals with recursive unions
(and is from 1997 (not that it matters, because that still panics?)).

Kernel (though this is the official GENERIC from the media) and coredump
can be found at:
  https://lfs.nabijaczleweli.xyz/0010-NetBSD-double-double-union-panic

>How-To-Repeat:
	mkdir a b
	mount -t union a b
	mount -t union a b
	umount b

--ifggbhxzead5hj3w
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEfWlHToQCjFzAxEFjvP0LAY0mWPEFAmFHPFMACgkQvP0LAY0m
WPG0dQ//dfP1yb3WV2ZvsIQC4hHWVVjA8RVX694JhcvUvxKjXuBn330fiq5mONcr
Lu+K8GlLjuL59JDoMHu43G4PLhQVHGJhadJ/iGaKLt/1484oWMqJJHQAC5Zzft1a
h+4JJwsiDJzTQH1y2PeqTOQFB4gM3s8rDoMVBdHRygcg3o1/jEVltlRsgpYOdK6w
fVqW0bq3UH4DsjjbnzhZ8vD4UeQYEhF1yJCMX1y+0wNUokILp5N3dW73uE6PdD/F
eFg3BG6Spi/Pg4giliYMiWW7xMdDeMZad9oJqxSC8b9/onk4YXeVenKs8IkbdeL9
7+8hDS9rwXUqmEp8Yl2JA1p3GkTqcX2JeAi3snSnBjO7jjE3MM8Twmbd6LiFcd7d
VRYQDy11GRV2F0RaUwh5ock9giiOFYhducb4mJBoURL4QLyWPD0aOcIqohZfV8sK
TTqxkKQubG661uBMXWx1hJElGCQwAqsyD7D2FFT2CgAVW4wnTNpg+66aSkhMBGLJ
Ux75FIBB/h5wnjJG8nHqaaCK2lnxigRm2f0k6l8Mp7jN2hxwdD/FIhxoQE6YZKPy
nswEDtLvGLtjROIpzIi3l/odKvl8pKNb79qcSTvSIyK/bx73n/FPp8FelFWlZL9t
whhFoBzooNqIOnjXz55+AL0ugQ0wXghgSYajFQDB7d+oCk3pxkc=
=RPFM
-----END PGP SIGNATURE-----

--ifggbhxzead5hj3w--

>Fix:

Unknown
>Unformatted:
 --ifggbhxzead5hj3w
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline

Prev by Date: Re: port-sparc64/51647 (deadlock in NFS client with UDP (IPv4) on sparc64)
Next by Date: NetBSD Nightly Trouble Ticket Report
Previous by Thread: Re: port-sparc64/51647 (deadlock in NFS client with UDP (IPv4) on sparc64)
Next by Thread: Re: toolchain/56288 (./build.sh tools does not work on Apple M1 Macs (#2) due to gcc build)
Indexes:

Home | Main Index | Thread Index | Old Index