kern/59519: vn_read() leaks file* lock

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/59519: vn_read() leaks file* lock
From: bad%bsd.de@localhost
Date: Tue, 8 Jul 2025 12:25:00 +0000 (UTC)

>Number:         59519
>Category:       kern
>Synopsis:       vn_read() leaks file* lock
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jul 08 12:25:00 +0000 2025
>Originator:     Christoph Badura
>Release:        10.0, -current
>Organization:
The Code Reviews are Hard, Let's leak Locks Foundation
>Environment:
N/A
>Description:
sys/kern/vfs_vnops.c#673 in vn_read() acquires a mutex when it should release it.

        if (__predict_false(vp->v_type == VDIR) &&
            offset == &fp->f_offset && (flags & FOF_UPDATE_OFFSET) == 0)
                mutex_enter(&fp->f_lock);
        uio->uio_offset = *offset;
        if (__predict_false(vp->v_type == VDIR) &&
            offset == &fp->f_offset && (flags & FOF_UPDATE_OFFSET) == 0)
==>             mutex_enter(&fp->f_lock);

Obviously this should be a call to mutex_exit().

This was introduced on 2023-04-22 in r1.238:
https://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/vfs_vnops.c.diff?r1=1.237;r2=1.238

And pulled up to netbsd-10 shortly thereafter.

>How-To-Repeat:
Code inspection.
>Fix:
Obvious.
Needs pullup to -10.

Prev by Date: Re: toolchain/59512: atari crunched binaries from reproducable builds contain source dir paths
Next by Date: PR/59512 CVS commit: src
Previous by Thread: toolchain/59517: gdb sometimes randomly dumps core
Next by Thread: PR/59512 CVS commit: src
Indexes:

Home | Main Index | Thread Index | Old Index