breakage in kern_event.c

To: current-users%netbsd.org@localhost
Subject: breakage in kern_event.c
From: Paul Goyette <paul%whooppee.com@localhost>
Date: Fri, 12 May 2017 07:37:01 +0800 (+08)

Rev 1.90 seems to have introduced the following panic - easilyreproducible by executing "cd /usr/tests/kernel/kqueue ; atf-runt_proc2"


Here's the result:
kernel/kqueue/t_proc2 (67/699): 1 test cases
    proc2: uvm_fault(0xfffffe803f52d178, 0x0, 1) -> e
fatal page fault in supervisor mode

trap type 6 code 0 rip 0xffffffff809350b1 cs 0x8 rflags 0x202 cr2 0x40ilevel 0 rsp 0xfffffe800386cc60

curlwp 0xfffffe803fa4f5a0 pid 6224.1 lowest kstack 0xfffffe80038692c0
panic: trap
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x140
snprintf() at netbsd:snprintf
trap() at netbsd:trap+0xc6b
--- trap (number 6) ---
kqueue_register() at netbsd:kqueue_register+0x45a
filt_proc() at netbsd:filt_proc+0x154
knote() at netbsd:knote+0x40
fork1() at netbsd:fork1+0x670
sys_fork() at netbsd:sys_fork+0x32
syscall() at netbsd:syscall+0x1d8
--- syscall (number 2) ---
7b4a186ddf5a:
cpu0: End traceback...


A quick check shows that rev 1.90 replaced

 #ifdef DIAGNOSTIC
 				printf("%s: event not supported for file type"
 				    " %d\n", __func__, fp ? fp->f_type : -1);
 #endif

with

 #ifdef DIAGNOSTIC
 				printf("%s: event not supported for file type"
 				    " %d (error %d)\n", __func__,
 				    ((file_t *)kn->kn_obj)->f_type, error);
 #endif

The intent seems tobe to use the "real" fp value for finding andprinting the file type.

However, it appears that kn->kn_obj is earlier initialized to fp, so iffp could be NULL, then kn->kn_obj can also be NULL. (See line 978)

The revised code no longer makes a check for NULL, so instead of justprinting file type -1, it panics when dereferencing the pointer.


:(




+------------------+--------------------------+----------------------------+
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:          |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee dot com   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd dot org |
+------------------+--------------------------+----------------------------+

Prev by Date: Automated report: NetBSD-current/i386 build success
Next by Date: daily CVS update output
Previous by Thread: disabling mediaopts for if_wm(4)
Next by Thread: DRM error in cpt_serr_int_handler, failure to boot NetBSD 7.99.71
Indexes:

Home | Main Index | Thread Index | Old Index