NetBSD-Bugs archive


kern/38889: Crash on open/mmap/close of block device



>Number:         38889
>Category:       kern
>Synopsis:       Crash on open/mmap/close of block device
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Jun 08 13:55:00 +0000 2008
>Originator:     Andrew Doran
>Release:        4.99.64
>Organization:
The NetBSD Project
>Environment:
i386
>Description:
trap type 6 code 0 eip c04edb13 cs 8 eflags 10246 cr2 1008 ilevel 0
kernel: supervisor trap page fault, code=0
Stopped in pid 315.1 (a.out) at netbsd:spec_close+0x53: cmpl    0x8(%eax),%esi
db{4}> bt
spec_close(d0325a28,20002,d0325a3c,c04e3018,d003a010,c0819640,d003a010,1,ce1e6c00,1) at netbsd:spec_close+0x53
VOP_CLOSE(d003a010,1,ce1e6c00,d0398f28,0,cf65d080,d0325a7c,c04e3902,d003a010,1) at netbsd:VOP_CLOSE+0x6c
vn_close(d003a010,1,ce1e6c00,1,d0398f28,d0398f3c,d0325acc,c045760d,cf65d080,0) at netbsd:vn_close+0x4e
vn_closefile(cf65d080,0,d0325acc,c0456c32,d03486c0,0,d0398f28,0,d0398f28,c0a8c666) at netbsd:vn_closefile+0x22
closef(cf65d080,3,ffffffff,d02f1179,d0325b00,d03579ac,cff84e08,d02fb758,ce1e6c00,cf65d080) at netbsd:closef+0x5d
fd_close(3,0,d0325bc8,c0470011,d02f100c,ffffffff,14,1,d02f1004,d0325bc8) at netbsd:fd_close+0x124
fd_free(d02f1004,0,d0325bc8,ffffffff,cf654400,1,0,d02f1018,0,d0398f28) at netbsd:fd_free+0x98
exit1(d035b9c0,8b,d0325bfc,c047c86c,c4f58000,1,1,c04772e5,d035bb4c,3f) at netbsd:exit1+0x1aa
sigexit(d035b9c0,b,b,0,c50fdf90,0,d035bb3c,0,0,0) at netbsd:sigexit+0x1cc
postsig(b,d0325d00,0,0,1,d0381070,b,d0325d00,d035b9c0,d0325d30) at netbsd:postsig+0xfd
lwp_userret(d035b9c0,d0325d00,1,0,d035b9c0,bbafc000,cf65d080,0,d035b9c0,c0a8a91c) at netbsd:lwp_userret+0x148
trap() at netbsd:trap+0x95d
--- trap (number 6) ---
0x8048815:
db{4}> show vnode d003a010
OBJECT 0xd003a010: locked=0, pgops=0xc0816020, npages=0, refs=2

VNODE flags 2000038<MAPPED,MPSAFE,LOCKSWORK,SOFTDEP>
mp 0xcf347600 numoutput 0 size 0x0 writesize 0x0
data 0xd003b360 writecount 0 holdcnt 0
tag VT_UFS(1) type VBLK(3) mount 0xcf347600 typedata 0xcfe93ef0
v_lock 0xd003a0b0 v_vnlock 0xd003a0b0

db{4}> whatis 0xcfe93ef0
0xcfe93ef0 is 0xcfe93ef0+0 in POOL 'kmem-20' (allocated)
0xcfe93ef0 is 0xcfe93dc0+304 in VMEM 'kmem' (allocated)
0xcfe93ef0 is 0xcfe92000+7920 from VMMAP 0xc0b250a0
db{4}> x/Lx 0xcfe93ef0,20
0xcfe93ef0:     d002f0bd    1000        0           10000       1000        0

vp->v_specnode->sn_dev == 0x1000, which is crazy. In decimal it is
4096, which is the size that the attached test program tries to
mmap(). Perhaps a pointer is being misused?

The next link (sn_next) is garbage:

db{4}> whatis d002f0bd
0xd002f0bd is 0xd002f000+189 in POOL 'kvakernel' (allocated)
0xd002f0bd is 0xd002f0bc+1 in POOL 'vnodepl' (allocated)
0xd002f0bd is 0xcffff000+196797 from VMMAP 0xc0b250a0
db{4}> show vnode d002f0bd
OBJECT 0xd002f0bd: locked=0, pgops=0xc08160, npages=0, refs=-1610612736

VNODE flags 30020000<LAYER>
mp 0xcf3476 numoutput 0 size 0x0 writesize 0x0
data 0xd0031d writecount 0 holdcnt 0
tag UNKNOWN(0) type UNKNOWN(16777216) mount 0xcf3476 typedata 0x4cfead9
v_lock 0xd002f15d v_vnlock 0xf8d002f1

So it appears the entire specnode_t has been corrupted.
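
As an added example that is not part of the PR, the following C helper decodes the x/Lx dump line above into the specnode_t fields and flags values that cannot be valid i386 kernel pointers (below KERNBASE or not 4-byte aligned). The field order sn_next, sn_dev, sn_opencnt, sn_rdev, the KERNBASE value 0xc0000000 and the function names are assumptions, not taken from the report.

```c
/* Added example (not from PR 38889): decode the ddb "x/Lx" dump of the specnode_t
 * above and flag words that cannot be valid i386 kernel pointers.  Assumed: field
 * order sn_next, sn_dev, sn_opencnt, sn_rdev and KERNBASE 0xc0000000. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KVA_MIN 0xc0000000u	/* i386 KERNBASE: an assumption, not from the PR */
struct specnode_words { uint32_t sn_next, sn_dev, sn_opencnt, sn_rdev; };

/* Parse "addr: w0 w1 ..." as printed by ddb into up to max words; returns count. */
int parse_ddb_words(const char *line, uint32_t *out, int max)
{
	const char *p = strchr(line, ':');
	char *end;
	int n = 0;
	if (p == NULL)
		return 0;
	for (p++; n < max; p = end) {
		unsigned long v = strtoul(p, &end, 16);
		if (end == p)		/* no further hex digits */
			break;
		out[n++] = (uint32_t)v;
	}
	return n;
}

/* A kernel pointer on i386 lies at or above KERNBASE and is 4-byte aligned. */
int plausible_kptr(uint32_t v) { return v >= KVA_MIN && (v & 3) == 0; }

/* Decode one dump line into *sn; return how many of the two pointer fields
 * (sn_next, sn_dev) fail the check, or -1 if the line does not parse. */
int triage_specnode(const char *line, struct specnode_words *sn)
{
	uint32_t w[4];
	if (parse_ddb_words(line, w, 4) < 4)
		return -1;
	sn->sn_next = w[0], sn->sn_dev = w[1], sn->sn_opencnt = w[2], sn->sn_rdev = w[3];
	return !plausible_kptr(sn->sn_next) + !plausible_kptr(sn->sn_dev);
}

int main(void)
{
	const char *line = /* the x/Lx line from the PR, copied verbatim */
	    "0xcfe93ef0:     d002f0bd    1000        0           10000       1000        0";
	struct specnode_words sn;
	int bad = triage_specnode(line, &sn);
	printf("sn_next=%#x sn_dev=%#x sn_opencnt=%u sn_rdev=%#x: %d implausible pointer(s)\n",
	    sn.sn_next, sn.sn_dev, sn.sn_opencnt, sn.sn_rdev, bad);
	return bad != 0;
}
```

On the line above it reports two implausible pointers: sn_dev (0x1000, below KERNBASE) and sn_next (0xd002f0bd, odd and so misaligned), which agrees with the conclusion that the whole specnode_t is corrupt.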

>How-To-Repeat:
#include <unistd.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <sys/mman.h>
#include <stdio.h>
#include <err.h>

int
main(void)
{
        char *p;
        int fd;

        /* Open a block device node read-only. */
        fd = open("/dev/wd0g", O_RDONLY);
        if (fd < 0)
                err(1, "open");
        /* Map one page of the device; flags as in the original report. */
        p = mmap(NULL, 4096, PROT_READ, MAP_FILE, fd, 0);
        if (p == MAP_FAILED)
                err(1, "mmap");
        printf("first byte %d\n", *p);
        /* Close the descriptor while the mapping is still live. */
        if (close(fd) < 0)
                err(1, "close");
        /* Touch the mapping again after the close. */
        printf("and again %d\n", *p);
        return 0;
}

>Fix:
Not known.
