kern/39155: Invalid parameter to turnstile_exit in rw_downgrade

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/39155: Invalid parameter to turnstile_exit in rw_downgrade
From: ws%tools.de@localhost
Date: Wed, 16 Jul 2008 17:05:00 +0000 (UTC)

>Number:         39155
>Category:       kern
>Synopsis:       Invalid parameter to turnstile_exit in rw_downgrade
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Jul 16 17:05:00 +0000 2008
>Originator:     Wolfgang Solfrank
>Release:        NetBSD 4.99.62
>Organization:
Tools GmbH
>Environment:
System: NetBSD sdsl.tools.de 4.99.62 NetBSD 4.99.62 (sdsl1) #2: Wed Jul 16 
17:42:32 MEST 2008 
ws%sdsl.tools.de@localhost:/src/obj/sys/arch/i386/compile/sdsl1 i386
Architecture: i386
Machine: i386
>Description:

The two calls to turnstile_exit in rw_downgrade in file kern_rwlock.c
supply invalid parameters to that routine.

>How-To-Repeat:

As rw_downgrade is used rather rarely in the current kernel,
you can provoke the fault by applying the patches in PR 38456.
Once in a while you'll suffer from a panic like this:

panic: LOCKDEBUG
Begin traceback...
lockdebug_abort1(c0d43700,c0d46620,c0a15513,c0a15525,1) at 
netbsd:lockdebug_abort1+0x8d
lockdebug_abort(c0d3c200,c0c84d64,c0a15513,c0a15525,0) at 
netbsd:lockdebug_abort+0x4b
mutex_abort(c0d3c200,c0a15513,c0a15525,0,0) at netbsd:mutex_abort+0x42
mutex_vector_exit(c0d3c200,cf81026f,1b,cf810260,cf661928) at 
netbsd:mutex_vector_exit+0x58
turnstile_exit(cf661928,cf81026f,1b,0,0) at netbsd:turnstile_exit+0x25
rw_downgrade(c0d2ecc0,c0c84ae0,1,18,bfbfe47c) at netbsd:rw_downgrade+0x252
ipf_findtoken(5,64,cf810260,c034725c,5) at netbsd:ipf_findtoken+0x148
fr_state_ioctl(cf873c34,c034725c,1,64,cf810260) at netbsd:fr_state_ioctl+0x43f
fr_ioctlswitch(2,cf873c34,c034725c,1,64) at netbsd:fr_ioctlswitch+0xc8
iplioctl(2c02,c034725c,cf873c34,1,cf810260) at netbsd:iplioctl+0x141
cdev_ioctl(2c02,c034725c,cf873c34,1,cf810260) at netbsd:cdev_ioctl+0x6d
spec_ioctl(cf873adc,cf810260,c0a222c0,cf30c250,c034725c) at 
netbsd:spec_ioctl+0xc1
VOP_IOCTL(cf30c250,c034725c,cf873c34,1,cf601180) at netbsd:VOP_IOCTL+0x6d
vn_ioctl(cf6e1bc0,c034725c,cf873c34,34,0) at netbsd:vn_ioctl+0x234
sys_ioctl(cf810260,cf873d04,cf873cfc,cf873d00,c0561d90) at 
netbsd:sys_ioctl+0x32e
syscall(cf873d48,b3,ab,1f,bfbf001f) at netbsd:syscall+0x16a
End traceback...

>Fix:
Index: kern_rwlock.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_rwlock.c,v
retrieving revision 1.22
diff -u -r1.22 kern_rwlock.c
--- kern_rwlock.c       28 Apr 2008 20:24:03 -0000      1.22
+++ kern_rwlock.c       16 Jul 2008 16:19:11 -0000
@@ -638,7 +638,7 @@
 
                        new = RW_READ_INCR | RW_HAS_WAITERS | RW_WRITE_WANTED;
                        next = rw_cas(rw, owner, new);
-                       turnstile_exit(ts);
+                       turnstile_exit(rw);
                        if (__predict_true(next == owner))
                                break;
                } else {
@@ -658,7 +658,7 @@
                                turnstile_wakeup(ts, TS_READER_Q, rcnt, NULL);
                                break;
                        }
-                       turnstile_exit(ts);
+                       turnstile_exit(rw);
                }
        }

Prev by Date: Re: bin/38493: no good audio with cdplay
Next by Date: Re: bin/38493: no good audio with cdplay
Previous by Thread: Re: bin/39154 (new bind does not compile on netbsd-4/shark)
Next by Thread: PR/38493 CVS commit: src/usr.bin/cdplay
Indexes:

Home | Main Index | Thread Index | Old Index