NetBSD Problem Report #55026
From www@netbsd.org Thu Feb 27 03:42:41 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 3745C1A9213
for <gnats-bugs@gnats.NetBSD.org>; Thu, 27 Feb 2020 03:42:41 +0000 (UTC)
Message-Id: <20200227034240.056021A9217@mollari.NetBSD.org>
Date: Thu, 27 Feb 2020 03:42:39 +0000 (UTC)
From: s-yamaguchi@iij.ad.jp
Reply-To: s-yamaguchi@iij.ad.jp
To: gnats-bugs@NetBSD.org
Subject: crash in mount(2) when mounting dk(4)
X-Send-Pr-Version: www-1.0
>Number: 55026
>Category: kern
>Synopsis: crash in mount(2) when mounting dk(4)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: closed
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Thu Feb 27 03:45:00 +0000 2020
>Closed-Date: Fri Apr 24 19:02:01 +0000 2020
>Last-Modified: Fri Apr 24 19:02:01 +0000 2020
>Originator: Shoichi Yamaguchi
>Release: NetBSD-8
>Organization:
Internet Initiative Japan Inc.
>Environment:
>Description:
I encountered the following uvm_fault on a NetBSD-8 host.
It seems to reference a NULL pointer that is provided in dklastclose().
09:39:26uvm_fault(0xfffffe80a547b4e0, 0x0, 1) -> e
09:39:26fatal page fault in supervisor mode
09:39:26trap type 6 code 0 rip 0xffffffff80692397 cs 0x8 rflags 0x10213 cr2 0x84 ilevel 0 rsp 0xffff800056687aa0
09:39:26curlwp 0xfffffe80a1e7a680 pid 5369.1 lowest kstack 0xffff8000566822c0
09:39:26trapframe 0xffff8000566879b0
09:39:26rip 0xffffffff80692397 rsp 0xffff800056687aa0 rfl 0x0000000000010213
09:39:26rdi 0x0000000000000000 rsi 0x0000000000000000 rdx 0xffffffffffffffff
09:39:26rcx 0x0000000000000000 r8 0xfffffe80bf25c108 r9 0x0000000000000000
09:39:26r10 0xffffffff8cda60d0 r11 0x0000000000000000 r12 0x0000000000000000
09:39:26r13 0xffffffffffffffff r14 0x0000000000000001 r15 0x0000000000006000
09:39:26rbp 0xffff800056687af0 rbx 0x0000000000000000 rax 0xfffffe80bf25e008
09:39:26cs 0x0008 ds 0x0000 es 0xfd30 fs 0x0005 gs 0x6199 ss 0x0010
09:39:26panic: trap
09:39:26cpu3: suspending other CPUs...
09:39:26cpu3: suspended other CPUs...
09:39:26cpu3: Begin traceback...
09:39:260x804e8c99: netbsd:db_panic+0xb6
09:39:260x8063b642: netbsd:vpanic+0x140
09:39:260x8063b6ff: netbsd:snprintf
09:39:260x80231302: netbsd:trap+0xa9b
09:39:26--- trap (number 6) ---
09:39:260x80692397: netbsd:VOP_LOCK+0x2e
09:39:260x8068aca7: netbsd:vn_lock+0x11
09:39:260x8068b7a3: netbsd:vn_close+0x20
09:39:260x806a11ea: netbsd:dklastclose+0x65
09:39:260x806991ca: netbsd:spec_close+0x26d
09:39:260x80691090: netbsd:VOP_CLOSE+0x38
09:39:260x8057a109: netbsd:msdosfs_mount+0x367
09:39:260x8067f196: netbsd:VFS_MOUNT+0x51
09:39:260x8067ca44: netbsd:mount_domount+0x122
09:39:260x80681a34: netbsd:do_sys_mount+0x2b3
09:39:260x80681f42: netbsd:sys___mount50+0x33
09:39:260x8024fc21: netbsd:syscall+0x1d1
>How-To-Repeat:
>Fix:
I have checked that the following patch fixes this.
diff --git a/sys/dev/dkwedge/dk.c b/sys/dev/dkwedge/dk.c
index 150471552fb..5d6bd213680 100644
--- a/sys/dev/dkwedge/dk.c
+++ b/sys/dev/dkwedge/dk.c
@@ -1152,21 +1152,23 @@ dkopen(dev_t dev, int flags, int fmt, struct lwp *l)
static int
dklastclose(struct dkwedge_softc *sc)
{
- int error = 0, doclose;
+ struct vnode *vp;
+ int error = 0;
- doclose = 0;
+ vp = NULL;
if (sc->sc_parent->dk_rawopens > 0) {
- if (--sc->sc_parent->dk_rawopens == 0)
- doclose = 1;
+ if (--sc->sc_parent->dk_rawopens == 0) {
+ KASSERT(sc->sc_parent->dk_rawvp != NULL);
+ vp = sc->sc_parent->dk_rawvp;
+ sc->sc_parent->dk_rawvp = NULL;
+ }
}
mutex_exit(&sc->sc_parent->dk_rawlock);
mutex_exit(&sc->sc_dk.dk_openlock);
- if (doclose) {
- KASSERT(sc->sc_parent->dk_rawvp != NULL);
- dk_close_parent(sc->sc_parent->dk_rawvp, FREAD | FWRITE);
- sc->sc_parent->dk_rawvp = NULL;
+ if (vp) {
+ dk_close_parent(vp, FREAD | FWRITE);
}
return error;
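Review bot: in dklastclose(), the new block that copies sc->sc_parent->dk_rawvp into vp and clears the field is only correct while dk_rawlock is held, and nothing in the hunk records that. A one-line comment above `vp = sc->sc_parent->dk_rawvp;` stating that the field is read and cleared under dk_rawlock would keep a later cleanup from moving it back below the mutex_exit() calls. Two smaller points: `if (vp) {` would read better as `if (vp != NULL)` to match the explicit comparison in the KASSERT, and error is still never assigned in the lines shown, so the function returns 0 whatever happens in dk_close_parent().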
>Release-Note:
>Audit-Trail:
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/55026: crash in mount(2) when mounting dk(4)
Date: Thu, 27 Feb 2020 06:21:53 -0000 (UTC)
s-yamaguchi@iij.ad.jp writes:
>I have checked that the following patch fixes this.
The patch looks correct. I'm curious under what conditions you
triggered that race condition. Any details?
--
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
From: Shoichi YAMAGUCHI <s-yamaguchi@iij.ad.jp>
To: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org, gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org
Cc: s-yamaguchi@iij.ad.jp
Subject: Re: kern/55026: crash in mount(2) when mounting dk(4)
Date: Thu, 27 Feb 2020 16:57:03 +0900
> The patch looks correct. I'm curious under what conditions you
> triggered that race condition. Any details?
I had run a lot (10~15) of instances of my program to manipulate a file
when the race condition appeared. The program does mount(),
open(), close() and unmount() each time.
Perhaps the condition may depend on the environment, because
it appeared on ESXi 6.7 but did not appear on qemu on Fedora 30.
>
> --
> --
> Michael van Elst
> Internet: mlelstv@serpens.de
> "A potential Snark may lurk in every tree."
>
>
--
Internet Initiative Japan Inc.
Device Engineering Section,
Product Development Department,
Product Division
Shoichi Yamaguchi <s-yamaguchi@iij.ad.jp>
From: mlelstv@serpens.de (Michael van Elst)
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/55026: crash in mount(2) when mounting dk(4)
Date: Thu, 27 Feb 2020 10:42:23 -0000 (UTC)
s-yamaguchi@iij.ad.jp (Shoichi YAMAGUCHI) writes:
>I had run a lot (10~15) of instances of my program to manipulate a file
>when the race condition appeared. The program does mount(),
>open(), close() and unmount() each time.
Yes. That's extreme enough to explain that you hit the race condition :-)
--
--
Michael van Elst
Internet: mlelstv@serpens.de
"A potential Snark may lurk in every tree."
From: "Shoichi YAMAGUCHI" <yamaguchi@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55026 CVS commit: src/sys/dev/dkwedge
Date: Fri, 28 Feb 2020 06:01:23 +0000
Module Name: src
Committed By: yamaguchi
Date: Fri Feb 28 06:01:23 UTC 2020
Modified Files:
src/sys/dev/dkwedge: dk.c
Log Message:
Update sc->sc_parent->dk_rawvp while the lock named dk_rawlock is held
to prevent a race condition
Fixes PR kern/55026
OKed by mlelstv@, thanks
To generate a diff of this commit:
cvs rdiff -u -r1.97 -r1.98 src/sys/dev/dkwedge/dk.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
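The ordering problem this commit fixes, replayed as a single-threaded user-space model (an added example, not NetBSD code and not part of the original report): one closer drops the last reference, a second opener runs in the window after the mutexes are released, then both finish. The open path and the exact interleaving are assumptions; `struct parent`, `open_locked`, `last_close` and `replay` are hypothetical names.

```c
#include <stddef.h>

/* Constructed user-space model of the race; not NetBSD source. */
struct parent { int rawopens; int *rawvp; }; /* dk_rawopens, dk_rawvp */

/* Marks a vnode closed; returns 1 for NULL, where the PR's kernel faulted. */
static int close_parent(int *vp)
{
    if (vp != NULL)
        *vp = 0;
    return vp == NULL;
}

/* Assumed open path: the first opener installs its vnode under the lock. */
static void open_locked(struct parent *p, int *vnode)
{
    if (p->rawopens++ == 0)
        p->rawvp = vnode;
}

/* Last close; `intruder` is opened in the window after the mutexes drop. */
static int last_close(struct parent *p, int fixed, int *intruder)
{
    int last = p->rawopens > 0 && --p->rawopens == 0;
    int *vp = NULL;
    if (last && fixed) {             /* patched: detach under dk_rawlock */
        vp = p->rawvp;
        p->rawvp = NULL;
    }
    if (intruder != NULL)            /* both mutexes released here */
        open_locked(p, intruder);
    if (last && !fixed) {            /* original: field used after unlock */
        vp = p->rawvp;
        p->rawvp = NULL;
        return close_parent(vp);
    }
    return vp != NULL ? close_parent(vp) : 0;
}

/* Returns bit 0 if NULL reached close, bit 1 if A's vnode was never closed. */
int replay(int fixed)
{
    struct parent p = { 0, NULL };
    int a = 1, b = 1, fault;         /* 1 = not yet closed */
    open_locked(&p, &a);
    fault = last_close(&p, fixed, &b);     /* A closes, B opens in window */
    fault |= last_close(&p, fixed, NULL);  /* B's own last close */
    return fault | (a ? 2 : 0);
}
```

With the original ordering (`replay(0)`) the first closer closes the second opener's vnode, its own vnode is never closed, and the second closer passes NULL to the close routine; with the patched ordering (`replay(1)`) each closer closes the vnode it detached under the lock.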
State-Changed-From-To: open->needs-pullups
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 21 Apr 2020 17:21:13 +0000
State-Changed-Why:
Will request pullups later. Thanks for the patch.
State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: maya@NetBSD.org
State-Changed-When: Fri, 24 Apr 2020 13:37:15 +0000
State-Changed-Why:
pullup-9 #850, pullup-8 #1541
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55026 CVS commit: [netbsd-8] src/sys/dev/dkwedge
Date: Fri, 24 Apr 2020 16:15:24 +0000
Module Name: src
Committed By: martin
Date: Fri Apr 24 16:15:24 UTC 2020
Modified Files:
src/sys/dev/dkwedge [netbsd-8]: dk.c
Log Message:
Pull up following revision(s) (requested by maya in ticket #1541):
sys/dev/dkwedge/dk.c: revision 1.98
Update sc->sc_parent->dk_rawvp while the lock named dk_rawlock is held
to prevent a race condition
Fixes PR kern/55026
OKed by mlelstv@, thanks
To generate a diff of this commit:
cvs rdiff -u -r1.96 -r1.96.6.1 src/sys/dev/dkwedge/dk.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/55026 CVS commit: [netbsd-9] src/sys/dev/dkwedge
Date: Fri, 24 Apr 2020 17:42:53 +0000
Module Name: src
Committed By: martin
Date: Fri Apr 24 17:42:53 UTC 2020
Modified Files:
src/sys/dev/dkwedge [netbsd-9]: dk.c
Log Message:
Pull up following revision(s) (requested by maya in ticket #850):
sys/dev/dkwedge/dk.c: revision 1.98
Update sc->sc_parent->dk_rawvp while the lock named dk_rawlock is held
to prevent a race condition
Fixes PR kern/55026
OKed by mlelstv@, thanks
To generate a diff of this commit:
cvs rdiff -u -r1.97.8.2 -r1.97.8.3 src/sys/dev/dkwedge/dk.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Fri, 24 Apr 2020 19:02:01 +0000
State-Changed-Why:
pullups done
>Unformatted: