NetBSD Problem Report #40688

From uebayasi@tombi.co.jp  Thu Feb 19 06:36:21 2009
Return-Path: <uebayasi@tombi.co.jp>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 9A1E363B8C3
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 19 Feb 2009 06:36:21 +0000 (UTC)
Message-Id: <20090219063606.2F36B6D@singapore.tombi.co.jp>
Date: Thu, 19 Feb 2009 15:36:06 +0900 (JST)
From: uebayasi@tombi.co.jp
Reply-To: uebayasi@tombi.co.jp
To: gnats-bugs@gnats.NetBSD.org
Subject: opening /dev/ptyp1 panics
X-Send-Pr-Version: 3.95

>Number:         40688
>Category:       kern
>Synopsis:       opening /dev/ptyp1 panics
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    martin
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 19 06:40:01 +0000 2009
>Closed-Date:    Mon Jun 06 08:48:09 +0000 2011
>Last-Modified:  Mon Jun 06 08:50:02 +0000 2011
>Originator:     Masao Uebayashi
>Release:        NetBSD 5.99.7
>Organization:
	Tombi Inc.
>Environment:
System: NetBSD  5.99.7 NetBSD 5.99.7 (GOLDTOWN) #14: Thu Feb 19 15:27:33 JST 2009  uebayasi@sidebeach.uebayasi.my.domain:/src/netbsd/work.tty/i386/obj/sys/arch/i386/compile/GOLDTOWN i386
Architecture: x86
Machine: i386
>Description:
	If I open /dev/ptyp1 with cu, the kernel panics.  The cause is that
	ptcopen() doesn't initialize the associated t_dev.  Later ptyioctl()
	calls ptcwakeup(), looks for an empty pt_softc, then NULL deref.

>How-To-Repeat:
	# type cu
	cu is /usr/bin/cu
	# ls -l /dev/ptyp1
	crw-rw-rw-  1 root  wheel  6, 1 Feb 18 16:54 /dev/ptyp1
	# cu -l /dev/ptyp1
	uvm_fault(0xcc2c0d00, 0, 1) -> 0xe
	fatal page fault in supervisor mode
	trap type 6 code 0 eip c060e032 cs 8 eflags 10286 cr2 8 ilevel 8
	panic: trap
	Begin traceback...
	uvm_fault(0xcc2c0d00, 0, 1) -> 0xe
	fatal page fault in supervisor mode
	trap type 6 code 0 eip c025b721 cs 8 eflags 10246 cr2 0 ilevel 8
	panic: trap

>Fix:
	I've not understood tty / pty.  I'd want to fix this properly. :)

>Release-Note:

>Audit-Trail:
From: Antti Kantee <pooka@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/40688 CVS commit: src/tests/kernel
Date: Mon, 28 Jun 2010 19:04:00 +0000

 Module Name:	src
 Committed By:	pooka
 Date:		Mon Jun 28 19:04:00 UTC 2010

 Modified Files:
 	src/tests/kernel: Atffile Makefile
 Added Files:
 	src/tests/kernel/tty: Atffile Makefile t_pr.c

 Log Message:
 xfail test for kernel panicky in PR kern/40688


 To generate a diff of this commit:
 cvs rdiff -u -r1.2 -r1.3 src/tests/kernel/Atffile
 cvs rdiff -u -r1.4 -r1.5 src/tests/kernel/Makefile
 cvs rdiff -u -r0 -r1.1 src/tests/kernel/tty/Atffile \
     src/tests/kernel/tty/Makefile src/tests/kernel/tty/t_pr.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

Responsible-Changed-From-To: kern-bug-people->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Fri, 08 Apr 2011 20:09:40 +0000
Responsible-Changed-Why:
I think I have a fix


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/40688 CVS commit: src/sys/kern
Date: Sat, 9 Apr 2011 06:34:06 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Sat Apr  9 06:34:06 UTC 2011

 Modified Files:
 	src/sys/kern: tty.c tty_pty.c

 Log Message:
 In ttymalloc() explicitly initialize t_dev to NODEV.
 In ptcwakeup() do not bother to wake up a client side if it has not been
 opened yet.
 The old code would spuriously wakeup the client minor(0) [i.e. ttyp0
 typically] or crash the kernel if that wasn't open, see PR kern/40688.
 (Old names used to match the PR and test case, adjust names for
 /dev/ptm[x] resp. /dev/pts/* accordingly)


 To generate a diff of this commit:
 cvs rdiff -u -r1.242 -r1.243 src/sys/kern/tty.c
 cvs rdiff -u -r1.124 -r1.125 src/sys/kern/tty_pty.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
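
The two changes named in the log message above, shown as a small user-space model. This is an added example, not part of the commit and not NetBSD kernel source: the struct layouts, the `_old`/`_fixed` suffixes, the `enum wake` return codes and the simplified `minor()` are assumptions made for illustration.

```c
/* Added example: user-space model of PR kern/40688, not NetBSD kernel source. */
#include <stdio.h>
#include <stdlib.h>

#define NPTY     4
#define NODEV    ((unsigned)-1)         /* sentinel: tty not bound to a device */
#define minor(d) ((d) & 0xffu)          /* simplified stand-in for minor() */

struct tty      { unsigned t_dev; };
struct pt_softc { int wakeups; };       /* constructed layout, one per pty unit */
static struct pt_softc *pt_softc[NPTY]; /* NULL until the unit exists */

enum wake { WOKE_CLIENT, SKIPPED_UNOPENED, NULL_DEREF };

/* Old allocator: zeroed memory, so t_dev == 0 looks like unit 0. */
static struct tty *ttymalloc_old(void) { return calloc(1, sizeof(struct tty)); }

/* Fixed allocator: t_dev stays NODEV until the client side is opened. */
static struct tty *ttymalloc_fixed(void) {
    struct tty *tp = calloc(1, sizeof(*tp));
    if (tp != NULL)
        tp->t_dev = NODEV;
    return tp;
}

/* Old wakeup path: trusts t_dev. The model reports the fault instead of crashing. */
static enum wake ptcwakeup_old(const struct tty *tp) {
    struct pt_softc *pti = pt_softc[minor(tp->t_dev) % NPTY];
    if (pti == NULL)
        return NULL_DEREF;              /* in the kernel: page fault, panic */
    pti->wakeups++;                     /* otherwise the wrong unit is woken */
    return WOKE_CLIENT;
}

/* Fixed wakeup path: an unopened client side is left alone. */
static enum wake ptcwakeup_fixed(const struct tty *tp) {
    if (tp->t_dev == NODEV)
        return SKIPPED_UNOPENED;
    return ptcwakeup_old(tp);
}

int main(void) {
    struct tty *oldtp = ttymalloc_old(), *newtp = ttymalloc_fixed();
    if (oldtp == NULL || newtp == NULL) return 1;
    printf("old: %d fixed: %d\n", ptcwakeup_old(oldtp), ptcwakeup_fixed(newtp));
    free(oldtp); free(newtp);
    return 0;
}
```

With unit 0 absent the old path reaches the NULL entry; with unit 0 present it counts a wakeup on a unit nobody asked for, which is the spurious ttyp0 wakeup the log message mentions.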

State-Changed-From-To: open->feedback
State-Changed-By: martin@NetBSD.org
State-Changed-When: Sat, 09 Apr 2011 06:39:27 +0000
State-Changed-Why:
Should be fixed in -current


State-Changed-From-To: feedback->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Mon, 06 Jun 2011 08:48:09 +0000
State-Changed-Why:
Confirmed fixed, thanks!


From: Masao Uebayashi <uebayasi@gmail.com>
To: gnats-bugs@netbsd.org
Cc: martin@netbsd.org, netbsd-bugs@netbsd.org, gnats-admin@netbsd.org
Subject: Re: kern/40688 (opening /dev/ptyp1 panics)
Date: Mon, 6 Jun 2011 17:45:03 +0900

 It's surely fixed.  Thanks!

 On Sat, Apr 9, 2011 at 3:39 PM,  <martin@netbsd.org> wrote:
 > Synopsis: opening /dev/ptyp1 panics
 >
 > State-Changed-From-To: open->feedback
 > State-Changed-By: martin@NetBSD.org
 > State-Changed-When: Sat, 09 Apr 2011 06:39:27 +0000
 > State-Changed-Why:
 > Should be fixed in -current
 >
 >
 >
 >

>Unformatted:
