Peter Jeremy
2004-Feb-22 15:07 UTC
NULL pointer dereference in sys/ufs/ffs/ffs_softdep.c:acquire_lock()
Whilst verifying the keyboard panic functionality on a 4.9p1 system, I got an unexpected second panic within the softupdates code whilst syncing. A quick check of the code in -STABLE suggests that the same behaviour exists there. A backtrace of the crashdump is at the end of this email.

The problem is a line:

266 lk->lkt_held = CURPROC->p_pid;

with CURPROC (=== curproc) being NULL. Studying the code, it appears it is quite normal for curproc to be NULL during task switching and a quick check suggests curproc is NULL when the idle "process" is running.

I believe that normally when acquire_lock() is called, there will be a valid process context, so this would only seem to affect filesystem syncing during a panic. In this case, the fix would seem to be (whitespace corrupted):

diff -u -r1.72.2.13 kern_shutdown.c
--- sys/kern/kern_shutdown.c	31 Aug 2003 00:16:28 -0000	1.72.2.13
+++ sys/kern/kern_shutdown.c	22 Feb 2004 23:01:04 -0000
@@ -232,6 +232,10 @@
 waittime = 0;
 printf("\nsyncing disks... ");
 
+ /* make sure curproc is valid to make softupdates happy */
+ if (curproc == NULL)
+ SET_CURPROC(&proc0);
+
 sync(&proc0, NULL);
 
 /*

-----------
panic: Forced by the panic key
syncing disks... 
Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x30
fault code = supervisor read, page not present
instruction pointer = 0x8:0xc022e528
stack pointer = 0x10:0xc02c499c
frame pointer = 0x10:0xc02c49a4
code segment = base 0x0, limit 0xfffff, type 0x1b
 = DPL 0, pres 1, def32 1, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
interrupt mask = net tty bio cam
trap number = 12
panic: page fault
Uptime: 2m52s
dumping to dev #ad/0x20001, offset 166080
dump ata0: resetting devices .. done
96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
---
#0  dumpsys () at /mnt/rpc/src/sys/kern/kern_shutdown.c:487
487             if (dumping++) {
(kgdb) where
#0  dumpsys () at /mnt/rpc/src/sys/kern/kern_shutdown.c:487
#1  0xc01792a8 in boot (howto=260) at /mnt/rpc/src/sys/kern/kern_shutdown.c:316
#2  0xc01796f5 in panic (fmt=0xc02bb8ac "%s") at /mnt/rpc/src/sys/kern/kern_shutdown.c:595
#3  0xc02737fc in trap_fatal (frame=0xc02c495c, eva=48) at /mnt/rpc/src/sys/i386/i386/trap.c:974
#4  0xc0273499 in trap_pfault (frame=0xc02c495c, usermode=0, eva=48) at /mnt/rpc/src/sys/i386/i386/trap.c:867
#5  0xc027300b in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16, tf_edi = 0, tf_esi = -1054074880, tf_ebp = -1070839388, tf_isp = -1070839416, tf_ebx = -1070741316, tf_edx = 6864960, tf_ecx = -937835584, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1071454936, tf_cs = 8, tf_eflags = 66054, tf_esp = -1054074880, tf_ss = -1054074880}) at /mnt/rpc/src/sys/i386/i386/trap.c:466
#6  0xc022e528 in acquire_lock (lk=0xc02dc8bc) at /mnt/rpc/src/sys/ufs/ffs/ffs_softdep.c:266
#7  0xc0232778 in softdep_update_inodeblock (ip=0xc12c1800, bp=0xc30a5ff0, waitfor=0) at /mnt/rpc/src/sys/ufs/ffs/ffs_softdep.c:3813
#8  0xc022d62a in ffs_update (vp=0xc819c3c0, waitfor=0) at /mnt/rpc/src/sys/ufs/ffs/ffs_inode.c:106
#9  0xc0235ca2 in ffs_sync (mp=0xc1263a00, waitfor=2, cred=0xc0614600, p=0xc03003c0) at /mnt/rpc/src/sys/ufs/ffs/ffs_vfsops.c:1025
#10 0xc01aaf6b in sync (p=0xc03003c0, uap=0x0) at /mnt/rpc/src/sys/kern/vfs_syscalls.c:577
#11 0xc0179042 in boot (howto=256) at /mnt/rpc/src/sys/kern/kern_shutdown.c:235
#12 0xc01796f5 in panic (fmt=0xc02b5fa3 "Forced by the panic key") at /mnt/rpc/src/sys/kern/kern_shutdown.c:595
#13 0xc02621eb in scgetc (sc=0xc02ffc80, flags=2) at /mnt/rpc/src/sys/dev/syscons/syscons.c:3175
#14 0xc025eeed in sckbdevent (thiskbd=0xc02f8720, event=0, arg=0xc02ffc80) at /mnt/rpc/src/sys/dev/syscons/syscons.c:617
#15 0xc02569cf in atkbd_intr (kbd=0xc02f8720, arg=0x0) at /mnt/rpc/src/sys/dev/kbd/atkbd.c:464
#16 0xc027e434 in atkbd_isa_intr (arg=0xc02f8720) at /mnt/rpc/src/sys/isa/atkbd_isa.c:140
#17 0xc01755df in idle_poll () at /mnt/rpc/src/sys/kern/kern_poll.c:270

-- 
Peter Jeremy
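Review bot: the guard in the boot() hunk protects only this one call site; the dereference the trace actually lands on, ffs_softdep.c:266 `lk->lkt_held = CURPROC->p_pid;`, is left unchanged, so if acquire_lock() is reached from the idle context by any route other than sync() -> ffs_sync() -> ffs_update() -> softdep_update_inodeblock() during the panic sync, it will still fault. Consider either making acquire_lock() itself tolerate a NULL CURPROC or, if that is deliberately left alone, saying so in the new comment, which at present reads "make softupdates happy" rather than naming the lkt_held owner bookkeeping that needs a process. As the message notes, the hunk's whitespace is corrupted, so it will need regenerating before it applies cleanly.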