Mailing List Archive

From:: Martin Pieuchot <mpi@openbsd.org>
Subject:: Re: Don't unlock vnode(9) in fifo_read() and fifo_write()
To:: Vitaliy Makkoveev <mvs@openbsd.org>
Cc:: tech@openbsd.org
Date:: Thu, 18 Apr 2024 11:42:09 +0200

Download raw body.

Thread

2024-04-16 14:30 Claudio Jeker:
Don't unlock vnode(9) in fifo_read() and fifo_write()
- 2024-04-17 15:33 Vitaliy Makkoveev:
  Don't unlock vnode(9) in fifo_read() and fifo_write()
- - 2024-04-18 09:42 Martin Pieuchot:
    Don't unlock vnode(9) in fifo_read() and fifo_write()
  - - 2024-04-18 09:52 Claudio Jeker:
      Don't unlock vnode(9) in fifo_read() and fifo_write()
    - - 2024-04-18 11:07 Martin Pieuchot:
        Don't unlock vnode(9) in fifo_read() and fifo_write()

On 17/04/24(Wed) 18:33, Vitaliy Makkoveev wrote:
> On Tue, Apr 16, 2024 at 04:30:08PM +0200, Claudio Jeker wrote:
> > On Tue, Apr 16, 2024 at 04:15:05PM +0300, Vitaliy Makkoveev wrote:
> > > I suspect syzkaller reported panics [1] and [2] happened because sockets
> > > were closed due vnode(9) lock release.

How did you come to this conclusion?

The bug is a NULL dereference:

uvm_fault(0xfffffd806d2c9780, 0x8, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      fifo_write+0x4e:        movq    0x8(%rax),%r12

I don't have the same assembly here, but the offset 0x8 seems to correspond
the `a_uio' field.   So the argument passed to fifo_write() is NULL.

How can it be NULL?

2024-04-16 14:30 Claudio Jeker:
Don't unlock vnode(9) in fifo_read() and fifo_write()
- 2024-04-17 15:33 Vitaliy Makkoveev:
  Don't unlock vnode(9) in fifo_read() and fifo_write()
- - 2024-04-18 09:42 Martin Pieuchot:
    Don't unlock vnode(9) in fifo_read() and fifo_write()
  - - 2024-04-18 09:52 Claudio Jeker:
      Don't unlock vnode(9) in fifo_read() and fifo_write()
    - - 2024-04-18 11:07 Martin Pieuchot:
        Don't unlock vnode(9) in fifo_read() and fifo_write()