Date: Wed, 18 Jul 2012 13:50:03 GMT From: Jaakko Heinonen <jh@FreeBSD.org> To: freebsd-bugs@FreeBSD.org Subject: Re: misc/169947: System crash via ioctl() on mdctl. Message-ID: <201207181350.q6IDo3j8046469@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/169947; it has been noted by GNATS. From: Jaakko Heinonen <jh@FreeBSD.org> To: Filip Palian <filip.palian@pjwstk.edu.pl> Cc: bug-followup@FreeBSD.org Subject: Re: misc/169947: System crash via ioctl() on mdctl. Date: Wed, 18 Jul 2012 16:33:39 +0300 On 2012-07-17, Filip Palian wrote: > User who has read permission on "/dev/mdctl" is able to crash the > system (also within the jail if only provided by devfs(.rules)) via > ioctl() handler in "/usr/src/sys/dev/md/md.c:1082". The crash occures > in function swap_release_by_cred() (swap_pager.c:285) called in > vm_object_deallocate() (md.c:1119). Some detailed information included > below. > > Patch attached with submission follows: > > #include <stdio.h> > #include <stdlib.h> I couldn't reproduce the problem with your test program on current or stable/9: $ ./mdtest.orig say goodnight... ioctl(MDIOCATTACH) failed: Invalid argument no +r no fun I tried to modify the test program with following changes but still no success. %%% --- mdtest.c 2012-07-18 16:13:34.000000000 +0300 +++ mdtest.c 2012-07-18 16:17:05.000000000 +0300 @@ -21,7 +21,8 @@ s.md_version = MDIOVERSION; // s.md_type = MD_SWAP; s.md_type = MD_PRELOAD; - s.md_options = MD_CLUSTER | MD_AUTOUNIT | MD_COMPRESS; + s.md_base = -1; + s.md_options = MD_AUTOUNIT; // typedef long long = int64 = off_t //s.md_mediasize = 4096*1000000000000000000000000000000000000000000000000000; %%% $ ./mdtest say goodnight... no +r no fun A new md device is successfully created. Are you sure that you attached the correct test program and you didn't have local patches applied to your kernel? -- Jaakko
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201207181350.q6IDo3j8046469>