From owner-freebsd-current@freebsd.org  Thu Jul 23 23:07:19 2015
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 802669A9672
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Thu, 23 Jul 2015 23:07:19 +0000 (UTC)
 (envelope-from pluknet@gmail.com)
Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::50:5])
 by mx1.freebsd.org (Postfix) with ESMTP id 6301C10AD
 for <freebsd-current@freebsd.org>; Thu, 23 Jul 2015 23:07:19 +0000 (UTC)
 (envelope-from pluknet@gmail.com)
Received: by mailman.ysv.freebsd.org (Postfix)
 id 5FB989A9671; Thu, 23 Jul 2015 23:07:19 +0000 (UTC)
Delivered-To: current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5F4DB9A9670
 for <current@mailman.ysv.freebsd.org>; Thu, 23 Jul 2015 23:07:19 +0000 (UTC)
 (envelope-from pluknet@gmail.com)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com
 [IPv6:2a00:1450:400c:c05::22d])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 1367410AB;
 Thu, 23 Jul 2015 23:07:18 +0000 (UTC)
 (envelope-from pluknet@gmail.com)
Received: by wibxm9 with SMTP id xm9so4907816wib.0;
 Thu, 23 Jul 2015 16:07:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=NVqvIH2GlcDYfAEQKHKvfitD8uEId6Xxa+Dr6g26dNs=;
 b=kzQs4+qWgV39uzzilMYZBDL+tdHY5JLBqFW6ijuj911p68wlt9u4TWHB6i4Farv7MP
 mumacq7X4w7sn3zbQPW6J3RE5XhGz/gNEvD/MXTukLMP+rO6SC1ftz2SPbMTpNMFuy4s
 bgew2dj75WfEhUEYQ1CPz3OCWTE746daZSqSSpUCHo+S7ROffML5o8d1cZ5FZCdlolvc
 3cnsQTNQae6vd/FvQ7qcaDBhk65aP0YA73T9hCu0ZFp4uT9qm/TCIWJ6AX5ncWdxriP8
 yvyhxFXoJ67hr+kAKbYN58j+Xy6QEfKu84bVwgpADpENUGONgd5FOKIW49EWYUQ6udzx
 UW+g==
MIME-Version: 1.0
X-Received: by 10.194.82.167 with SMTP id j7mr20332640wjy.123.1437692837213;
 Thu, 23 Jul 2015 16:07:17 -0700 (PDT)
Received: by 10.27.100.214 with HTTP; Thu, 23 Jul 2015 16:07:17 -0700 (PDT)
In-Reply-To: <201507232224.t6NMOPuX010901@gw.catspoiler.org>
References: <201507232224.t6NMOPuX010901@gw.catspoiler.org>
Date: Fri, 24 Jul 2015 02:07:17 +0300
Message-ID: <CAE-mSOJGF947byOMHW3H9ymybKKxsfysE9kBjTJq6G80oh6TSw@mail.gmail.com>
Subject: Re: null pointer dereference panic in cap_rights_contains() on
 11.0-CURRENT r285785 amd64
From: Sergey Kandaurov <pluknet@gmail.com>
To: Don Lewis <truckman@freebsd.org>
Cc: current <current@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 23:07:19 -0000

On 24 July 2015 at 01:24, Don Lewis <truckman@freebsd.org> wrote:
> I just got this panic while using poudriere to build packages for
> FreeBSD 8.4 i386.
[..]
> db> bt
> Tracing pid 78211 tid 101405 td 0xfffff80139td29a0
> cap_rights_contains() at cap_rights_contains+0x24/frame
> 0xfffffe005acc772d0
> cap_check() at cap_check+0x15/frame 0xfffffe005acc7800
> fget_unlocked() at fget_unlocked+0xca/frame 0xfffffe005acc7870
> fget() at fget+0x2b/frame 0xfffffe005acc78a0
> ksem_get at ksem_get+0x1e/frame 0xfffffe05acc78e0
> sys_ksem_close() at sys_ksem_close+0x23/frame 0xfffffe005acc7920
> ia32_syscall() at ia32_syscall+0x2a5/frame 0xfffffe005acc7a30
> Xint0x00_syscall() at Xint0x00_syscall+0x95/frame 0xfffffe00acc7a30
> --- syscall (400, FreeBSD ELF32, sys_ksem_close), rip = 0x2828676b, rsp
> = 0xffffc60c, rbp = 0xffffc628 ---
>
>

Looks like this was missed after r284442.

Index: kern/uipc_sem.c
===================================================================
--- kern/uipc_sem.c    (revision 285723)
+++ kern/uipc_sem.c    (working copy)
@@ -651,12 +651,13 @@
 int
 sys_ksem_close(struct thread *td, struct ksem_close_args *uap)
 {
+    cap_rights_t rights;
     struct ksem *ks;
     struct file *fp;
     int error;

     /* No capability rights required to close a semaphore. */
-    error = ksem_get(td, uap->id, 0, &fp);
+    error = ksem_get(td, uap->id, cap_rights_init(&rights), &fp);
     if (error)
         return (error);
     ks = fp->f_data;
@@ -872,12 +873,13 @@
 int
 sys_ksem_destroy(struct thread *td, struct ksem_destroy_args *uap)
 {
+    cap_rights_t rights;
     struct file *fp;
     struct ksem *ks;
     int error;

     /* No capability rights required to close a semaphore. */
-    error = ksem_get(td, uap->id, 0, &fp);
+    error = ksem_get(td, uap->id, cap_rights_init(&rights), &fp);
     if (error)
         return (error);
     ks = fp->f_data;


-- 
wbr,
pluknet