Date: Fri, 24 Jul 2015 01:09:34 +0200 From: Mateusz Guzik <mjguzik@gmail.com> To: Sergey Kandaurov <pluknet@gmail.com> Cc: Don Lewis <truckman@freebsd.org>, current <current@freebsd.org> Subject: Re: null pointer dereference panic in cap_rights_contains() on 11.0-CURRENT r285785 amd64 Message-ID: <20150723230934.GA12297@dft-labs.eu> In-Reply-To: <CAE-mSOJGF947byOMHW3H9ymybKKxsfysE9kBjTJq6G80oh6TSw@mail.gmail.com> References: <201507232224.t6NMOPuX010901@gw.catspoiler.org> <CAE-mSOJGF947byOMHW3H9ymybKKxsfysE9kBjTJq6G80oh6TSw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Jul 24, 2015 at 02:07:17AM +0300, Sergey Kandaurov wrote:
> On 24 July 2015 at 01:24, Don Lewis <truckman@freebsd.org> wrote:
> > I just got this panic while using poudriere to build packages for
> > FreeBSD 8.4 i386.
> [..]
> > db> bt
> > Tracing pid 78211 tid 101405 td 0xfffff80139td29a0
> > cap_rights_contains() at cap_rights_contains+0x24/frame
> > 0xfffffe005acc772d0
> > cap_check() at cap_check+0x15/frame 0xfffffe005acc7800
> > fget_unlocked() at fget_unlocked+0xca/frame 0xfffffe005acc7870
> > fget() at fget+0x2b/frame 0xfffffe005acc78a0
> > ksem_get at ksem_get+0x1e/frame 0xfffffe05acc78e0
> > sys_ksem_close() at sys_ksem_close+0x23/frame 0xfffffe005acc7920
> > ia32_syscall() at ia32_syscall+0x2a5/frame 0xfffffe005acc7a30
> > Xint0x00_syscall() at Xint0x00_syscall+0x95/frame 0xfffffe00acc7a30
> > --- syscall (400, FreeBSD ELF32, sys_ksem_close), rip = 0x2828676b, rsp
> > = 0xffffc60c, rbp = 0xffffc628 ---
> >
> >
>
> Looks like this was missed after r284442.
>
> Index: kern/uipc_sem.c
> ===================================================================
> --- kern/uipc_sem.c (revision 285723)
> +++ kern/uipc_sem.c (working copy)
> @@ -651,12 +651,13 @@
> int
> sys_ksem_close(struct thread *td, struct ksem_close_args *uap)
> {
> + cap_rights_t rights;
> struct ksem *ks;
> struct file *fp;
> int error;
>
> /* No capability rights required to close a semaphore. */
> - error = ksem_get(td, uap->id, 0, &fp);
> + error = ksem_get(td, uap->id, cap_rights_init(&rights), &fp);
> if (error)
> return (error);
> ks = fp->f_data;
> @@ -872,12 +873,13 @@
> int
> sys_ksem_destroy(struct thread *td, struct ksem_destroy_args *uap)
> {
> + cap_rights_t rights;
> struct file *fp;
> struct ksem *ks;
> int error;
>
> /* No capability rights required to close a semaphore. */
> - error = ksem_get(td, uap->id, 0, &fp);
> + error = ksem_get(td, uap->id, cap_rights_init(&rights), &fp);
> if (error)
> return (error);
> ks = fp->f_data;
>
>
Correct, please commit.
--
Mateusz Guzik <mjguzik gmail.com>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150723230934.GA12297>