The following reply was made to PR kern/169947; it has been noted by GNATS.
From: Jaakko Heinonen <[email protected]> To: Filip Palian <[email protected]> Cc: [email protected] Subject: Re: misc/169947: System crash via ioctl() on mdctl. Date: Wed, 18 Jul 2012 16:33:39 +0300 On 2012-07-17, Filip Palian wrote: > User who has read permission on "/dev/mdctl" is able to crash the > system (also within the jail if only provided by devfs(.rules)) via > ioctl() handler in "/usr/src/sys/dev/md/md.c:1082". The crash occures > in function swap_release_by_cred() (swap_pager.c:285) called in > vm_object_deallocate() (md.c:1119). Some detailed information included > below. > > Patch attached with submission follows: > > #include <stdio.h> > #include <stdlib.h> I couldn't reproduce the problem with your test program on current or stable/9: $ ./mdtest.orig say goodnight... ioctl(MDIOCATTACH) failed: Invalid argument no +r no fun I tried to modify the test program with following changes but still no success. %%% --- mdtest.c 2012-07-18 16:13:34.000000000 +0300 +++ mdtest.c 2012-07-18 16:17:05.000000000 +0300 @@ -21,7 +21,8 @@ s.md_version = MDIOVERSION; // s.md_type = MD_SWAP; s.md_type = MD_PRELOAD; - s.md_options = MD_CLUSTER | MD_AUTOUNIT | MD_COMPRESS; + s.md_base = -1; + s.md_options = MD_AUTOUNIT; // typedef long long = int64 = off_t //s.md_mediasize = 4096*1000000000000000000000000000000000000000000000000000; %%% $ ./mdtest say goodnight... no +r no fun A new md device is successfully created. Are you sure that you attached the correct test program and you didn't have local patches applied to your kernel? -- Jaakko _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "[email protected]"
