Bug 195767 - [unionfs] unionfs_relookup_for_delete passing null pointer to strlen
Summary: [unionfs] unionfs_relookup_for_delete passing null pointer to strlen
Status: Closed Not Accepted
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 10.1-RELEASE
Hardware: i386 Any
: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-07 05:27 UTC by Mahmoud Al-Qudsi
Modified: 2014-12-24 00:56 UTC (History)
1 user (show)

See Also:

Attachments
backtrace screenshot (360.28 KB, image/jpeg)
2014-12-07 05:27 UTC, Mahmoud Al-Qudsi 		no flags Details
panic screenshot (313.69 KB, image/jpeg)
2014-12-07 05:29 UTC, Mahmoud Al-Qudsi 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mahmoud Al-Qudsi 2014-12-07 05:27:53 UTC 
Created attachment 150294 [details]
backtrace screenshot

This is a bug that may have been present in earlier versions of FreeBSD, but since upgrading to FreeBSD 10.1-RELEASE I can regularly reproduce.

The environment is a custom live CD, configured with a preloaded ufs.gz base bootstrap image that mounts a ufs.uzip file as the new root, creates a malloc-based virtual disk, and overlays it over the existing RO ufs.uzip image via unionfs.

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address= 0x0
fault code= supervisor read, page not present
...
current process= 2626 (rmdir)

[ thread pid 2626 tid 100065 ]
Stopped at strlen+0xd: movl 0(%ecx),%eax

db> bt
tracing pid 2626 tid 100065 td 0xc8dfe620
strlen(0,....
unionfs_rerelookup_for_delete
unionfs_rmdir
VOP_RMDIR_APV
kern_rmdirat
sys_rmdir
syscall
Xinit0x80_syscall()
--- syscall (137, FreeBSD ELF32, sys_rmdir)
Comment 1 Mahmoud Al-Qudsi 2014-12-07 05:29:08 UTC 
Created attachment 150295 [details]
panic screenshot
Comment 2 Mahmoud Al-Qudsi 2014-12-24 00:56:32 UTC 
Caused by kernel module mismatch.