[Bug 265362] nmount() "snapshot" without "update" causes a kernel page fault panic

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 21 Jul 2022 17:39:10 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265362

            Bug ID: 265362
           Summary: nmount() "snapshot" without "update" causes a kernel
                    page fault panic
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

ffs_snapshot() assumes that the file system is already mounted, since
it dereferences mp->mnt_data (via VFSTOUFS(mp)). That's the case if a
snapshot is asked for with the MNT_UPDATE flag. But if a program calls
nmount() with "snapshot" but no "update", ffs_snapshot() will be
called with a NULL mnt_data.

You can see the crash by commenting out the "update" line in
mksnap_ffs.c, or by running this as root:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/mount.h>
#include <sys/uio.h>

int
main(void)
{
  /* nmount(2) takes its options as (name, value) iovec pairs; each string
   * is NUL-terminated, so iov_len counts the terminator. */
  struct iovec iov[10];
  iov[0].iov_base = "fstype";
  iov[0].iov_len = 7;
  iov[1].iov_base = "ffs";
  iov[1].iov_len = 4;
  iov[2].iov_base = "fspath";
  iov[2].iov_len = 7;
  iov[3].iov_base = "/";
  iov[3].iov_len = 2;
  iov[4].iov_base = "snapshot";   /* asks ffs_mount() to call ffs_snapshot() */
  iov[4].iov_len = 9;
  iov[5].iov_base = "";
  iov[5].iov_len = 1;
  iov[6].iov_base = "from";
  iov[6].iov_len = 5;
  iov[7].iov_base = "x";
  iov[7].iov_len = 2;
  /* No "update" pair: MNT_UPDATE is not set, the request goes through
   * vfs_domount_first(), and ffs_snapshot() sees a NULL mnt_data. */
  nmount(iov, 8, 0);
  return 0;
}

panic: Fatal page fault at 0xffffffc0004d94f2: 0x00000000000038
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1a4
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x38
ffs_snapshot() at ffs_snapshot+0x52
ffs_mount() at ffs_mount+0x372
vfs_domount_first() at vfs_domount_first+0x18c
vfs_domount() at vfs_domount+0x208
vfs_donmount() at vfs_donmount+0x742
sys_nmount() at sys_nmount+0x5e
syscallenter() at syscallenter+0xec
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
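The guard this report implies ffs_mount() lacks, as an added example that is neither the reporter's code nor FreeBSD's actual fix: it treats the nmount(2) option list as the same (name, value) iovec pairs as the reproducer, looks options up the way vfs_getopt(9) does, and rejects a "snapshot" request that did not arrive with "update"/MNT_UPDATE. The names opt_present, check_snapshot_request, PAIR and simulate_mount are hypothetical, and MNT_UPDATE is redefined locally so the file builds outside FreeBSD.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/uio.h>

/* FreeBSD's MNT_UPDATE value, redefined so this builds on any POSIX host. */
#define MNT_UPDATE_FLAG 0x00010000

/* Find option `name` in an nmount(2)-style iovec array of NUL-terminated
 * (name, value) pairs, like vfs_getopt(9).  Returns 0 if present, else ENOENT. */
static int
opt_present(const struct iovec *iov, unsigned niov, const char *name)
{
	for (unsigned i = 0; i + 1 < niov; i += 2)
		if (iov[i].iov_len == strlen(name) + 1 &&
		    strcmp(iov[i].iov_base, name) == 0)
			return 0;
	return ENOENT;
}

/* Hypothetical guard for ffs_mount(): a snapshot only makes sense against a
 * file system that is already mounted, so "snapshot" must come with MNT_UPDATE
 * (from the flags, or from the "update" option that vfs_donmount() turns into
 * MNT_UPDATE).  Otherwise ffs_snapshot() would dereference a NULL mnt_data,
 * which is the page fault in this report.  Returns 0 or EINVAL. */
static int
check_snapshot_request(const struct iovec *iov, unsigned niov, int flags)
{
	if (opt_present(iov, niov, "snapshot") != 0)
		return 0;                   /* no snapshot requested: nothing to check */
	if ((flags & MNT_UPDATE_FLAG) == 0 && opt_present(iov, niov, "update") != 0)
		return EINVAL;              /* the reporter's case: reject before ffs_snapshot() */
	return 0;
}

/* Append one (name, value) pair; sizeof() of a literal includes the NUL. */
#define PAIR(k, v) do { iov[n].iov_base = (k); iov[n].iov_len = sizeof(k); n++; \
                        iov[n].iov_base = (v); iov[n].iov_len = sizeof(v); n++; } while (0)

/* Build the reporter's option list, optionally with the "update" pair that
 * mksnap_ffs sends, and run the guard on it with flags 0 as in the reproducer. */
int
simulate_mount(int with_update)
{
	struct iovec iov[10];
	unsigned n = 0;
	PAIR("fstype", "ffs"); PAIR("fspath", "/");
	PAIR("snapshot", ""); PAIR("from", "x");
	if (with_update)
		PAIR("update", "");
	return check_snapshot_request(iov, n, 0);
}
```

simulate_mount(0) is the reporter's request and returns EINVAL; simulate_mount(1) is the mksnap_ffs shape and returns 0.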
