Sporadic crashes in the vmware_fs driver #36
Description
The current vmware_fs implementation seems to be quite buggy, and fails under extensive usage:
Crash 1:
PANIC: Unexpected exception "General Protection Exception" occurred in kernel mode! Error code: 0x0
stack trace for thread 2553 "cp"
kernel stack: 0xffffffff81bd5000 to 0xffffffff81bda000
user stack: 0x00007f4cad8c1000 to 0x00007f4cae8c1000
frame caller <image>:function + offset
…
11 ffffffff81bd95e0 (+ 240) ffffffff800ab0f7 <kernel_x86_64> panic + 0xb7
12 ffffffff81bd96d0 (+ 224) ffffffff801502b8 <kernel_x86_64> x86_unexpected_exception + 0x168
13 ffffffff81bd97b0 (+ 872) ffffffff8014692c <kernel_x86_64> int_bottom + 0x80
kernel iframe at 0xffffffff81bd9b18 (end = 0xffffffff81bd9be0)
rax 0xffffffff81bd3c90 rbx 0xffffffff9a09a520 rcx 0x0
rdx 0x9 rsi 0xffffffff9a09a520 rdi 0x64616f6c6e776f64
rbp 0xffffffff81bd9c00 r8 0x0 r9 0x6f8
r10 0x0 r11 0xffffffff8e19d000 r12 0xffffffff9a09a520
r13 0xffffffff9a304000 r14 0xffffffff9a35f938 r15 0xffffffff9a304000
rip 0xffffffff81bc2b0d rsp 0xffffffff81bd9be0 rflags 0x10202
vector: 0xd, error code: 0x0
14 ffffffff81bd9b18 (+ 232) ffffffff81bc2b0d </boot/system/add-ons/kernel/file_systems/vmwfs> VMWNode::~VMWNode() + 0x57
15 ffffffff81bd9c00 (+ 32) ffffffff81bc2b27 </boot/system/add-ons/kernel/file_systems/vmwfs> VMWNode::~VMWNode() + 0x11
16 ffffffff81bd9c20 (+ 64) ffffffff81bc2e41 </boot/system/add-ons/kernel/file_systems/vmwfs> VMWNode::DeleteChildIfExists(char const*) + 0x55
17 ffffffff81bd9c60 (+ 32) ffffffff81bc3e5d </boot/system/add-ons/kernel/file_systems/vmwfs> vmwfs_remove_vnode(fs_volume*, fs_vnode*, bool) + 0x38
18 ffffffff81bd9c80 (+ 64) ffffffff800fad65 <kernel_x86_64> free_vnode(vnode*, bool) + 0x185
19 ffffffff81bd9cc0 (+ 80) ffffffff800fb47c <kernel_x86_64> dec_vnode_ref_count(vnode*, bool, bool) + 0x2ac
20 ffffffff81bd9d10 (+ 144) ffffffff800fd696 <kernel_x86_64> vnode_path_to_vnode(vnode*, char*, bool, int, io_context*, vnode**, long*) + 0x156
21 ffffffff81bd9da0 (+ 80) ffffffff800fdd9c <kernel_x86_64> () + 0x3c
22 ffffffff81bd9df0 (+ 48) ffffffff80104d51 <kernel_x86_64> common_path_read_stat(int, char*, bool, stat*, bool) + 0x21
23 ffffffff81bd9e20 (+ 256) ffffffff801094d5 <kernel_x86_64> _user_read_stat + 0x135
24 ffffffff81bd9f20 (+ 16) ffffffff80146c38 <kernel_x86_64> x86_64_syscall_entry + 0xfe
Crash 2:
PANIC: vm_page_fault: unhandled page fault in kernel space at 0xffffffff0072616e, ip 0xffffffff81c40e1a
Welcome to Kernel Debugging Land...
Thread 2577 "python3" running on CPU 0
stack trace for thread 2577 "python3"
kernel stack: 0xffffffff81c53000 to 0xffffffff81c58000
user stack: 0x00007f86153f9000 to 0x00007f86163f9000
frame caller <image>:function + offset
…
4 ffffffff81c575d0 (+ 240) ffffffff800ab0f7 <kernel_x86_64> panic + 0xb7
5 ffffffff81c576c0 (+ 240) ffffffff80132420 <kernel_x86_64> vm_page_fault + 0x260
6 ffffffff81c577b0 (+ 64) ffffffff8014feb0 <kernel_x86_64> x86_page_fault_exception + 0x160
7 ffffffff81c577f0 (+ 888) ffffffff8014692c <kernel_x86_64> int_bottom + 0x80
kernel iframe at 0xffffffff81c57b68 (end = 0xffffffff81c57c30)
rax 0xffffffff99f262d0 rbx 0xffffffff99f262d0 rcx 0xe
rdx 0x4 rsi 0xffffffff99f262d0 rdi 0xffffffff9a103758
rbp 0xffffffff81c57c60 r8 0x0 r9 0x38
r10 0x0 r11 0xffffffff8e19d000 r12 0xffffffff99f262d0
r13 0x0 r14 0xffffffff9a103758 r15 0xffffffff00726166
rip 0xffffffff81c40e1a rsp 0xffffffff81c57c30 rflags 0x10282
vector: 0xe, error code: 0x0
8 ffffffff81c57b68 (+ 248) ffffffff81c40e1a </boot/system/add-ons/kernel/file_systems/vmwfs> VMWNode::DeleteChildIfExists(char const*) + 0x2e
9 ffffffff81c57c60 (+ 32) ffffffff81c41e5d </boot/system/add-ons/kernel/file_systems/vmwfs> vmwfs_remove_vnode(fs_volume*, fs_vnode*, bool) + 0x38
10 ffffffff81c57c80 (+ 64) ffffffff800fad65 <kernel_x86_64> free_vnode(vnode*, bool) + 0x185
11 ffffffff81c57cc0 (+ 80) ffffffff800fb47c <kernel_x86_64> dec_vnode_ref_count(vnode*, bool, bool) + 0x2ac
12 ffffffff81c57d10 (+ 144) ffffffff800fd6f6 <kernel_x86_64> vnode_path_to_vnode(vnode*, char*, bool, int, io_context*, vnode**, long*) + 0x1b6
13 ffffffff81c57da0 (+ 80) ffffffff800fdd9c <kernel_x86_64> () + 0x3c
14 ffffffff81c57df0 (+ 48) ffffffff80104d51 <kernel_x86_64> common_path_read_stat(int, char*, bool, stat*, bool) + 0x21
15 ffffffff81c57e20 (+ 256) ffffffff801094d5 <kernel_x86_64> _user_read_stat + 0x135
16 ffffffff81c57f20 (+ 16) ffffffff80146c38 <kernel_x86_64> x86_64_syscall_entry + 0xfe
Crash 3:
vm_page_fault: vm_soft_fault returned error 'Bad address' on fault at 0x8, ip 0xffffffff81fe1ee3, write 0, user 0, thread 0x936
PANIC: vm_page_fault: unhandled page fault in kernel space at 0x8, ip 0xffffffff81fe1ee3
stack trace for thread 2358 "bash"
kernel stack: 0xffffffff81fc2000 to 0xffffffff81fc7000
user stack: 0x00007fa1ca357000 to 0x00007fa1cb357000
frame caller <image>:function + offset
…
11 ffffffff81fc6790 (+ 240) ffffffff800ab0f7 <kernel_x86_64> panic + 0xb7
12 ffffffff81fc6880 (+ 240) ffffffff80132420 <kernel_x86_64> vm_page_fault + 0x260
13 ffffffff81fc6970 (+ 64) ffffffff8014feb0 <kernel_x86_64> x86_page_fault_exception + 0x160
14 ffffffff81fc69b0 (+ 904) ffffffff8014692c <kernel_x86_64> int_bottom + 0x80
kernel iframe at 0xffffffff81fc6d38 (end = 0xffffffff81fc6e00)
rax 0xffffffff9a01e770 rbx 0xffffffff9a01e770 rcx 0x73
rdx 0x0 rsi 0xffffffff99ff401a rdi 0xffffffff9a01e5f0
rbp 0xffffffff81fc6e30 r8 0x3 r9 0x38
r10 0x0 r11 0x1f4 r12 0xffffffff99ff401a
r13 0x0 r14 0xffffffff9a0c5e18 r15 0xffffffff9a0c5e18
rip 0xffffffff81fe1ee3 rsp 0xffffffff81fc6e00 rflags 0x10282
vector: 0xe, error code: 0x0
15 ffffffff81fc6d38 (+ 248) ffffffff81fe1ee3 </boot/system/add-ons/kernel/file_systems/vmwfs> VMWNode::GetChild(char const*) + 0x73
16 ffffffff81fc6e30 (+ 80) ffffffff81fe113a </boot/system/add-ons/kernel/file_systems/vmwfs> vmwfs_read_dir(fs_volume*, fs_vnode*, void*, dirent*, unsigned long, unsigned int*) + 0x79
17 ffffffff81fc6e80 (+ 64) ffffffff800fdbae <kernel_x86_64> dir_read(io_context*, file_descriptor*, dirent*, unsigned long, unsigned int*) + 0x4e
18 ffffffff81fc6ec0 (+ 96) ffffffff800ec0d6 <kernel_x86_64> _user_read_dir + 0xd6
19 ffffffff81fc6f20 (+ 16) ffffffff80146c38 <kernel_x86_64> x86_64_syscall_entry + 0xfe
The problem seems to be in the VMWNode children management logic, it looks like some nodes are used after their memory has been freed.