NetBSD Problem Report #51393

From www@NetBSD.org  Sat Aug  6 16:07:16 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 1E5DD7A10E
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  6 Aug 2016 16:07:16 +0000 (UTC)
Message-Id: <20160806160714.993917A2AA@mollari.NetBSD.org>
Date: Sat,  6 Aug 2016 16:07:14 +0000 (UTC)
From: max@m00nbsd.net
Reply-To: max@m00nbsd.net
To: gnats-bugs@NetBSD.org
Subject: Reproducible KASSERT in UVM
X-Send-Pr-Version: www-1.0

>Number:         51393
>Category:       kern
>Synopsis:       Reproducible KASSERT in UVM
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Aug 06 16:10:00 +0000 2016
>Closed-Date:    Fri Jul 07 11:04:36 +0000 2023
>Last-Modified:  Fri Jul 07 11:04:36 +0000 2023
>Originator:     Maxime Villard
>Release:        NetBSD-current (7.99.35)
>Organization:
>Environment:
Just a VirtualBox VM, GENERIC amd64.
>Description:
This KASSERTMSG in uvm_map.c is easy to trigger.

2115 	KASSERTMSG(!topdown || hint <= orig_hint, "hint: %jx, orig_hint: %jx",
2116 	    (uintmax_t)hint, (uintmax_t)orig_hint);

The output is:
	hint: 3ff000
	orig_hint: 0
>How-To-Repeat:
The following code triggers the kassert:

#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#define PAGE_SIZE 4096

int main()
{
	char *buf;
	void *addr = (void *)((size_t)-1);
	int ret;

	buf = mmap((void *)PAGE_SIZE, PAGE_SIZE, PROT_READ|PROT_WRITE,
	    MAP_FIXED|MAP_ANON|MAP_PRIVATE,-1,0);
	printf("buf1 = %p\n", buf);

	ret = munmap(NULL, PAGE_SIZE);
	printf("ret = %d\n", ret);

	buf = mmap(addr, PAGE_SIZE, PROT_READ|PROT_WRITE,
	    MAP_TRYFIXED|MAP_ANON|MAP_PRIVATE, -1, 0);
	/* NOTREACHED */
}

$ gcc -o mapnull mapnull.c
$ ./mapnull
buf1 = 0xffffffffffffffff
ret = -1
panic: kernel diagnostic assertion ...



>Fix:
I haven't investigated it.

>Release-Note:

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Sat, 6 Aug 2016 19:57:48 +0200

 Same as kern/51254?

 I am tempted to call it a compiler issue.

 Martin

From: Maxime Villard <max@m00nbsd.net>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
 gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: Martin Husemann <martin@duskware.de>
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Fri, 12 Aug 2016 18:48:23 +0200

 On 06/08/2016 at 20:00, Martin Husemann wrote:
 > The following reply was made to PR kern/51393; it has been noted by GNATS.
 >
 > From: Martin Husemann <martin@duskware.de>
 > To: gnats-bugs@NetBSD.org
 > Cc:
 > Subject: Re: kern/51393: Reproducible KASSERT in UVM
 > Date: Sat, 6 Aug 2016 19:57:48 +0200
 >
 >  Same as kern/51254?

 Apparently, yes.

 >  I am tempted to call it a compiler issue.

 That seems highly unlikely to me. There must be another unrelated issue in
 UVMHIST, or whatever.

 The real bug might be hiding in the way hints work. The code I posted in this
 report generates orig_hint=0, so obviously there is no way for 'hint' to be
 below zero, and the allocation should theoretically fail.

 This 'theoretically' is necessarily wrong, since most of the vm space could be
 available - meaning the allocation should succeed.

From: Michael van Elst <mlelstv@serpens.de>
To: gnats@netbsd.org
Cc: 
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Wed, 16 Aug 2017 00:42:40 +0200

 The address hint is passed through round_page() unless MAP_FIXED is set.
 A value of (void *)-1 is rounded up to 0.

 The assertion that a topdown allocation is below or equal to the "orig_hint"
 (== the rounded up and overflown value) doesn't hold in that case.


 -- 
                                 Michael van Elst
 Internet: mlelstv@serpens.de
                                 "A potential Snark may lurk in every tree."

From: Michael van Elst <mlelstv@serpens.de>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Sun, 29 Apr 2018 19:22:45 +0200

 This patch:

 Index: uvm_mmap.c
 ===================================================================
 RCS file: /cvsroot/src/sys/uvm/uvm_mmap.c,v
 retrieving revision 1.169
 diff -p -u -r1.169 uvm_mmap.c
 --- uvm_mmap.c  19 Dec 2017 18:34:47 -0000      1.169
 +++ uvm_mmap.c  29 Apr 2018 17:16:50 -0000
 @@ -896,7 +896,9 @@ uvm_mmap(struct vm_map *map, vaddr_t *ad
          */

         if ((flags & MAP_FIXED) == 0) {
 -               *addr = round_page(*addr);
 +               vaddr_t naddr;
 +               naddr = round_page(*addr);
 +               *addr = naddr < *addr ? trunc_page(*addr) : naddr;
         } else {
                 if (*addr & PAGE_MASK)
                         return EINVAL;
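
Review bot: the added line "*addr = naddr < *addr ? trunc_page(*addr) : naddr;" carries no comment saying that "naddr < *addr" means round_page() wrapped, and it makes the rounding direction depend on the hint's value: a hint in the topmost page is rounded down while every other hint is still rounded up. A one-line comment above the added lines stating that would help, and the declaration and assignment of naddr could be merged into "vaddr_t naddr = round_page(*addr);". The visible lines also do not show the truncated hint being compared against the map's upper bound, so it is worth confirming that the code after this block handles a hint in the last page of the address space.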

 stops the panic by ensuring that rounding the hint doesn't wrap.

 But I'm wondering why the address hint is actually rounded (up). It's
 probably more correct to truncate for topdown allocation and to round up
 for !topdown allocation. This should also prevent the issue.



 Greetings,
 -- 
                                 Michael van Elst
 Internet: mlelstv@serpens.de
                                 "A potential Snark may lurk in every tree."

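The wrap described by Michael van Elst and the two remedies discussed in this thread, modeled in userland as an added example (not NetBSD kernel code and not part of the original report). The model_* names, the 4096-byte page size and the 64-bit address type are assumptions standing in for round_page(), trunc_page(), PAGE_SIZE and vaddr_t on amd64; the wrap guard in the bottom-up branch of hint_directional() is also an assumption.

```c
/* Userland model of the hint rounding discussed in this PR (not kernel code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t vaddr_model_t;		/* assumption: stands in for amd64 vaddr_t */
#define MODEL_PAGE_SIZE	((vaddr_model_t)4096)
#define MODEL_PAGE_MASK	(MODEL_PAGE_SIZE - 1)

/* Plain mask arithmetic, the same shape as trunc_page()/round_page(). */
static vaddr_model_t model_trunc_page(vaddr_model_t a) { return a & ~MODEL_PAGE_MASK; }
static vaddr_model_t model_round_page(vaddr_model_t a) { return (a + MODEL_PAGE_MASK) & ~MODEL_PAGE_MASK; }

/* Pre-patch behaviour: unconditional round up, which wraps in the last page. */
vaddr_model_t hint_naive(vaddr_model_t hint) { return model_round_page(hint); }

/* Logic of the posted patch: fall back to truncation when rounding wrapped. */
vaddr_model_t hint_guarded(vaddr_model_t hint)
{
	vaddr_model_t n = model_round_page(hint);
	return n < hint ? model_trunc_page(hint) : n;
}

/* Alternative raised in the thread: truncate for topdown, round up otherwise.
 * Reusing the wrap guard for the bottom-up branch is an assumption made here. */
vaddr_model_t hint_directional(vaddr_model_t hint, bool topdown)
{
	return topdown ? model_trunc_page(hint) : hint_guarded(hint);
}

/* The condition checked by the KASSERTMSG quoted in the report. */
bool topdown_invariant(bool topdown, vaddr_model_t hint, vaddr_model_t orig_hint)
{
	return !topdown || hint <= orig_hint;
}

int main(void)
{
	const vaddr_model_t user_hint = UINT64_MAX;	/* (void *)-1 from the reproducer */
	const vaddr_model_t chosen = 0x3ff000;		/* "hint" value printed by the panic */
	vaddr_model_t (*fn[])(vaddr_model_t) = { hint_naive, hint_guarded };
	const char *name[] = { "naive", "guarded" };
	for (int i = 0; i < 2; i++) {
		vaddr_model_t orig = fn[i](user_hint);
		printf("%-8s orig_hint=%#jx invariant=%d\n", name[i],
		    (uintmax_t)orig, topdown_invariant(true, chosen, orig));
	}
	return 0;
}
```
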
From: Valery Ushakov <uwe@stderr.spb.ru>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Tue, 1 Oct 2019 15:46:01 +0300

 On Sun, Apr 29, 2018 at 17:25:01 +0000, Michael van Elst wrote:

 >  But I'm wondering why the address hint is actually rounded (up). It's
 >  probably more correct to truncate for topdown allocation and to round up
 >  for !topdown allocation. This should also prevent the issue.

 Xref kern/54395 where the suggested patch does just that.

 -uwe

From: "Taylor R Campbell" <riastradh@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/51393 CVS commit: src/sys/uvm
Date: Sat, 4 Jun 2022 20:54:54 +0000

 Module Name:	src
 Committed By:	riastradh
 Date:		Sat Jun  4 20:54:53 UTC 2022

 Modified Files:
 	src/sys/uvm: uvm_map.c

 Log Message:
 uvm(9): Fix mmap optimization for topdown case.

 PR kern/51393


 To generate a diff of this commit:
 cvs rdiff -u -r1.395 -r1.396 src/sys/uvm/uvm_map.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Sat, 04 Jun 2022 22:54:33 +0000
State-Changed-Why:
uvm_map.c 1.395, 1.396


State-Changed-From-To: pending-pullups->needs-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 31 Mar 2023 08:34:51 +0000
State-Changed-Why:
pullups were not pending, pullups were needed


State-Changed-From-To: needs-pullups->pending-pullups
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 31 Mar 2023 08:35:35 +0000
State-Changed-Why:
pullup-8 #1815, #1816
pullup-9 #1622, #1623


From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/51393 CVS commit: [netbsd-9] src/sys/uvm
Date: Sat, 1 Apr 2023 16:03:48 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Sat Apr  1 16:03:48 UTC 2023

 Modified Files:
 	src/sys/uvm [netbsd-9]: uvm_map.c

 Log Message:
 Pull up following revision(s) (requested by riastradh in ticket #1623):

 	sys/uvm/uvm_map.c: revision 1.396

 uvm(9): Fix mmap optimization for topdown case.

 PR kern/51393


 To generate a diff of this commit:
 cvs rdiff -u -r1.362.2.3 -r1.362.2.4 src/sys/uvm/uvm_map.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/51393 CVS commit: [netbsd-8] src/sys/uvm
Date: Sat, 1 Apr 2023 16:05:00 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Sat Apr  1 16:05:00 UTC 2023

 Modified Files:
 	src/sys/uvm [netbsd-8]: uvm_map.c

 Log Message:
 Pull up following revision(s) (requested by riastradh in ticket #1816):

 	sys/uvm/uvm_map.c: revision 1.396

 uvm(9): Fix mmap optimization for topdown case.

 PR kern/51393


 To generate a diff of this commit:
 cvs rdiff -u -r1.351.2.4 -r1.351.2.5 src/sys/uvm/uvm_map.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 07 Jul 2023 11:04:36 +0000
State-Changed-Why:
fixed, pulled up


>Unformatted:
