NetBSD Problem Report #55280

From www@netbsd.org  Wed May 20 05:39:15 2020
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 294B21A9227
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 20 May 2020 05:39:15 +0000 (UTC)
Message-Id: <20200520053914.2ECB31A9228@mollari.NetBSD.org>
Date: Wed, 20 May 2020 05:39:14 +0000 (UTC)
From: netbsd@eq.cz
Reply-To: netbsd@eq.cz
To: gnats-bugs@NetBSD.org
Subject: panic: kernel diagnostic assertion "c->c_magic == CALLOUT_MAGIC" failed
X-Send-Pr-Version: www-1.0

>Number:         55280
>Category:       kern
>Synopsis:       panic: kernel diagnostic assertion "c->c_magic == CALLOUT_MAGIC" failed
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 20 05:40:00 +0000 2020
>Last-Modified:  Wed May 20 09:40:02 +0000 2020
>Originator:     rudolf
>Release:        netbsd-8
>Organization:
>Environment:
NetBSD 8.2_STABLE amd64
>Description:
With kernel compiled on 2020-05-18 from a fresh netbsd-8 branch and with older userland from the same branch, probably compiled in February, I've encountered the following panic:

panic: kernel diagnostic assertion "c->c_magic == CALLOUT_MAGIC" failed: file "/usr/src/sys/kern/kern_timeout.c", line 474 
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x140
ch_voltag_convert_in() at netbsd:ch_voltag_convert_in
callout_halt() at netbsd:callout_halt+0x1fa
linux_cancel_delayed_work_callout() at netbsd:linux_cancel_delayed_work_callout+0x46
linux_cancel_delayed_work_sync() at netbsd:linux_cancel_delayed_work_sync+0xa2
__i915_add_request() at netbsd:__i915_add_request+0x186
i915_gem_do_execbuffer.isra.24() at netbsd:i915_gem_do_execbuffer.isra.24+0xf5a
i915_gem_execbuffer2() at netbsd:i915_gem_execbuffer2+0xc5
drm_ioctl() at netbsd:drm_ioctl+0x12e
sys_ioctl() at netbsd:sys_ioctl+0x101
syscall() at netbsd:syscall+0x1d8
--- syscall (number 54) ---
733942eff14a:
cpu0: End traceback...
uvm_fault(0xfffffe841864a300, 0x0, 2) -> e

fatal page fault in supervisor mode
dumping to dev 20,1 (offset=2152151, size=4170107):
trap type 6 code 0x2 rip 0xffffffff808f64cb cs 0x8 rflags 0x10286 cr2 0x84 ilevel 0x8 rsp 0xffff80013df78dd0
dump curlwp 0xfffffe8414979a00 pid 4701.12 lowest kstack 0xffff80013df742c0
Skipping crash dump on recursive panic
panic: wddump: polled command has been queued
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x140
snprintf() at netbsd:snprintf
wddump() at netbsd:wddump+0x295
cgd_dumpblocks() at netbsd:cgd_dumpblocks+0x89
dk_dump() at netbsd:dk_dump+0x16d
dump_header_flush() at netbsd:dump_header_flush+0x53
dump_header_addbytes() at netbsd:dump_header_addbytes+0x40
dump_header_addseg() at netbsd:dump_header_addseg+0x1e
dump_seg_iter() at netbsd:dump_seg_iter+0xd2
cpu_dump() at netbsd:cpu_dump+0x6a
dodumpsys() at netbsd:dodumpsys+0xfb
dumpsys() at netbsd:dumpsys+0x1d
vpanic() at netbsd:vpanic+0x149
ch_voltag_convert_in() at netbsd:ch_voltag_convert_in
callout_halt() at netbsd:callout_halt+0x1fa
linux_cancel_delayed_work_callout() at netbsd:linux_cancel_delayed_work_callout+0x46
linux_cancel_delayed_work_sync() at netbsd:linux_cancel_delayed_work_sync+0xa2
__i915_add_request() at netbsd:__i915_add_request+0x186
i915_gem_do_execbuffer.isra.24() at netbsd:i915_gem_do_execbuffer.isra.24+0xf5a
i915_gem_execbuffer2() at netbsd:i915_gem_execbuffer2+0xc5
drm_ioctl() at netbsd:drm_ioctl+0x12e
sys_ioctl() at netbsd:sys_ioctl+0x101
syscall() at netbsd:syscall+0x1d8
--- syscall (number 54) ---
733942eff14a:
cpu0: End traceback...
rebooting...

>How-To-Repeat:

>Fix:

>Audit-Trail:
From: coypu@sdf.org
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/55280: panic: kernel diagnostic assertion "c->c_magic ==
 CALLOUT_MAGIC" failed
Date: Wed, 20 May 2020 09:36:59 +0000

 Hmm. I was about to note that the functions in this backtrace are the
 same ones affected by CVE-2019-0155 / CVE-2019-0154.

 It seems that I haven't applied the fix to netbsd-8, though.
