NetBSD Problem Report #55708

From snow@datagirl.xyz  Fri Oct  9 08:25:49 2020
Return-Path: <snow@datagirl.xyz>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id C2DF81A9239
	for <gnats-bugs@gnats.NetBSD.org>; Fri,  9 Oct 2020 08:25:49 +0000 (UTC)
Date: Fri, 09 Oct 2020 01:23:30 -0700
From: snow flurry <snow@datagirl.xyz>
Reply-To: snow flurry <snow@datagirl.xyz>
To: gnats-bugs@NetBSD.org
Subject: Panic when using poll(2) with wsmouse
X-Send-Pr-Version: 3.95

>Number:         55708
>Category:       kern
>Synopsis:       poll(2) causes a panic when a wsmouse is detached and reattached
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 09 08:30:00 +0000 2020
>Originator:     snow flurry
>Release:        NetBSD 9.99.73
>Organization:
>Environment:
System: NetBSD patchouli 9.99.73 NetBSD 9.99.73 (GENERIC) #0: Wed Sep 23 00:52:49 UTC 2020 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
When a wsmouse is being polled, then detached and reattached before
poll reaches its timeout (or, if timeout == -1, is interrupted), the
kernel panics with the following:

[ 4612.8673727] panic: kernel diagnostic assertion "sip->sel_lwp == l" failed: file "/home/source/ab/HEAD/src/sys/kern/sys_select.c", line 839
[ 4612.8673727] cpu0: Begin traceback...
[ 4612.8673727] vpanic() at netbsd:vpanic+0x156
[ 4612.8673727] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
[ 4612.8673727] selclear() at netbsd:selclear+0xd2
[ 4612.8673727] sel_do_scan() at netbsd:sel_do_scan+0x251
[ 4612.8673727] pollcommon() at netbsd:pollcommon+0xcc
[ 4612.8673727] sys_poll() at netbsd:sys_poll+0x69
[ 4612.8673727] syscall() at netbsd:syscall+0x23e
[ 4612.8673727] --- syscall (number 209) ---
[ 4612.8673727] netbsd:syscall+0x23e:
[ 4612.8673727] cpu0: End traceback...
[ 4612.8673727] fatal breakpoint trap in supervisor mode
[ 4612.8673727] trap type 1 code 0 rip 0xffffffff80221a25 cs 0x8 rflags 0x202 cr2 0x70e995942000 ilevel 0x8 rsp 0xffff8b015036cc60
[ 4612.8673727] curlwp 0xffffbd5323f0f280 pid 8138.8138 lowest kstack 0xffff8b01503682c0

>How-To-Repeat:
This can be done in X11 using xf86-input-mouse connected to two pointer
devices, but I wasn't able to find the specific sequence to reliably
cause the panic. The code at https://termbin.com/91m5 has reliably
caused this issue to occur using a USB mouse and the following steps:

1. With the mouse plugged in, start the program and cause some events
   to occur (ex. move the mouse, click one of the buttons)
2. Unplug the mouse and quickly plug it back in. The device must be
   reattached before poll() returns, every five seconds.

I've also had luck with setting the poll timeout on line 33 to -1, and
interrupting the program with ^C once the device is reattached.

>Fix:
