NetBSD Problem Report #56045

From www@netbsd.org  Mon Mar  8 18:44:13 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id F09E61A9217
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  8 Mar 2021 18:44:12 +0000 (UTC)
Message-Id: <20210308184411.6267A1A923A@mollari.NetBSD.org>
Date: Mon,  8 Mar 2021 18:44:11 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: uvideo apparently causes kernel memory corruption
X-Send-Pr-Version: www-1.0

>Number:         56045
>Category:       kern
>Synopsis:       uvideo apparently causes kernel memory corruption
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Mar 08 18:45:00 +0000 2021
>Originator:     coypu
>Release:        NetBSD 9.99.80
>Organization:
>Environment:
NetBSD planets 9.99.80 NetBSD 9.99.80 (GENERIC) #3: Tue Feb 23 15:23:21 IST 2021  fly@planets:/bracket/obj/sys/arch/amd64/compile/GENERIC amd64

>Description:
I was using a fancy uvideo @ xhci, using firefox and Jitsi:
uvideo0 at uhub2 port 4 configuration 1 interface 0: vendor 046d (0x046d) BRIO 4K Stream Edition (0x086b), rev 3.10/3.17, addr 2
video0 at uvideo0: vendor 046d (0x046d) BRIO 4K Stream Edition (0x086b), rev 3.10/3.17, addr 2
The video froze. I disconnected the USB cable, reconnected (it was fine so far) and tried to restart the frozen video - that's when it panicked.
video0: detached
uvideo0: detached
uvideo0: at uhub2 port 4 (addr 2) disconnected
uaudio0: detached
uaudio0: at uhub2 port 4 (addr 2) disconnected
uhid0: detached
uhidev0: detached
uhidev0: at uhub2 port 4 (addr 2) disconnected
panic: kernel diagnostic assertion "!RB_SENTINEL_P(tree->rbt_root)" failed: file "/bracket/repo/src/sys/arch/x86/x86/pmap.c", line 2194 
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x156
__x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
pmap_lookup_pv() at netbsd:pmap_lookup_pv+0x1ae
pmap_remove_pte() at netbsd:pmap_remove_pte+0x12c
pmap_remove() at netbsd:pmap_remove+0x167
uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x28a
sys_munmap() at netbsd:sys_munmap+0x69
syscall() at netbsd:syscall+0x23e
--- syscall (number 73) ---
netbsd:syscall+0x23e:
cpu0: End traceback...
Some info from gdb:
(gdb) frame 4
#4  0xffffffff80538508 in pmap_lookup_pv (pmap=pmap@entry=0xfffff40884d4ee00, ptp=ptp@entry=0xffffab0000c1ed00, old_pp=old_pp@entry=0xffffab0001e621d8, va=va@entry=139916092821504) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:2194
2194		KASSERT(!RB_SENTINEL_P(tree->rbt_root));
(gdb) display tree->rbt_root
1: tree->rbt_root = (struct rb_node *) 0x0
(gdb) bt full
(Trimming "optimized out", __func__, unnecessary frames)

#4  0xffffffff80538508 in pmap_lookup_pv (pmap=pmap@entry=0xfffff40884d4ee00, ptp=ptp@entry=0xffffab0000c1ed00, old_pp=old_pp@entry=0xffffab0001e621d8, va=va@entry=139916092821504) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:2194
        tree = 0xffffab0000c1ed58
#5  0xffffffff8053b8b2 in pmap_remove_pte (va=139916092821504, pte=<optimized out>, ptp=0xffffab0000c1ed00, pmap=0xfffff40884d4ee00) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4087
        pp = 0xffffab0001e621d8
        opte = 9223372042687001703
#6  pmap_remove_pte (pmap=0xfffff40884d4ee00, ptp=0xffffab0000c1ed00, pte=<optimized out>, va=139916092821504) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4023
#7  0xffffffff8053f444 in pmap_remove_ptes (endva=139916094603264, startva=<optimized out>, ptpva=<optimized out>, ptp=0xffffab0000c1ed00, pmap=0xfffff40884d4ee00) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4007
#8  pmap_remove_locked (eva=139916094603264, sva=<optimized out>, pmap=0xfffff40884d4ee00) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4160
        ptes = 0xffffe38000000000
        pde = 5219426407
        pdes = 0xffffffff818cd440 <normal_pdes>
        blkendva = 139916094603264
        va = 139916092760064
        ptp = 0xffffab0000c1ed00
        pmap2 = 0x0
        lvl = 1
#9  pmap_remove (pmap=0xfffff40884d4ee00, sva=<optimized out>, eva=139916094603264) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4186
No locals.
#10 0xffffffff80c533e9 in uvm_unmap_remove (map=map@entry=0xfffff4088419adf8, start=<optimized out>, end=139916094603264, entry_list=entry_list@entry=0xffffab0154220f78, flags=flags@entry=0) at /bracket/repo/src/sys/uvm/uvm_map.c:2255
        entry = 0xfffff408d7199040
        first_entry = 0x0
        next = 0xfffff4089848f100
        len = 1843200
#11 0xffffffff80c585c6 in sys_munmap (l=<optimized out>, uap=<optimized out>, retval=<optimized out>) at /bracket/repo/src/sys/uvm/uvm_mmap.c:540
        addr = 139916092760064
        size = 1843200
        map = 0xfffff4088419adf8
        dead_entries = 0x0
#12 0xffffffff8054508e in sy_call (rval=0xffffab0154220fb0, uap=0xffffab0154221000, l=0xfffff408c2de3280, sy=0xffffffff81883078 <sysent+1752>) at /bracket/repo/src/sys/sys/syscallvar.h:65
#13 sy_invoke (code=73, rval=0xffffab0154220fb0, uap=0xffffab0154221000, l=0xfffff408c2de3280, sy=0xffffffff81883078 <sysent+1752>) at /bracket/repo/src/sys/sys/syscallvar.h:94
#14 syscall (frame=0xffffab0154221000) at /bracket/repo/src/sys/arch/x86/x86/syscall.c:138
        callp = 0xffffffff81883078 <sysent+1752>
        l = 0xfffff408c2de3280
        code = 73
        rval = {0, 0}

>How-To-Repeat:

>Fix:
