NetBSD Problem Report #52676
From www@NetBSD.org Mon Oct 30 19:49:52 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id B2F3A7A1DB
for <gnats-bugs@gnats.NetBSD.org>; Mon, 30 Oct 2017 19:49:52 +0000 (UTC)
Message-Id: <20171030194951.935F27A1F7@mollari.NetBSD.org>
Date: Mon, 30 Oct 2017 19:49:51 +0000 (UTC)
From: n54@gmx.com
Reply-To: n54@gmx.com
To: gnats-bugs@NetBSD.org
Subject: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on 8.99.3 [syzkaller]
X-Send-Pr-Version: www-1.0
>Number: 52676
>Category: kern
>Synopsis: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on 8.99.3 [syzkaller]
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Oct 30 19:50:00 +0000 2017
>Last-Modified: Wed Feb 13 09:50:00 +0000 2019
>Originator: Kamil Rytarowski
>Release: NetBSD 8.99.3
>Organization:
TNF
>Environment:
NetBSD 8.99.3 NetBSD 8.99.3 (GENERIC) #0: Sat
Sep 30 12:34:57 IST 2017
utkarsh@utkarsh-GP62-6QE:/extra/amd64/sys/arch/amd64/compile/GENERIC
amd64
>Description:
panic: kernel diagnostic assertion "pmap->pm_obj[i].uo_npages == 0"
failed: file "/extra/netbsd-src/sys/arch/x86/x86/pmap.c", line 2368
cpu1: Begin traceback...
vpanic() at netbsd:vpanic+0x140
ch_voltag_convert_in() at netbsd:ch_voltag_convert_in
pmap_destroy() at netbsd:pmap_destroy+0x265
pmap_pp_remove() at netbsd:pmap_pp_remove+0x27a
uvm_anon_dispose() at netbsd:uvm_anon_dispose+0x11f
uvm_anon_freelst() at netbsd:uvm_anon_freelst+0x35
amap_wipeout() at netbsd:amap_wipeout+0x133
uvm_unmap_detach() at netbsd:uvm_unmap_detach+0x44
uvmspace_free() at netbsd:uvmspace_free+0xf4
exit1() at netbsd:exit1+0x1a0
sys_exit() at netbsd:sys_exit+0x3d
syscall() at netbsd:syscall+0x1d8
--- syscall (number 1) ---
Reported by Dmitry Vyukov (google), found by syzkaller.
>How-To-Repeat:
1. Build syz-execprog from google/syzkaller
2. Fetch reproducer.
https://gist.githubusercontent.com/dvyukov/13a6f173306c00ebbb3552ce689b566f/raw/9e35a7ff8e572963c30e5ea5c372d30badf94212/gistfile1.txt
3. Spawn a machine with >= 4 cores with hw assisted virtualization (qemu-kvm)
4. ./syz-execprog -procs=8 -repeat=0 prog
where prog is the fetched gistfile1.txt
///
This is not reproducible by myself with softemu in qemu and it looks like a race.
>Fix:
N/A
>Audit-Trail:
From: Utkarsh Anand <uanand009@gmail.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Subject: Re: kern/52676: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on
8.99.3 [syzkaller]
Date: Tue, 31 Oct 2017 08:15:06 +0530
I reproduced the result on Virtualbox using the same image that Dmitry is using.
You can access some important information from:
http://ftp.netbsd.org/pub/NetBSD/misc/utkarsh009/syzkaller/NetBSD_crash.tar.gz
After crashing 2-3 times, it completely crippled the VM and it
couldn't even boot.
Interestingly, it doesn't crash this VM:
utkarsh# uname -a
NetBSD utkarsh.localhost 7.99.71 NetBSD 7.99.71 (XEN3_DOM0) #1: Sat
Jun 10 13:41:43 IST 2017
root@utkarsh-GP62-6QE:/extra/obj/sys/arch/amd64/compile/XEN3_DOM0
amd64
Regards,
Utkarsh Anand
From: Utkarsh Anand <utkarsh009@yandex.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/52676: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on 8.99.3 [syzkaller]
Date: Tue, 31 Oct 2017 08:17:49 +0530
I reproduced the result on Virtualbox using the same image that Dmitry is using.
You can access some important information from:
http://ftp.netbsd.org/pub/NetBSD/misc/utkarsh009/syzkaller/NetBSD_crash.tar.gz
After crashing 2-3 times, it completely crippled the VM and it couldn't even boot.
Interestingly, it doesn't crash this VM:
utkarsh# uname -a
NetBSD utkarsh.localhost 7.99.71 NetBSD 7.99.71 (XEN3_DOM0) #1: Sat Jun 10 13:41:43 IST 2017 root@utkarsh-GP62-6QE:/extra/obj/sys/arch/amd64/compile/XEN3_DOM0 amd64
Regards,
Utkarsh Anand
From: Kamil Rytarowski <n54@gmx.com>
To: gnats-bugs@NetBSD.org, Dmitry Vyukov <dvyukov@google.com>
Cc:
Subject: Re: kern/52676: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on
8.99.3 [syzkaller]
Date: Tue, 31 Oct 2017 04:51:02 +0100
Dmitry,
Can you reproduce the panic with fresh HEAD kernel?
1. HEAD kernel can be fetched from our releng builds:
http://nycdn.netbsd.org/pub/NetBSD-daily/HEAD/
please check the most recent date
path amd64/binary/kernel/netbsd-GENERIC.gz
2. The NetBSD kernel can be built with ./build.sh kernel=GENERIC using
this example mirror:
https://github.com/netbsd/src
To finalize the upgrade process please replace the old kernel with the new
one in /netbsd in the guest and reboot.
HEAD also has fixed the hanging issue.
I will enhance the NetBSD readme section in syzkaller to describe how to
prepare the kernel, environment etc., similar to the Linux documentation.
From: David Holland <dholland-bugs@netbsd.org>
To: Utkarsh Anand <uanand009@gmail.com>
Cc: gnats-bugs@netbsd.org
Subject: Re: kern/52676: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on
8.99.3 [syzkaller]
Date: Mon, 11 Feb 2019 16:16:20 +0000
On Tue, Oct 31, 2017 at 08:15:06AM +0530, Utkarsh Anand wrote:
> After crashing 2-3 times, it completely crippled the VM and it
> couldn't even boot.
Crippled how? File system corruption? Please file another PR on this.
--
David A. Holland
dholland@netbsd.org
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/52676: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on
8.99.3 [syzkaller]
Date: Mon, 11 Feb 2019 16:50:53 +0000
On Mon, Feb 11, 2019 at 04:20:01PM +0000, David Holland wrote:
> On Tue, Oct 31, 2017 at 08:15:06AM +0530, Utkarsh Anand wrote:
> > After crashing 2-3 times, it completely crippled the VM and it
> > couldn't even boot.
>
> Crippled how? File system corruption? Please file another PR on this.
Oops, didn't notice this was from a year and a half ago. If you still
have any information along these lines, please send it along...
--
David A. Holland
dholland@netbsd.org
From: Utkarsh Anand <uanand009@gmail.com>
To: David Holland <dholland-bugs@netbsd.org>
Cc: gnats-bugs@netbsd.org
Subject: Re: kern/52676: Kernel assert "pmap->pm_obj[i].uo_npages == 0" on
8.99.3 [syzkaller]
Date: Wed, 13 Feb 2019 15:19:31 +0530
I don’t see how this is relatable to me anymore. Besides, this isn’t
something that’s very hard to reproduce. Although, I would say that this
attitude is appreciable, given that some of your fellow socialists don’t
hesitate while admitting that there’s no incentive for working under a
socialist environment. You know the excuses, don’t you?
PS: Some just prefer not replying at all! Who’s going to waste time on
excuses?
On Mon, 11 Feb 2019 at 9:46 PM, David Holland <dholland-bugs@netbsd.org>
wrote:
> On Tue, Oct 31, 2017 at 08:15:06AM +0530, Utkarsh Anand wrote:
> > After crashing 2-3 times, it completely crippled the VM and it
> > couldn't even boot.
>
> Crippled how? File system corruption? Please file another PR on this.
>
> --
> David A. Holland
> dholland@netbsd.org
>
--
Regards,
Utkarsh Anand
Copyright © 1994-2017
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.