NetBSD Problem Report #52864
From www@NetBSD.org Tue Dec 26 01:13:20 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 7E6E77A174
for <gnats-bugs@gnats.NetBSD.org>; Tue, 26 Dec 2017 01:13:20 +0000 (UTC)
Message-Id: <20171226011319.8104C7A1F3@mollari.NetBSD.org>
Date: Tue, 26 Dec 2017 01:13:19 +0000 (UTC)
From: venture37@geeklan.co.uk
Reply-To: venture37@geeklan.co.uk
To: gnats-bugs@NetBSD.org
Subject: executing luactl after creating a Lua state causes panic
X-Send-Pr-Version: www-1.0
>Number: 52864
>Category: kern
>Synopsis: executing luactl after creating a Lua state causes panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: martin
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Dec 26 01:15:01 +0000 2017
>Closed-Date: Tue Dec 26 17:31:15 +0000 2017
>Last-Modified: Sun Feb 25 23:00:01 +0000 2018
>Originator: Sevan Janiyan
>Release: NetBSD-8.0
>Organization:
>Environment:
>Description:
Executing luactl results in a panic rather than listing current states in kernel after creating a state.
trap: kernel write DSI trap @ 0xfdc010d0 by 0xe232cdc8 (DSISR 0x42000000, err=14), lr 0xe232cdb4
panic: trap
stopped in pid 435.1 (luactl) at netbsd:vpanic+0x140: addi r4, r0, 0x0
0x10289a20: at panic+0x4c
0x10289a60: at trap+0x430
0x12089af0: kernel DSI write trap @ 0xfdc010d0 by luaioctl+0x55c: srr1=0x9032 r1=0x10289bc0 cr=0x24000402 xer=0 ctr=0x12f5dc dsisr=0x42000000
0x10289bc0: at luaioctl+0x544
0x10289cf0: at VOP_IOCTL+0x40
0x10289d20: at vn_ioctl+0xb4
0x10289df0: at sys_ioctl+0x118
0x10289eb0: at syscall+0x274
0x10289f20: user SC trap #54 by 0xfde52bf4: srr1=0xd032 r1=0xffffe970 cr=0x44000408 xer=0x20000000 ctr=0xfde52bec
Photo
https://pbs.twimg.com/media/DR7pLIvXcAE1Jc0.jpg:orig
Confirmed issue on macppc builds of NetBSD 8.0_BETA from the 24th, 8.99.7 and yesterday's 8.99.9 build.
Unable to recreate issue on i386.
>How-To-Repeat:
modload lua
luactl create state1
luactl
>Fix:
>Release-Note:
>Audit-Trail:
From: Paul Goyette <paul@whooppee.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: port-macppc/52864: executing luactl after creating a Lua state
causes panic
Date: Tue, 26 Dec 2017 09:48:30 +0800 (+08)
> ...
> Confirmed issue on macppc builds of NetBSD 8.0_BETA from the 24th,
> 8.99.7 and yesterday's 8.99.9 build.
> Unable to recreate issue on i386.
I also tried this on amd64-8.99.9 (sources updated on 2017-12-25 at
01:49:22 UTC) and cannot reproduce.
From: Sevan Janiyan <venture37@geeklan.co.uk>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: port-macppc/52864: executing luactl after creating a Lua state
causes panic
Date: Tue, 26 Dec 2017 04:35:15 +0000
In src/sbin/luactl/luactl.c, the function getinfo()[1] calls LUAINFO
with ioctl() and if the number of states in the kernel is greater than
0, it allocates memory based on that number with calloc() and calls
ioctl() again, with the same parameters. Upon the second call is where
the crash happens.
From the lua kernel module side, handling the LUAINFO ioctl with
luaioctl()[2] seems to be the case of stepping through the list of
states and copying out their details with copyoutstr().
If I only call ioctl once in my test, after calloc(), I'm able to fetch
the number of states before the program crashes, the system still stays up.
I will try and put together a test using ioctls using something else to
rule out the lua module.
[1] https://nxr.netbsd.org/xref/src/sbin/luactl/luactl.c#120
[2] https://nxr.netbsd.org/xref/src/sys/modules/lua/lua.c#299
Sevan
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: port-macppc/52864: executing luactl after creating a Lua state
causes panic
Date: Tue, 26 Dec 2017 12:52:53 +0100
The lua ioctl mixes up user and kernel pointers, it crashes on all
architectures that have a separate kernel address space.
How about adding an atf test that just does what you did (if modload
is allowed) so we'll exercise it as part of regular test runs?
Martin
From: Sevan Janiyan <venture37@geeklan.co.uk>
To: "gnats-bugs@NetBSD.org" <gnats-bugs@NetBSD.org>
Cc:
Subject: Re: port-macppc/52864: executing luactl after creating a Lua state causes panic
Date: Tue, 26 Dec 2017 12:29:49 +0000
> On 26 Dec 2017, at 11:55, Martin Husemann <martin@duskware.de> wrote:
>
> How about adding an atf test that just does what you did (if modload
> is allowed) so we'll exercise it as part of regular test runs?
Sure, no problem.
Thanks for the explanation of what's happening.
Sevan
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52864 CVS commit: src/sys/modules/lua
Date: Tue, 26 Dec 2017 12:43:59 +0000
Module Name: src
Committed By: martin
Date: Tue Dec 26 12:43:59 UTC 2017
Modified Files:
src/sys/modules/lua: lua.c
Log Message:
Fix cargo cult ioctl implementation for LUAINFO: the name and desc fields
are arrays, not pointers, so don't use copyoutstr on them, but instead
copyin/copyout the whole array of structures.
Fixes PR 52864 for me (on sparc64).
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/sys/modules/lua/lua.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
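The pattern named in the commit message above (fill the array of structures in kernel memory, then transfer it with one checked copy), modelled in userland as an added example; it is not the NetBSD lua.c code. The struct layout, the sizes, the offset-based "user address space" and the names `copyout_sim` and `luainfo_sim` are assumptions made for illustration.

```c
/* Userland model of a split user/kernel address space (constructed for
 * illustration; struct layout and sizes are assumptions, not lua.h). */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define NAME_LEN 16
#define DESC_LEN 64
struct state_info { char name[NAME_LEN]; char desc[DESC_LEN]; int user; };
typedef size_t uaddr_t;            /* user address: an offset, never a C pointer */
struct info_req { int num_states; uaddr_t states; };
static unsigned char umem[1024];   /* simulated user address space */

/* The only sanctioned way for "kernel" code to write user memory. */
static int copyout_sim(const void *kaddr, uaddr_t uaddr, size_t len) {
    if (uaddr == 0 || uaddr > sizeof(umem) || len > sizeof(umem) - uaddr)
        return EFAULT;             /* bad user range: error, not a trap */
    memcpy(umem + uaddr, kaddr, len);
    return 0;
}

/* Constructed sample data standing in for the kernel's list of states. */
static const char *kstates[][2] = { {"state1", "first"}, {"state2", "second"} };
#define NSTATES (sizeof(kstates) / sizeof(kstates[0]))

/* Entries are built in kernel memory, then copied out as one array. */
static int luainfo_sim(struct info_req *req) {
    struct state_info kbuf[NSTATES];
    size_t n, want;

    if (req->states == 0) {        /* first call: report the count only */
        req->num_states = (int)NSTATES;
        return 0;
    }
    if (req->num_states < 0) return EINVAL;
    want = (size_t)req->num_states < NSTATES ? (size_t)req->num_states : NSTATES;
    memset(kbuf, 0, sizeof(kbuf)); /* padding and unused bytes go out as zero */
    for (n = 0; n < want; n++) {
        strncpy(kbuf[n].name, kstates[n][0], NAME_LEN - 1);
        strncpy(kbuf[n].desc, kstates[n][1], DESC_LEN - 1);
        kbuf[n].user = 1;
    }
    req->num_states = (int)want;   /* never more than the caller allocated */
    return copyout_sim(kbuf, req->states, want * sizeof(kbuf[0]));
}

int main(void) {                   /* the two-call sequence from the report */
    struct info_req r = { 0, 0 };
    if (luainfo_sim(&r) != 0) return 1;   /* call 1: count */
    r.states = 64;                        /* "user buffer" at offset 64 */
    return luainfo_sim(&r);               /* call 2: fetch */
}
```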
State-Changed-From-To: open->feedback
State-Changed-By: martin@NetBSD.org
State-Changed-When: Tue, 26 Dec 2017 12:45:48 +0000
State-Changed-Why:
Should be fixed, can you confirm on macppc?
From: Sevan Janiyan <venture37@geeklan.co.uk>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: port-macppc/52864 (executing luactl after creating a Lua state
causes panic)
Date: Tue, 26 Dec 2017 16:55:36 +0000
On 26/12/2017 12:45, martin@NetBSD.org wrote:
> Should be fixed, can you confirm on macppc?
Indeed, it is. Will get the unit test together later tonight.
https://pbs.twimg.com/media/DR_MC9LXcAEU-Rw.jpg:orig
Thank you.
Sevan
State-Changed-From-To: feedback->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Tue, 26 Dec 2017 17:31:15 +0000
State-Changed-Why:
Confirmed fixed
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52864 CVS commit: [netbsd-8] src/sys/modules/lua
Date: Sun, 7 Jan 2018 09:27:32 +0000
Module Name: src
Committed By: snj
Date: Sun Jan 7 09:27:32 UTC 2018
Modified Files:
src/sys/modules/lua [netbsd-8]: lua.c
Log Message:
Pull up following revision(s) (requested by sevan in ticket #469):
sys/modules/lua/lua.c: revision 1.24
Fix cargo cult ioctl implementation for LUAINFO: the name and desc fields
are arrays, not pointers, so don't use copyoutstr on them, but instead
copyin/copyout the whole array of structures.
Fixes PR 52864 for me (on sparc64).
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.23.2.1 src/sys/modules/lua/lua.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: venture37@geeklan.co.uk
To: gnats-bugs@NetBSD.org
Cc:
Subject: Add an ATF test for PR 52864
Date: Sun, 7 Jan 2018 20:46:56 +0000 (UTC)
>Submitter-Id: net
>Originator: Sevan Janiyan
>Organization:
>Confidential: no
>Synopsis: Add an ATF test for PR 52864
>Severity: serious
>Priority: medium
>Category: kern
>Class: sw-bug
>Release: NetBSD-HEAD
>Environment: NetBSD 8.0_BETA macppc powerpc
>Description:
Attached test exercises the bug in kLua reported as port-macppc/52864.
I have not been able to perform a full build test due to the lack of resources so it is possible I may have a step with file set lists??
Should the category for this PR be switched to the kern category as the issue was not just port-macppc specific?
>How-To-Repeat:
>Fix:
Index: distrib/sets/lists/tests/module.mi
===================================================================
RCS file: /cvsroot/src/distrib/sets/lists/tests/module.mi,v
retrieving revision 1.12
diff -u -r1.12 module.mi
--- distrib/sets/lists/tests/module.mi 23 Feb 2013 22:01:51 -0000 1.12
+++ distrib/sets/lists/tests/module.mi 7 Jan 2018 20:42:52 -0000
@@ -14,5 +14,6 @@
./usr/tests/modules/k_uvm/k_uvm.kmod tests-sys-tests atf,rump
./usr/tests/modules/t_abi_uvm tests-sys-tests atf,rump
./usr/tests/modules/t_builtin tests-sys-tests atf,rump
+./usr/tests/modules/t_klua_pr_52864 tests-sys-tests atf,rump
./usr/tests/modules/t_modctl tests-sys-tests atf,rump
./usr/tests/modules/t_modload tests-sys-tests atf,rump
Index: tests/modules/t_klua_pr_52864.sh
===================================================================
RCS file: tests/modules/t_klua_pr_52864.sh
diff -N tests/modules/t_klua_pr_52864.sh
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tests/modules/t_klua_pr_52864.sh 7 Jan 2018 20:42:52 -0000
@@ -0,0 +1,55 @@
+#! /usr/bin/atf-sh
+# $NetBSD$
+#
+# Copyright (c) 2018 The NetBSD Foundation, Inc.
+# All rights reserved.
+#
+# This code is derived from software contributed to The NetBSD Foundation
+# by Sevan Janiyan
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+atf_test_case luastate cleanup
+luastate_head() {
+ atf_set "descr" "Test that once lua(4) is loaded and a state is " \
+ "created, system does not crash when listing states" \
+ "(PR port-macppc/52864)"
+ atf_set "require.user" "root"
+}
+
+luastate_body() {
+ sysctl -q kern.lua.verbose
+ if [ $? -eq 1 ]; then
+ atf_check -s eq:0 modload lua
+ fi
+ atf_check -s eq:0 luactl -q create atfluastate
+ atf_check -s eq:0 -o ignore luactl
+}
+
+luastate_cleanup() {
+ modunload lua >/dev/null 2>&1
+}
+
+atf_init_test_cases() {
+ atf_add_test_case luastate
+}
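Review bot: luastate_cleanup() runs `modunload lua` unconditionally, but luastate_body() only calls `modload lua` when the sysctl probe fails, so on a machine where lua was already loaded the test tries to remove a module it did not load. Record in the body whether the test performed the modload (for example with a marker file in the work directory) and unload only in that case. The cleanup also never removes the `atfluastate` state created in the body; if the module stays loaded, a later run may fail at the create step, so a `luactl destroy atfluastate` before the unload would make the test repeatable. Separately, `if [ $? -eq 1 ]` matches only an exit status of exactly 1; `if ! sysctl -q kern.lua.verbose; then` covers any failure of the probe.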
Index: tests/modules/Makefile
===================================================================
RCS file: /cvsroot/src/tests/modules/Makefile,v
retrieving revision 1.12
diff -u -r1.12 Makefile
--- tests/modules/Makefile 23 Jan 2016 21:22:49 -0000 1.12
+++ tests/modules/Makefile 7 Jan 2018 20:42:52 -0000
@@ -17,6 +17,7 @@
TESTS_SH= t_abi_uvm
TESTS_SH+= t_modload
+TESTS_SH+= t_klua_pr_52864
SUBDIR= k_helper
SUBDIR+= k_helper2
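Review bot: style nit on the added `TESTS_SH+= t_klua_pr_52864` line: it is appended after `t_modload`, whereas the module.mi hunk in this same patch inserts the test in alphabetical position, ahead of `t_modctl`. Moving it above `TESTS_SH+= t_modload` keeps the list sorted and the two files consistent.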
Responsible-Changed-From-To: port-macppc-maintainer->martin
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Mon, 08 Jan 2018 09:55:25 +0000
Responsible-Changed-Why:
I fixed it
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52864 CVS commit: src
Date: Mon, 8 Jan 2018 14:17:15 +0000
Module Name: src
Committed By: martin
Date: Mon Jan 8 14:17:15 UTC 2018
Modified Files:
src/distrib/sets/lists/tests: module.mi
src/tests/modules: Makefile
Added Files:
src/tests/modules: t_klua_pr_52864.sh
Log Message:
PR 52864: add a test for this bug, from sevan@
To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/distrib/sets/lists/tests/module.mi
cvs rdiff -u -r1.12 -r1.13 src/tests/modules/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/modules/t_klua_pr_52864.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/52864 CVS commit: [netbsd-7] src/sys/modules/lua
Date: Sun, 25 Feb 2018 22:59:28 +0000
Module Name: src
Committed By: snj
Date: Sun Feb 25 22:59:28 UTC 2018
Modified Files:
src/sys/modules/lua [netbsd-7]: lua.c
Log Message:
Pull up following revision(s) (requested by sevan in ticket #1545):
sys/modules/lua/lua.c: up to 1.24
whitespace, knf, comments, but no functional change
--
lua(4): fixed require
--
plug leak on error. Reported by:
http://www.m00nbsd.net/ae123a9bae03f7dde5c6d654412daf5a.html#Report-4
--
fix double require bug
--
Use aprint*() instead of printf() in xxx_attach().
--
Check pmf_device_register return value. NFC
Appeases static analyzers.
Can't destroy pb until we're done using it.
--
Fix cargo cult ioctl implementation for LUAINFO: the name and desc fields
are arrays, not pointers, so don't use copyoutstr on them, but instead
copyin/copyout the whole array of structures.
Fixes PR 52864 for me (on sparc64).
To generate a diff of this commit:
cvs rdiff -u -r1.13.2.6 -r1.13.2.7 src/sys/modules/lua/lua.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: