NetBSD Problem Report #54257

From www@netbsd.org  Sat Jun  1 00:24:34 2019
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 32ACE7A158
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  1 Jun 2019 00:24:34 +0000 (UTC)
Message-Id: <20190601002432.D3ABD7A1F1@mollari.NetBSD.org>
Date: Sat,  1 Jun 2019 00:24:32 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: panic in invlpg
X-Send-Pr-Version: www-1.0

>Number:         54257
>Category:       port-amd64
>Synopsis:       panic in invlpg
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-amd64-maintainer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 01 00:25:00 +0000 2019
>Closed-Date:    Sat Jun 01 12:42:10 +0000 2019
>Last-Modified:  Sat Jun 01 12:42:10 +0000 2019
>Originator:     coypu
>Release:        NetBSD 8.99.42
>Organization:
>Environment:
NetBSD plu 8.99.42 NetBSD 8.99.42 (GENERIC) #14: Fri May 31 17:04:01 IDT 2019  fly@plu:/home/fly/obj/sys/arch/amd64/compile/GENERIC amd64

>Description:
I ran 'audioctl -a' which apparently tries autoloading modules.

Hand transcribed...

fatal protection fault in supervisor mode
invlpg() at netbsd:invlpg+0x15
pmap_update() at netbsd:pmap_update+0x26
uvm_map_protect() at netbsd:uvm_map_protect+0x1ff
kobj_affix() at netbsd:kobj_affix+0x149
module_do_load() at netbsd:module_do_load+0x5de
module_autoload() at netbsd:module_autoload+0xa6
hdaudio_findvendor_stub
hdafg_getdev
audioioctl
sys_ioctl
syscall



cpuctl output:
cpu0: highest basic info 00000016
cpu0: highest extended info 80000008
cpu0: "Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz"
cpu0: Intel 6th gen Core, Xeon E3-1[25]00 v5 (Skylake) (686-class), 2592.61 MHz
cpu0: family 0x6 model 0x5e stepping 0x3 (id 0x506e3)
cpu0: features 0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE>
cpu0: features 0xbfebfbff<MCA,CMOV,PAT,PSE36,CLFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2>
cpu0: features 0xbfebfbff<SS,HTT,TM,SBF>
cpu0: features1 0x7ffafbbf<SSE3,PCLMULQDQ,DTES64,MONITOR,DS-CPL,VMX,EST,TM2>
cpu0: features1 0x7ffafbbf<SSSE3,SDBG,FMA,CX16,xTPR,PDCM,PCID,SSE41,SSE42>
cpu0: features1 0x7ffafbbf<X2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,OSXSAVE,AVX>
cpu0: features1 0x7ffafbbf<F16C,RDRAND>
cpu0: features2 0x2c100800<SYSCALL/SYSRET,XD,P1GB,RDTSCP,EM64T>
cpu0: features3 0x121<LAHF,LZCNT,PREFETCHW>
cpu0: features5 0x29c6fbf<FSGSBASE,TSCADJUST,SGX,BMI1,HLE,AVX2,SMEP,BMI2,ERMS>
cpu0: features5 0x29c6fbf<INVPCID,RTM,FPUCSDS,MPX,RDSEED,ADX,SMAP,CLFLUSHOPT>
cpu0: features5 0x29c6fbf<PT>
cpu0: features7 0x9c000000<IBRS,STIBP,L1D_FLUSH,SSBD>
cpu0: xsave features 0x1f<x87,SSE,AVX,BNDREGS,BNDCSR>
cpu0: xsave instructions 0xf<XSAVEOPT,XSAVEC,XGETBV,XSAVES>
cpu0: xsave area size: current 832, maximum 1088, xgetbv enabled
cpu0: enabled xsave 0x7<x87,SSE,AVX>
cpu0: I-cache 32KB 64B/line 8-way, D-cache 32KB 64B/line 8-way
cpu0: L2 cache 256KB 64B/line 4-way
cpu0: L3 cache 6MB 64B/line 12-way
cpu0: 64B prefetching
cpu0: ITLB 64 4KB entries 8-way, 2M/4M: 8 entries
cpu0: DTLB 64 4KB entries 4-way
cpu0: L2 STLB 1536 4KB entries 6-way
cpu0: L1 1GB page DTLB 4 1GB entries 4-way
cpu0: Initial APIC ID 0
cpu0: Cluster/Package ID 0
cpu0: Core ID 0
cpu0: SMT ID 0
cpu0: MONITOR/MWAIT extensions 0x3<EMX,IBE>
cpu0: monitor-line size 64
cpu0: C1 substates 2
cpu0: C2 substates 1
cpu0: C3 substates 2
cpu0: C4 substates 4
cpu0: C5 substates 1
cpu0: C6 substates 1
cpu0: C7 substates 1
cpu0: DSPM-eax 0x27f7<DTS,IDA,ARAT,PLN,ECMD,PTM,HWP,HWP_NOTIFY,HWP_ACTWIN>
cpu0: DSPM-eax 0x27f7<HWP_EPP,HDC>
cpu0: DSPM-ecx 0x9<HWF,EPB>
cpu0: SEF highest subleaf 00000000
cpu0: Perfmon-eax 0x7300404<VERSION=0x4,GPCounter=0x4,GPBitwidth=0x30>
cpu0: Perfmon-eax 0x7300404<Vectorlen=0x7>
cpu0: Perfmon-edx 0x603<FixedFunc=0x3,FFBitwidth=0x30>
cpu0: microcode version 0xc6, platform ID 5

>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: coypu@sdf.org
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: port-amd64/54257: panic in invlpg
Date: Sat, 1 Jun 2019 00:38:49 +0000

 This can be also reproduced with 'modload hdaudioverbose'.

From: "Maxime Villard" <maxv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/54257 CVS commit: src/sys/arch/x86/x86
Date: Sat, 1 Jun 2019 08:12:26 +0000

 Module Name:	src
 Committed By:	maxv
 Date:		Sat Jun  1 08:12:26 UTC 2019

 Modified Files:
 	src/sys/arch/x86/x86: pmap.c

 Log Message:
 Fix two bugs in pmap_write_protect():

  * The mask should be ~PAGE_MASK, not PTE_FRAME. PTE_FRAME eliminates the
    higher bits, and that's not wanted.
  * The computation of tva is incorrect: if the VA is in kernel space we
    must take the canonical hole into account, and here we were not.

 We've had these bugs basically forever. It meant that uvm_km_protect()
 would never flush the correct VA, and a stale TLB entry would persist.

 Fixes PR/54257. Since I added PCID support we execute invpcid in invlpg(),
 and invpcid triggers a #GP if the address is non canonical, contrary to
 invlpg. The wrong computation of the VA during a modload happened to hit
 the canonical hole.


 To generate a diff of this commit:
 cvs rdiff -u -r1.333 -r1.334 src/sys/arch/x86/x86/pmap.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Sat, 01 Jun 2019 08:18:40 +0000
State-Changed-Why:
I could reproduce the problem on my machine, and it should now be fixed. Please
confirm.

Basically, there was a bug in pmap_write_protect(), and PCID made it visible;
before PCID, invlpg would silently ignore the incorrect VA.


State-Changed-From-To: feedback->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Sat, 01 Jun 2019 12:42:10 +0000
State-Changed-Why:
Works for me as well. Thanks for the quick fix!


>Unformatted:
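
The two miscalculations named in the commit message above, worked through on constructed addresses. This is an added example, not code from pmap.c or from the commit. The PTE_FRAME value, the 48-bit address layout, the helper names and the sample addresses are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed amd64 layout: 4 KB pages, 48-bit virtual addresses. */
#define PAGE_SIZE  0x1000ULL
#define PAGE_MASK  (PAGE_SIZE - 1)
#define PTE_FRAME  0x000ffffffffff000ULL /* assumed value: PTE frame bits 12..51 */
#define VA_BIT47   (1ULL << 47)
#define VA_HIGH    0xffff000000000000ULL /* bits 63..48 */

/* Canonical means bits 63..48 are all copies of bit 47. */
static bool va_is_canonical(uint64_t va)
{
    return (va & VA_HIGH) == ((va & VA_BIT47) ? VA_HIGH : 0);
}

/* Page-truncate a VA with the wrong mask and with the right one. */
static uint64_t trunc_pte_frame(uint64_t va) { return va & PTE_FRAME; }
static uint64_t trunc_page_mask(uint64_t va) { return va & ~PAGE_MASK; }

/* Index of the page within the 48-bit space (hypothetical helper). */
static uint64_t page_index(uint64_t va) { return (va & ~VA_HIGH) / PAGE_SIZE; }

/* Rebuild a VA from that index, without and with sign extension. */
static uint64_t va_from_index_raw(uint64_t idx) { return idx * PAGE_SIZE; }
static uint64_t va_from_index(uint64_t idx)
{
    uint64_t va = idx * PAGE_SIZE;
    return (va & VA_BIT47) ? (va | VA_HIGH) : va;
}

static void show(const char *what, uint64_t va)
{
    printf("%-22s %016llx %s\n", what, (unsigned long long)va,
        va_is_canonical(va) ? "canonical" : "NON-CANONICAL (invpcid: #GP)");
}

int main(void)
{
    uint64_t kva = 0xffffffff80200123ULL; /* constructed kernel-half VA */
    uint64_t uva = 0x00007f7ff7e01abcULL; /* constructed user-half VA */

    show("kva & PTE_FRAME", trunc_pte_frame(kva));
    show("kva & ~PAGE_MASK", trunc_page_mask(kva));
    show("index, no sign ext", va_from_index_raw(page_index(kva)));
    show("index, sign extended", va_from_index(page_index(kva)));
    show("uva & PTE_FRAME", trunc_pte_frame(uva));
    return 0;
}
```

For the user-half address both masks give the same canonical result; only kernel-half addresses end up in the canonical hole.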
