NetBSD Problem Report #56045
From www@netbsd.org Mon Mar 8 18:44:13 2021
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id F09E61A9217
for <gnats-bugs@gnats.NetBSD.org>; Mon, 8 Mar 2021 18:44:12 +0000 (UTC)
Message-Id: <20210308184411.6267A1A923A@mollari.NetBSD.org>
Date: Mon, 8 Mar 2021 18:44:11 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: uvideo apparently causes kernel memory corruption
X-Send-Pr-Version: www-1.0
>Number: 56045
>Category: kern
>Synopsis: uvideo apparently causes kernel memory corruption
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Mar 08 18:45:00 +0000 2021
>Originator: coypu
>Release: NetBSD 9.99.80
>Organization:
>Environment:
NetBSD planets 9.99.80 NetBSD 9.99.80 (GENERIC) #3: Tue Feb 23 15:23:21 IST 2021 fly@planets:/bracket/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
Was using a fancy uvideo @ xhci, using firefox and Jitsi:
uvideo0 at uhub2 port 4 configuration 1 interface 0: vendor 046d (0x046d) BRIO 4K Stream Edition (0x086b), rev 3.10/3.17, addr 2
video0 at uvideo0: vendor 046d (0x046d) BRIO 4K Stream Edition (0x086b), rev 3.10/3.17, addr 2
The video froze. I disconnected the USB cable, reconnected (it was fine so far) and tried to restart the frozen video - that's when it panicked.
video0: detached
uvideo0: detached
uvideo0: at uhub2 port 4 (addr 2) disconnected
uaudio0: detached
uaudio0: at uhub2 port 4 (addr 2) disconnected
uhid0: detached
uhidev0: detached
uhidev0: at uhub2 port 4 (addr 2) disconnected
panic: kernel diagnostic assertion "!RB_SENTINEL_P(tree->rbt_root)" failed: file "/bracket/repo/src/sys/arch/x86/x86/pmap.c", line 2194
cpu0: Begin traceback...
vpanic() at netbsd:vpanic+0x156
__x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
pmap_lookup_pv() at netbsd:pmap_lookup_pv+0x1ae
pmap_remove_pte() at netbsd:pmap_remove_pte+0x12c
pmap_remove() at netbsd:pmap_remove+0x167
uvm_unmap_remove() at netbsd:uvm_unmap_remove+0x28a
sys_munmap() at netbsd:sys_munmap+0x69
syscall() at netbsd:syscall+0x23e
--- syscall (number 73) ---
netbsd:syscall+0x23e:
cpu0: End traceback...
Some info from gdb:
(gdb) frame 4
#4 0xffffffff80538508 in pmap_lookup_pv (pmap=pmap@entry=0xfffff40884d4ee00, ptp=ptp@entry=0xffffab0000c1ed00, old_pp=old_pp@entry=0xffffab0001e621d8, va=va@entry=139916092821504) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:2194
2194 KASSERT(!RB_SENTINEL_P(tree->rbt_root));
(gdb) display tree->rbt_root
1: tree->rbt_root = (struct rb_node *) 0x0
(gdb) bt full
(Trimming "optimized out", __func__, unnecessary frames)
#4 0xffffffff80538508 in pmap_lookup_pv (pmap=pmap@entry=0xfffff40884d4ee00, ptp=ptp@entry=0xffffab0000c1ed00, old_pp=old_pp@entry=0xffffab0001e621d8, va=va@entry=139916092821504) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:2194
tree = 0xffffab0000c1ed58
#5 0xffffffff8053b8b2 in pmap_remove_pte (va=139916092821504, pte=<optimized out>, ptp=0xffffab0000c1ed00, pmap=0xfffff40884d4ee00) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4087
pp = 0xffffab0001e621d8
opte = 9223372042687001703
#6 pmap_remove_pte (pmap=0xfffff40884d4ee00, ptp=0xffffab0000c1ed00, pte=<optimized out>, va=139916092821504) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4023
#7 0xffffffff8053f444 in pmap_remove_ptes (endva=139916094603264, startva=<optimized out>, ptpva=<optimized out>, ptp=0xffffab0000c1ed00, pmap=0xfffff40884d4ee00) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4007
#8 pmap_remove_locked (eva=139916094603264, sva=<optimized out>, pmap=0xfffff40884d4ee00) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4160
ptes = 0xffffe38000000000
pde = 5219426407
pdes = 0xffffffff818cd440 <normal_pdes>
blkendva = 139916094603264
va = 139916092760064
ptp = 0xffffab0000c1ed00
pmap2 = 0x0
lvl = 1
#9 pmap_remove (pmap=0xfffff40884d4ee00, sva=<optimized out>, eva=139916094603264) at /bracket/repo/src/sys/arch/x86/x86/pmap.c:4186
No locals.
#10 0xffffffff80c533e9 in uvm_unmap_remove (map=map@entry=0xfffff4088419adf8, start=<optimized out>, end=139916094603264, entry_list=entry_list@entry=0xffffab0154220f78, flags=flags@entry=0) at /bracket/repo/src/sys/uvm/uvm_map.c:2255
entry = 0xfffff408d7199040
first_entry = 0x0
next = 0xfffff4089848f100
len = 1843200
#11 0xffffffff80c585c6 in sys_munmap (l=<optimized out>, uap=<optimized out>, retval=<optimized out>) at /bracket/repo/src/sys/uvm/uvm_mmap.c:540
addr = 139916092760064
size = 1843200
map = 0xfffff4088419adf8
dead_entries = 0x0
#12 0xffffffff8054508e in sy_call (rval=0xffffab0154220fb0, uap=0xffffab0154221000, l=0xfffff408c2de3280, sy=0xffffffff81883078 <sysent+1752>) at /bracket/repo/src/sys/sys/syscallvar.h:65
#13 sy_invoke (code=73, rval=0xffffab0154220fb0, uap=0xffffab0154221000, l=0xfffff408c2de3280, sy=0xffffffff81883078 <sysent+1752>) at /bracket/repo/src/sys/sys/syscallvar.h:94
#14 syscall (frame=0xffffab0154221000) at /bracket/repo/src/sys/arch/x86/x86/syscall.c:138
callp = 0xffffffff81883078 <sysent+1752>
l = 0xfffff408c2de3280
code = 73
rval = {0, 0}
>How-To-Repeat:
>Fix: