NetBSD Problem Report #56401
From martin@aprisoft.de Tue Sep 14 12:21:12 2021
Return-Path: <martin@aprisoft.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id F0EB81A9239
for <gnats-bugs@gnats.NetBSD.org>; Tue, 14 Sep 2021 12:21:11 +0000 (UTC)
Message-Id: <20210914122102.D3E0D5CC85E@emmas.aprisoft.de>
Date: Tue, 14 Sep 2021 14:21:02 +0200 (CEST)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: kernel panic on userland NULL function pointer call?
X-Send-Pr-Version: 3.95
>Number: 56401
>Category: port-sh3
>Synopsis: kernel panic on userland NULL function pointer call?
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: port-sh3-maintainer
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Sep 14 12:25:00 +0000 2021
>Closed-Date: Wed Sep 22 08:05:17 +0000 2021
>Last-Modified: Wed Sep 22 08:20:02 +0000 2021
>Originator: Martin Husemann
>Release: NetBSD 9.99.88
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD last-of-the-heroes.aprisoft.de 9.99.88 NetBSD 9.99.88 (GENERIC) #130: Tue Sep 7 14:38:45 CEST 2021 martin@seven-days-to-the-wolves.aprisoft.de:/work/src/sys/arch/landisk/compile/GENERIC landisk
Architecture: sh3el
Machine: landisk
>Description:
Trying to boot a -current kernel from a few hours ago causes a panic
when makemandb runs:
kernel mode trap: address error (load) code = 0x0
Stopped in pid 881.881 (makemandb) at 0: Instruction fetch fault (user)
[ 188.9189998] panic: tlb_exception: invalid user-space access from kernel mode
[ 188.9189998] expevt=40 va=00000000 ssr=400000f1 spc=8c009670 lwp=0x8fa8ec40 onfault=0x0
[ 188.9189998] cpu0: Begin traceback...
[ 188.9189998] db_panic() at netbsd:vpanic+0xe2
[ 188.9189998] vpanic() at netbsd:panic+0x18
[ 188.9189998] panic() at netbsd:tlb_exception+0x27c
[ 188.9189998] tlb_exception() at 8c0004dc
[ 188.9189998] <EXPEVT 040; SSR=400000f1> at netbsd:longjmp
[ 188.9189998] [trapframe 0x8c00bc8c]
[ 188.9189998] sr=400000f1 gbr=74c7a000 pc=8c009670 pr=8c0d0fd8
[ 188.9189998] r0=0000001f r1=8c009670 r2=8c416de4 r3=00000000
[ 188.9189998] r4=00000000 r6=00000000 r7=0000000a r8=ffe8001c
[ 188.9189998] r5=c2915d10 r9=c2915d60 r10=8c4375e0 r11=00000000
[ 188.9189998] r12=00000000 r13=8c280f18 r14=8c00bc8c sp=r15=c2915d28
[ 188.9189998] longjmp() at netbsd:db_error+0x20
[ 188.9189998] db_error() at netbsd:get_insn+0x14
[ 188.9189998] get_insn() at netbsd:db_disasm+0xe
[ 188.9189998] db_disasm() at netbsd:db_trap+0x88
[ 188.9189998] db_trap() at netbsd:kdb_trap+0xac
[ 188.9189998] kdb_trap() at netbsd:general_exception+0xc8
[ 188.9189998] general_exception() at 8c0001b2
[ 188.9189998] <EXPEVT 0e0; SSR=40000000> at 0
[ 188.9189998] [trapframe 0x8c0090b4]
[ 188.9189998] sr=40000000 gbr=74c7a000 pc=00000000 pr=8c192be4
[ 188.9189998] r0=0000000e r1=8c41af00 r2=00000001 r3=8fa8ee7c
[ 188.9189998] r4=fffffffe r6=00000001 r7=8fa8ec44 r8=c2915ec4
[ 188.9189998] r5=8fa8ec40 r9=fffffffe r10=ffffffe4 r11=00004000
[ 188.9189998] r12=00000003 r13=00000001 r14=8c0090b4 sp=r15=c2915e28
[ 188.9189998] cpu0: End traceback...
Stopped in pid 881.881 (makemandb) at netbsd:cpu_Debugger+0x2: rts
>How-To-Repeat:
n/a
>Fix:
n/a
>Release-Note:
>Audit-Trail:
From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/56401 CVS commit: src/sys/arch/sh3/sh3
Date: Wed, 15 Sep 2021 11:03:25 +0000
Module Name: src
Committed By: rin
Date: Wed Sep 15 11:03:25 UTC 2021
Modified Files:
src/sys/arch/sh3/sh3: exception.c
Log Message:
For kernel mode address error, do not overwrite tf->tf_spc and tf->tf_r0
*before* checking pcb->pcb_onfault != NULL.
Should fix part of
PR port-sh3/56382
PR port-sh3/56401
i.e., DDB will no longer wrongly indicate NULL as fault PC for kernel mode
address error (and 0xe == EFAULT as r0).
Yes, we have other bugs that cause the panics described in the two PRs, but
now we can examine them more easily :).
To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.74 src/sys/arch/sh3/sh3/exception.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
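Added illustration (not NetBSD's exception.c, and not part of this PR): a constructed model of the ordering problem the commit above describes. Only the two trap-frame fields the log message names are modelled; the struct and function names, the constructed faulting PC and the 0xe/EFAULT value shown in r0 are assumptions chosen to mirror the commit message. The buggy variant redirects the frame before checking for a recovery handler, so an unrecoverable fault is reported with spc == 0; the fixed variant checks first.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EFAULT 14U            /* 0xe, the value the commit says DDB showed in r0 */
#define NO_ONFAULT 0U         /* pcb_onfault == NULL: no copyin/copyout recovery */

/* Minimal stand-in for the sh3 trap frame (assumption: only two fields). */
struct trapframe {
    uint32_t tf_spc;          /* saved PC of the faulting instruction */
    uint32_t tf_r0;           /* return register, set to EFAULT on recovery */
};

/* Minimal stand-in for the PCB: address of the onfault label, or NO_ONFAULT. */
struct pcb {
    uint32_t pcb_onfault;
};

/* Pre-fix ordering as the commit describes it: the frame is clobbered and
 * only then is the NULL check made. Returns true when the fault was
 * recovered via onfault, false when it must be reported (panic / DDB). */
bool
kernel_addr_error_buggy(struct trapframe *tf, const struct pcb *pcb)
{
    tf->tf_spc = pcb->pcb_onfault;       /* becomes 0 when there is no handler */
    tf->tf_r0 = EFAULT;
    if (pcb->pcb_onfault == NO_ONFAULT)
        return false;                    /* reported with spc already zeroed */
    return true;
}

/* Fixed ordering: decide first, redirect only if a handler exists. */
bool
kernel_addr_error_fixed(struct trapframe *tf, const struct pcb *pcb)
{
    if (pcb->pcb_onfault == NO_ONFAULT)
        return false;                    /* real faulting PC stays in the frame */
    tf->tf_spc = pcb->pcb_onfault;
    tf->tf_r0 = EFAULT;
    return true;
}

/* Fault with no recovery handler at a constructed kernel PC and return the
 * PC a debugger would see afterwards. */
uint32_t
reported_pc_without_onfault(bool use_fixed)
{
    struct trapframe tf = { .tf_spc = 0x8c123456u, .tf_r0 = 0 }; /* constructed */
    struct pcb pcb = { .pcb_onfault = NO_ONFAULT };
    bool recovered = use_fixed ? kernel_addr_error_fixed(&tf, &pcb)
                               : kernel_addr_error_buggy(&tf, &pcb);
    (void)recovered;                     /* false in both variants */
    return tf.tf_spc;
}

/* Fault with a recovery handler installed: both variants must redirect. */
uint32_t
resumed_pc_with_onfault(bool use_fixed)
{
    struct trapframe tf = { .tf_spc = 0x8c123456u, .tf_r0 = 0 }; /* constructed */
    struct pcb pcb = { .pcb_onfault = 0x8c00aa00u };             /* constructed */
    bool recovered = use_fixed ? kernel_addr_error_fixed(&tf, &pcb)
                               : kernel_addr_error_buggy(&tf, &pcb);
    return recovered ? tf.tf_spc : 0;
}

int
main(void)
{
    printf("buggy, no onfault: spc=%#x\n", reported_pc_without_onfault(false));
    printf("fixed, no onfault: spc=%#x\n", reported_pc_without_onfault(true));
    return 0;
}
```

The recovery case behaves identically in both variants; the difference only shows when there is no handler, which is exactly the case where the frame is the evidence a debugger needs.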
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: port-sh3/56401: kernel panic in tmpfs_write
Date: Tue, 21 Sep 2021 13:34:59 +0200
With a new kernel the crash now looks like this:
[ 444.4401356] panic: tlb_exception: invalid user-space access from kernel mode
[ 444.4401356] expevt=40 va=00000000 ssr=400000e0 spc=8c1bcc8c lwp=0x8fa8e640 onfault=0x0
[ 444.4401356] cpu0: Begin traceback...
[ 444.4401356] db_panic() at netbsd:vpanic+0xe2
[ 444.4401356] vpanic() at netbsd:panic+0x18
[ 444.4401356] panic() at netbsd:tlb_exception+0x27c
[ 444.4401356] tlb_exception() at 8c0004dc
[ 444.4401356] <EXPEVT 040; SSR=400000e0> at netbsd:mutex_tryenter+0x4
[ 444.4401356] [trapframe 0x8c426d00]
[ 444.4401356] sr=400000e0 gbr=7abda000 pc=8c1bcc8c pr=8c1b9642
[ 444.4401356] r0=8c1b962c r1=00000000 r2=00000060 r3=fffffffe
[ 444.4401356] r4=00000000 r6=8fa8e640 r7=00000001 r8=8c420364
[ 444.4401356] r5=8e909080 r9=00000000 r10=8c1bcbbc r11=8c1bcc88
[ 444.4401356] r12=8fa8e6bc r13=8e909080 r14=8c426d00 sp=r15=c2de2dc8
[ 444.4401356] mutex_tryenter() at netbsd:lwp_trylock+0x16
[ 444.4401356] lwp_trylock() at netbsd:turnstile_block+0x114
[ 444.4401356] turnstile_block() at netbsd:rw_enter+0xe6
[ 444.4401356] rw_enter() at netbsd:ubc_alloc.constprop.0+0xb0
[ 444.4401356] ubc_alloc.constprop.0() at netbsd:ubc_uiomove+0x5c
[ 444.4401356] ubc_uiomove() at netbsd:tmpfs_write+0xf8
[ 444.4401356] tmpfs_write() at netbsd:VOP_WRITE+0x1a
[ 444.4401356] VOP_WRITE() at netbsd:vn_write+0xa0
[ 444.4401356] vn_write() at netbsd:dofilewrite+0x56
[ 444.4401356] dofilewrite() at netbsd:sys_write+0x4a
[ 444.4401356] sys_write() at netbsd:syscall+0xae
[ 444.4401356] syscall() at 8c0001b2
[ 444.4401356] <EXPEVT 160; SSR=00000001> at 7a768b14
[ 444.4401356] [trapframe 0x40aae8]
[ 444.4401356] sr=00000001 gbr=7abda000 pc=7a768b14 pr=7a9178a4
[ 444.4401356] r0=00000004 r1=ffffe6dc r2=7a93b178 r3=7a93b13c
[ 444.4401356] r4=00000004 r6=7a6b0580 r7=00010000 r8=00000000
[ 444.4401356] r5=7ac2ec00 r9=00000344 r10=7a93b140 r11=7a93b180
[ 444.4401356] r12=7a931468 r13=7a6b0580 r14=0040aae8 sp=r15=7ffd8a90
[ 444.4401356] cpu0: End traceback...
Stopped in pid 1045.1045 (tar) at netbsd:cpu_Debugger+0x2: rts
Martin
State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Wed, 22 Sep 2021 08:05:17 +0000
State-Changed-Why:
Fixed by rin
From: Martin Husemann <martin@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: port-sh3/56401: kernel panic in tmpfs_write
Date: Wed, 22 Sep 2021 08:03:24 +0000
This fixes PR 56401
----- Forwarded message from Rin Okuyama <rin@netbsd.org> -----
Date: Wed, 22 Sep 2021 05:42:19 +0000
From: Rin Okuyama <rin@netbsd.org>
To: source-changes@NetBSD.org
Subject: CVS commit: src/sys/kern
X-Mailer: log_accum
Module Name: src
Committed By: rin
Date: Wed Sep 22 05:42:19 UTC 2021
Modified Files:
src/sys/kern: kern_ksyms.c
Log Message:
ksymsmmap: Add missing uao_reference(9) call for ks->ks_uobj.
Fix failure for savecore(8) and subsequent kernel panic, introduced to
kern_ksyms.c rev 1.03, at least for sh3 and alpha.
For sh3 and alpha, savecore(8) supports coff and ecoff, respectively, via
libkvm via nlist(3). nlist(3) routines for coff and ecoff use mmap(2) and
munmap(2) for /dev/ksyms.
This munmap(2) decrements reference count for ks->ks_uobj. Unless it is
incremented in ksymsmmap(), ks->ks_uobj will be freed unexpectedly.
To generate a diff of this commit:
cvs rdiff -u -r1.104 -r1.105 src/sys/kern/kern_ksyms.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
----- End forwarded message -----
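Added illustration (not NetBSD's kern_ksyms.c or UVM, and not part of this PR): a constructed reference-count model of the bug the forwarded commit describes. The stand-in names (struct uobj, uao_reference/uao_detach, ksymsmmap, nlist_roundtrip) are assumptions that mirror the commit message; the point shown is that a mapping which takes no reference on the object, followed by an munmap(2) that drops one, frees the object while the driver still uses it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for a UVM anonymous object (assumption: refcount plus a flag). */
struct uobj {
    int refs;               /* owners: the driver plus each live mapping */
    bool freed;             /* set when the last reference is dropped */
};

static struct uobj ks_uobj_storage;
static struct uobj *ks_uobj;   /* the driver's ks->ks_uobj stand-in */

/* uao_reference(9) / uao_detach(9) stand-ins. */
static void
uao_reference(struct uobj *u)
{
    u->refs++;
}

static void
uao_detach(struct uobj *u)
{
    if (--u->refs == 0)
        u->freed = true;    /* the object is gone from here on */
}

/* Driver attach: the driver itself holds one reference. */
static void
ksyms_attach(void)
{
    ks_uobj = &ks_uobj_storage;
    ks_uobj->refs = 1;
    ks_uobj->freed = false;
}

/* mmap(2) on /dev/ksyms hands the object to the mapping layer. With
 * fixed == false no reference is taken (the defect); with fixed == true
 * the mapping owns its own reference, as the commit adds. */
static struct uobj *
ksymsmmap(bool fixed)
{
    if (fixed)
        uao_reference(ks_uobj);
    return ks_uobj;
}

/* munmap(2) always drops the mapping's reference, whether or not mmap took one. */
static void
ksyms_munmap(struct uobj *u)
{
    uao_detach(u);
}

/* Simulate what the commit says nlist(3) does for coff/ecoff: mmap, read,
 * munmap. Returns true if the driver's object is still alive afterwards. */
bool
nlist_roundtrip_leaves_object_alive(bool fixed)
{
    ksyms_attach();
    struct uobj *mapping = ksymsmmap(fixed);
    ksyms_munmap(mapping);
    return !ks_uobj->freed;
}

/* Reference count left on the driver's object after the round trip. */
int
refs_after_roundtrip(bool fixed)
{
    ksyms_attach();
    struct uobj *mapping = ksymsmmap(fixed);
    ksyms_munmap(mapping);
    return ks_uobj->refs;
}

int
main(void)
{
    printf("without uao_reference: alive=%d refs=%d\n",
           nlist_roundtrip_leaves_object_alive(false), refs_after_roundtrip(false));
    printf("with    uao_reference: alive=%d refs=%d\n",
           nlist_roundtrip_leaves_object_alive(true), refs_after_roundtrip(true));
    return 0;
}
```

The invariant worth checking in a review of any mmap-style handler is the same one the model asserts: every path that can later call the detach routine must have taken its own reference, so the creator's reference survives the caller's unmap.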
>Unformatted: