NetBSD Problem Report #56401

From martin@aprisoft.de  Tue Sep 14 12:21:12 2021
Return-Path: <martin@aprisoft.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id F0EB81A9239
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 14 Sep 2021 12:21:11 +0000 (UTC)
Message-Id: <20210914122102.D3E0D5CC85E@emmas.aprisoft.de>
Date: Tue, 14 Sep 2021 14:21:02 +0200 (CEST)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: kernel panic on userland NULL function pointer call?
X-Send-Pr-Version: 3.95

>Number:         56401
>Category:       port-sh3
>Synopsis:       kernel panic on userland NULL function pointer call?
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    port-sh3-maintainer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 14 12:25:00 +0000 2021
>Closed-Date:    Wed Sep 22 08:05:17 +0000 2021
>Last-Modified:  Wed Sep 22 08:20:02 +0000 2021
>Originator:     Martin Husemann
>Release:        NetBSD 9.99.88
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD last-of-the-heroes.aprisoft.de 9.99.88 NetBSD 9.99.88 (GENERIC) #130: Tue Sep 7 14:38:45 CEST 2021 martin@seven-days-to-the-wolves.aprisoft.de:/work/src/sys/arch/landisk/compile/GENERIC landisk
Architecture: sh3el
Machine: landisk
>Description:

Trying to boot a -current kernel from a few hours ago causes a panic
when makemandb runs:

 kernel mode trap: address error (load) code = 0x0
Stopped in pid 881.881 (makemandb) at   0:      Instruction fetch fault (user)
[ 188.9189998] panic: tlb_exception: invalid user-space access from kernel mode
[ 188.9189998] expevt=40 va=00000000 ssr=400000f1 spc=8c009670 lwp=0x8fa8ec40 onfault=0x0
[ 188.9189998] cpu0: Begin traceback...
[ 188.9189998] db_panic() at netbsd:vpanic+0xe2
[ 188.9189998] vpanic() at netbsd:panic+0x18
[ 188.9189998] panic() at netbsd:tlb_exception+0x27c
[ 188.9189998] tlb_exception() at 8c0004dc
[ 188.9189998] <EXPEVT 040; SSR=400000f1> at netbsd:longjmp
[ 188.9189998] [trapframe 0x8c00bc8c]
[ 188.9189998]    sr=400000f1   gbr=74c7a000    pc=8c009670     pr=8c0d0fd8
[ 188.9189998]    r0=0000001f    r1=8c009670    r2=8c416de4     r3=00000000
[ 188.9189998]    r4=00000000    r6=00000000    r7=0000000a     r8=ffe8001c
[ 188.9189998]    r5=c2915d10    r9=c2915d60   r10=8c4375e0    r11=00000000
[ 188.9189998]   r12=00000000   r13=8c280f18   r14=8c00bc8c sp=r15=c2915d28
[ 188.9189998] longjmp() at netbsd:db_error+0x20
[ 188.9189998] db_error() at netbsd:get_insn+0x14
[ 188.9189998] get_insn() at netbsd:db_disasm+0xe
[ 188.9189998] db_disasm() at netbsd:db_trap+0x88
[ 188.9189998] db_trap() at netbsd:kdb_trap+0xac
[ 188.9189998] kdb_trap() at netbsd:general_exception+0xc8
[ 188.9189998] general_exception() at 8c0001b2
[ 188.9189998] <EXPEVT 0e0; SSR=40000000> at 0
[ 188.9189998] [trapframe 0x8c0090b4]
[ 188.9189998]    sr=40000000   gbr=74c7a000    pc=00000000     pr=8c192be4
[ 188.9189998]    r0=0000000e    r1=8c41af00    r2=00000001     r3=8fa8ee7c
[ 188.9189998]    r4=fffffffe    r6=00000001    r7=8fa8ec44     r8=c2915ec4
[ 188.9189998]    r5=8fa8ec40    r9=fffffffe   r10=ffffffe4    r11=00004000
[ 188.9189998]   r12=00000003   r13=00000001   r14=8c0090b4 sp=r15=c2915e28
[ 188.9189998] cpu0: End traceback...
Stopped in pid 881.881 (makemandb) at   netbsd:cpu_Debugger+0x2:        rts
>How-To-Repeat:
n/a

>Fix:
n/a

>Release-Note:

>Audit-Trail:
From: "Rin Okuyama" <rin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/56401 CVS commit: src/sys/arch/sh3/sh3
Date: Wed, 15 Sep 2021 11:03:25 +0000

 Module Name:	src
 Committed By:	rin
 Date:		Wed Sep 15 11:03:25 UTC 2021

 Modified Files:
 	src/sys/arch/sh3/sh3: exception.c

 Log Message:
 For kernel mode address error, do not overwrite tf->tf_spc and tf->tf_r0
 *before* checking pcb->pbc_onfault != NULL.

 Should fix part of

 PR port-sh3/56382
 PR port-sh3/56401

 i.e., DDB will no longer wrongly indicate NULL as fault PC for kernel mode
 address error (and 0xe == EFAULT as r0).

 Yes, we have other bugs that cause panics described in the two PRs, but
 now we can examine them more easily :).


 To generate a diff of this commit:
 cvs rdiff -u -r1.73 -r1.74 src/sys/arch/sh3/sh3/exception.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

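The ordering problem the commit above describes is easy to model. The following is an added example, not NetBSD's exception.c and not code from the PR: a toy trapframe/pcb and two versions of the kernel-mode address error path. In the pre-fix ordering the frame is rewritten with pc = onfault (0 when there is none) and r0 = EFAULT before the onfault check, which is exactly the pc=00000000 / r0=0000000e that DDB printed in the original report. The fixed ordering checks first and leaves the frame untouched on the panic path. Struct layouts, the sample fault PC, the sample r0 and the onfault address are assumptions/constructed values.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the sh3 trapframe and pcb fields the commit log names
 * (constructed for this example; the layout is not NetBSD's). */
struct trapframe {
	uint32_t tf_spc;	/* saved PC: the instruction that faulted */
	uint32_t tf_r0;		/* r0: where copyin/copyout-style code returns an errno */
};

struct pcb {
	uint32_t pcb_onfault;	/* recovery address set by copyin/copyout, 0 if none */
};

enum outcome { RESUME_AT_ONFAULT, PANIC_ADDRESS_ERROR };

/*
 * Pre-fix ordering: the frame is rewritten before anyone checks whether a
 * recovery handler exists. With no handler the panic path (and DDB) then sees
 * pc = 0 and r0 = EFAULT instead of the real fault state.
 */
static enum outcome
kernel_address_error_buggy(struct trapframe *tf, const struct pcb *pcb)
{
	tf->tf_spc = pcb->pcb_onfault;
	tf->tf_r0 = EFAULT;
	if (pcb->pcb_onfault != 0)
		return RESUME_AT_ONFAULT;
	return PANIC_ADDRESS_ERROR;	/* the evidence is already gone */
}

/* Fixed ordering: decide first, rewrite the frame only on the recovery path. */
static enum outcome
kernel_address_error_fixed(struct trapframe *tf, const struct pcb *pcb)
{
	if (pcb->pcb_onfault == 0)
		return PANIC_ADDRESS_ERROR;	/* tf untouched: real pc and r0 survive */
	tf->tf_spc = pcb->pcb_onfault;
	tf->tf_r0 = EFAULT;
	return RESUME_AT_ONFAULT;
}

/* Sample pre-fault state: spc taken from the first trace in this PR, r0 constructed. */
#define SAMPLE_FAULT_PC	0x8c009670u
#define SAMPLE_R0	0x12345678u

static enum outcome
run(bool use_fixed, uint32_t onfault, struct trapframe *tf)
{
	struct pcb pcb = { .pcb_onfault = onfault };

	tf->tf_spc = SAMPLE_FAULT_PC;
	tf->tf_r0 = SAMPLE_R0;
	return use_fixed ? kernel_address_error_fixed(tf, &pcb)
			 : kernel_address_error_buggy(tf, &pcb);
}

/* What DDB would print as pc after a kernel fault with no recovery handler. */
uint32_t
ddb_pc_without_onfault(bool use_fixed)
{
	struct trapframe tf;

	run(use_fixed, 0, &tf);
	return tf.tf_spc;
}

/* ... and as r0. */
uint32_t
ddb_r0_without_onfault(bool use_fixed)
{
	struct trapframe tf;

	run(use_fixed, 0, &tf);
	return tf.tf_r0;
}

/* With a handler installed both orderings behave identically: resume at
 * onfault with r0 = EFAULT. Returns 1 when that holds. */
int
recovery_path_ok(bool use_fixed)
{
	struct trapframe tf;
	const uint32_t onfault = 0x8c0d0000u;	/* constructed handler address */
	enum outcome o = run(use_fixed, onfault, &tf);

	return o == RESUME_AT_ONFAULT && tf.tf_spc == onfault && tf.tf_r0 == EFAULT;
}

int
main(void)
{
	printf("buggy: pc=%08x r0=%08x\n",
	    ddb_pc_without_onfault(false), ddb_r0_without_onfault(false));
	printf("fixed: pc=%08x r0=%08x\n",
	    ddb_pc_without_onfault(true), ddb_r0_without_onfault(true));
	return 0;
}
```

The point for anyone reading sh3 (or any port's) trap output: a DDB frame showing pc=0 together with r0=EFAULT after a kernel-mode address error was, before this commit, an artefact of the handler and not the faulting location; with the fix the dumped pc is the real one, which is what made the second trace in this PR usable.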
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: port-sh3/56401: kernel panic in tmpfs_write
Date: Tue, 21 Sep 2021 13:34:59 +0200

 With a new kernel the crash now looks like this:

 [ 444.4401356] panic: tlb_exception: invalid user-space access from kernel mode
 [ 444.4401356] expevt=40 va=00000000 ssr=400000e0 spc=8c1bcc8c lwp=0x8fa8e640 onfault=0x0
 [ 444.4401356] cpu0: Begin traceback...
 [ 444.4401356] db_panic() at netbsd:vpanic+0xe2
 [ 444.4401356] vpanic() at netbsd:panic+0x18
 [ 444.4401356] panic() at netbsd:tlb_exception+0x27c
 [ 444.4401356] tlb_exception() at 8c0004dc
 [ 444.4401356] <EXPEVT 040; SSR=400000e0> at netbsd:mutex_tryenter+0x4
 [ 444.4401356] [trapframe 0x8c426d00]
 [ 444.4401356]    sr=400000e0   gbr=7abda000    pc=8c1bcc8c     pr=8c1b9642
 [ 444.4401356]    r0=8c1b962c    r1=00000000    r2=00000060     r3=fffffffe
 [ 444.4401356]    r4=00000000    r6=8fa8e640    r7=00000001     r8=8c420364
 [ 444.4401356]    r5=8e909080    r9=00000000   r10=8c1bcbbc    r11=8c1bcc88
 [ 444.4401356]   r12=8fa8e6bc   r13=8e909080   r14=8c426d00 sp=r15=c2de2dc8
 [ 444.4401356] mutex_tryenter() at netbsd:lwp_trylock+0x16
 [ 444.4401356] lwp_trylock() at netbsd:turnstile_block+0x114
 [ 444.4401356] turnstile_block() at netbsd:rw_enter+0xe6
 [ 444.4401356] rw_enter() at netbsd:ubc_alloc.constprop.0+0xb0
 [ 444.4401356] ubc_alloc.constprop.0() at netbsd:ubc_uiomove+0x5c
 [ 444.4401356] ubc_uiomove() at netbsd:tmpfs_write+0xf8
 [ 444.4401356] tmpfs_write() at netbsd:VOP_WRITE+0x1a
 [ 444.4401356] VOP_WRITE() at netbsd:vn_write+0xa0
 [ 444.4401356] vn_write() at netbsd:dofilewrite+0x56
 [ 444.4401356] dofilewrite() at netbsd:sys_write+0x4a
 [ 444.4401356] sys_write() at netbsd:syscall+0xae
 [ 444.4401356] syscall() at 8c0001b2
 [ 444.4401356] <EXPEVT 160; SSR=00000001> at 7a768b14
 [ 444.4401356] [trapframe 0x40aae8]
 [ 444.4401356]    sr=00000001   gbr=7abda000    pc=7a768b14     pr=7a9178a4
 [ 444.4401356]    r0=00000004    r1=ffffe6dc    r2=7a93b178     r3=7a93b13c
 [ 444.4401356]    r4=00000004    r6=7a6b0580    r7=00010000     r8=00000000
 [ 444.4401356]    r5=7ac2ec00    r9=00000344   r10=7a93b140    r11=7a93b180
 [ 444.4401356]   r12=7a931468   r13=7a6b0580   r14=0040aae8 sp=r15=7ffd8a90
 [ 444.4401356] cpu0: End traceback...
 Stopped in pid 1045.1045 (tar) at       netbsd:cpu_Debugger+0x2:        rts


 Martin

State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Wed, 22 Sep 2021 08:05:17 +0000
State-Changed-Why:
Fixed by rin


From: Martin Husemann <martin@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: port-sh3/56401: kernel panic in tmpfs_write
Date: Wed, 22 Sep 2021 08:03:24 +0000

 This fixes PR 56401

 ----- Forwarded message from Rin Okuyama <rin@netbsd.org> -----

 Date: Wed, 22 Sep 2021 05:42:19 +0000
 From: Rin Okuyama <rin@netbsd.org>
 To: source-changes@NetBSD.org
 Subject: CVS commit: src/sys/kern
 X-Mailer: log_accum

 Module Name:	src
 Committed By:	rin
 Date:		Wed Sep 22 05:42:19 UTC 2021

 Modified Files:
 	src/sys/kern: kern_ksyms.c

 Log Message:
 ksymsmmap: Add missing uao_reference(9) call for ks->ks_uobj.

 Fix failure for savecore(8) and subsequent kernel panic, introduced to
 kern_ksyms.c rev 1.03, at least for sh3 and alpha.

 For sh3 and alpha, savecore(8) supports coff and ecoff, respectively, via
 libkvm via nlist(3). nlist(3) routines for coff and ecoff use mmap(2) and
 munmap(2) for /dev/ksyms.

 This munmap(2) decrements reference count for ks->ks_uobj. Unless it is
 incremented in ksymsmmap(), ks->ks_uobj will be freed unexpectedly.


 To generate a diff of this commit:
 cvs rdiff -u -r1.104 -r1.105 src/sys/kern/kern_ksyms.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.


 ----- End forwarded message -----

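The reference-count mismatch in the forwarded commit log is a general pattern, so here is an added example modelling it; this is not kern_ksyms.c or uvm(9) code, and the struct names, the "freed" flag and the nlist(3) cycle are constructed stand-ins. A device's mmap handler hands out an object that every later munmap(2) will detach once; if the handler does not take a reference for the mapping, the driver's own long-lived reference is the one that gets consumed and the object is released while the driver still points at it.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Toy model of a reference-counted anonymous UVM object (constructed for this
 * example). "freed" stands in for the memory being released at refcount zero.
 */
struct uobj {
	int refs;
	bool freed;
};

static void
uao_reference_model(struct uobj *u)
{
	u->refs++;
}

static void
uao_detach_model(struct uobj *u)
{
	if (--u->refs == 0)
		u->freed = true;	/* the real kernel frees the object here */
}

/* The ksyms device keeps one long-lived reference to its backing object. */
struct ksyms_state {
	struct uobj *ks_uobj;
};

/*
 * mmap handler: hands the backing object to the new mapping. That mapping is
 * later torn down by munmap(2), which drops one reference on the object, so
 * the handler must add one for the mapping it creates.
 */
static struct uobj *
ksymsmmap_buggy(struct ksyms_state *ks)
{
	return ks->ks_uobj;	/* no reference taken: the mapping borrows the driver's */
}

static struct uobj *
ksymsmmap_fixed(struct ksyms_state *ks)
{
	uao_reference_model(ks->ks_uobj);	/* the call the commit log adds */
	return ks->ks_uobj;
}

/* What nlist(3) does for a coff/ecoff image: mmap /dev/ksyms, read, munmap. */
static void
run_nlist_cycle(bool use_fixed, struct uobj *obj)
{
	struct ksyms_state ks = { .ks_uobj = obj };
	struct uobj *mapped = use_fixed ? ksymsmmap_fixed(&ks)
					: ksymsmmap_buggy(&ks);

	/* ... userland reads the symbol table through the mapping ... */

	uao_detach_model(mapped);	/* munmap(2) drops the mapping's reference */
}

/* Driver-side reference count left after one mmap/munmap cycle. */
int
refs_after_nlist_cycle(bool use_fixed)
{
	struct uobj obj = { .refs = 1, .freed = false };	/* driver's own reference */

	run_nlist_cycle(use_fixed, &obj);
	return obj.refs;
}

/* True if the driver can still safely touch ks_uobj after the cycle. */
bool
ksyms_object_still_alive(bool use_fixed)
{
	struct uobj obj = { .refs = 1, .freed = false };

	run_nlist_cycle(use_fixed, &obj);
	return !obj.freed;
}

int
main(void)
{
	printf("buggy: refs=%d alive=%d\n",
	    refs_after_nlist_cycle(false), ksyms_object_still_alive(false));
	printf("fixed: refs=%d alive=%d\n",
	    refs_after_nlist_cycle(true), ksyms_object_still_alive(true));
	return 0;
}
```

In the buggy case the count reaches zero on the first munmap, so the next access through ks_uobj (here, savecore(8) and the write path that ends in the tmpfs_write trace above) runs on freed memory. The review check that catches this class of bug is mechanical: for each path that drops a reference on an object (munmap, close, detach), find the matching path that took it, and treat any handler that returns a shared object without taking one as suspect.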
>Unformatted:
