NetBSD Problem Report #51393

From www@NetBSD.org  Sat Aug  6 16:07:16 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 1E5DD7A10E
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  6 Aug 2016 16:07:16 +0000 (UTC)
Message-Id: <20160806160714.993917A2AA@mollari.NetBSD.org>
Date: Sat,  6 Aug 2016 16:07:14 +0000 (UTC)
From: max@m00nbsd.net
Reply-To: max@m00nbsd.net
To: gnats-bugs@NetBSD.org
Subject: Reproducible KASSERT in UVM
X-Send-Pr-Version: www-1.0

>Number:         51393
>Category:       kern
>Synopsis:       Reproducible KASSERT in UVM
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Aug 06 16:10:00 +0000 2016
>Last-Modified:  Tue Oct 01 12:50:01 +0000 2019
>Originator:     Maxime Villard
>Release:        NetBSD-current (7.99.35)
>Organization:
>Environment:
Just a VirtualBox VM, GENERIC amd64.
>Description:
This KASSERTMSG in uvm_map.c is easy to trigger.

2115 	KASSERTMSG(!topdown || hint <= orig_hint, "hint: %jx, orig_hint: %jx",
2116 	    (uintmax_t)hint, (uintmax_t)orig_hint);

The output is:
	hint: 3ff000
	orig_hint: 0
>How-To-Repeat:
The following code triggers the kassert:

#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#define PAGE_SIZE 4096

int main()
{
	char *buf;
	void *addr = (void *)((size_t)-1);
	int ret;

	buf = mmap((void *)PAGE_SIZE, PAGE_SIZE, PROT_READ|PROT_WRITE,
	    MAP_FIXED|MAP_ANON|MAP_PRIVATE,-1,0);
	printf("buf1 = %p\n", buf);

	ret = munmap(NULL, PAGE_SIZE);
	printf("ret = %d\n", ret);

	buf = mmap(addr, PAGE_SIZE, PROT_READ|PROT_WRITE,
	    MAP_TRYFIXED|MAP_ANON|MAP_PRIVATE, -1, 0);
	/* NOTREACHED */
}

$ gcc -o mapnull mapnull.c
$ ./mapnull
buf1 = 0xffffffffffffffff
ret = -1
panic: kernel diagnostic assertion ...



>Fix:
I haven't investigated it.

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Sat, 6 Aug 2016 19:57:48 +0200

 Same as kern/51254?

 I am tempted to call it a compiler issue.

 Martin

From: Maxime Villard <max@m00nbsd.net>
To: gnats-bugs@NetBSD.org, kern-bug-people@netbsd.org,
 gnats-admin@netbsd.org, netbsd-bugs@netbsd.org
Cc: Martin Husemann <martin@duskware.de>
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Fri, 12 Aug 2016 18:48:23 +0200

 On 06/08/2016 at 20:00, Martin Husemann wrote:
 > The following reply was made to PR kern/51393; it has been noted by GNATS.
 >
 > From: Martin Husemann <martin@duskware.de>
 > To: gnats-bugs@NetBSD.org
 > Cc:
 > Subject: Re: kern/51393: Reproducible KASSERT in UVM
 > Date: Sat, 6 Aug 2016 19:57:48 +0200
 >
 >  Same as kern/51254?

 Apparently, yes.

 >  I am tempted to call it a compiler issue.

 That seems highly unlikely to me. There must be another unrelated issue in
 UVMHIST, or whatever.

 The real bug might be hiding in the way hints work. The code I posted in this
 report generates orig_hint=0, so obviously there is no way for 'hint' to be
 below zero, and the allocation should theoretically fail.

 This 'theoretically' is necessarily wrong, since most of the vm space could be
 available - meaning the allocation should succeed.

From: Michael van Elst <mlelstv@serpens.de>
To: gnats@netbsd.org
Cc: 
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Wed, 16 Aug 2017 00:42:40 +0200

 The address hint is passed through round_page() unless MAP_FIXED is set.
 A value of (void *)-1 is rounded up to 0.

 The assertion that a topdown allocation is below or equal to the "orig_hint"
 (== the rounded up and overflown value) doesn't hold in that case.


 -- 
                                 Michael van Elst
 Internet: mlelstv@serpens.de
                                 "A potential Snark may lurk in every tree."

From: Michael van Elst <mlelstv@serpens.de>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Sun, 29 Apr 2018 19:22:45 +0200

 This patch:

 Index: uvm_mmap.c
 ===================================================================
 RCS file: /cvsroot/src/sys/uvm/uvm_mmap.c,v
 retrieving revision 1.169
 diff -p -u -r1.169 uvm_mmap.c
 --- uvm_mmap.c  19 Dec 2017 18:34:47 -0000      1.169
 +++ uvm_mmap.c  29 Apr 2018 17:16:50 -0000
 @@ -896,7 +896,9 @@ uvm_mmap(struct vm_map *map, vaddr_t *ad
          */

         if ((flags & MAP_FIXED) == 0) {
 -               *addr = round_page(*addr);
 +               vaddr_t naddr;
 +               naddr = round_page(*addr);
 +               *addr = naddr < *addr ? trunc_page(*addr) : naddr;
         } else {
                 if (*addr & PAGE_MASK)
                         return EINVAL;
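
 Review bot: the added fallback `*addr = naddr < *addr ? trunc_page(*addr) : naddr;` needs a comment, since nothing in the hunk says that `naddr < *addr` is a wrap test or why the hint is truncated only in that case; the block comment that closes just above the `if` should mention it too. Folding the declaration into `vaddr_t naddr = round_page(*addr);` would also save a line. The hunk does not show any check that the truncated hint lies inside the map's address range, so that is worth confirming in the code that follows.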

 stops the panic by ensuring that rounding the hint doesn't wrap.

 But I'm wondering why the address hint is actually rounded (up). It's
 probably more correct to truncate for topdown allocation and to round up
 for !topdown allocation. This should also prevent the issue.



 Greetings,
 -- 
                                 Michael van Elst
 Internet: mlelstv@serpens.de
                                 "A potential Snark may lurk in every tree."

From: Valery Ushakov <uwe@stderr.spb.ru>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/51393: Reproducible KASSERT in UVM
Date: Tue, 1 Oct 2019 15:46:01 +0300

 On Sun, Apr 29, 2018 at 17:25:01 +0000, Michael van Elst wrote:

 >  But I'm wondering why the address hint is actually rounded (up). It's
 >  probably more correct to truncate for topdown allocation and to round up
 >  for !topdown allocation. This should also prevent the issue.

 Xref kern/54395 where the suggested patch does just that.

 -uwe
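
The rounding wrap discussed in this thread, the arithmetic of the 2018 patch and the truncate-for-topdown alternative, as an added user-space model (not NetBSD code and not part of any message above). It assumes 64-bit addresses, 4 KiB pages and mask-based rounding; the `model_*`, `hint_*` and `topdown_assert_holds` names are hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model: 64-bit addresses and 4 KiB pages are assumptions. */
typedef uint64_t va_t;
#define MODEL_PAGE_MASK ((va_t)4096 - 1)

static va_t model_round_page(va_t x) { return (x + MODEL_PAGE_MASK) & ~MODEL_PAGE_MASK; }
static va_t model_trunc_page(va_t x) { return x & ~MODEL_PAGE_MASK; }

/* Before the patch: unconditional round up, which can wrap to 0. */
va_t hint_before(va_t addr) { return model_round_page(addr); }

/* Arithmetic of the patch in this thread: truncate only when rounding wrapped. */
va_t hint_patched(va_t addr)
{
	va_t naddr = model_round_page(addr);
	return naddr < addr ? model_trunc_page(addr) : naddr;
}

/* Alternative raised in the thread: truncate for topdown, round up otherwise. */
va_t hint_directional(va_t addr, bool topdown)
{
	return topdown ? model_trunc_page(addr) : model_round_page(addr);
}

/* The KASSERTMSG condition from the report, as a predicate. */
bool topdown_assert_holds(bool topdown, va_t hint, va_t orig_hint)
{
	return !topdown || hint <= orig_hint;
}

int main(void)
{
	/* Constructed hints around the top of the address space. */
	const va_t hints[] = { UINT64_MAX, UINT64_MAX - MODEL_PAGE_MASK, 0x1001 };
	for (size_t i = 0; i < sizeof hints / sizeof hints[0]; i++)
		printf("hint %#" PRIx64 ": before %#" PRIx64 ", patched %#" PRIx64
		    ", topdown-trunc %#" PRIx64 "\n", hints[i], hint_before(hints[i]),
		    hint_patched(hints[i]), hint_directional(hints[i], true));

	/* Values from the report: placement 0x3ff000 against the rounded (void *)-1. */
	printf("report case: before %s, patched %s\n",
	    topdown_assert_holds(true, 0x3ff000, hint_before(UINT64_MAX)) ? "holds" : "assert fires",
	    topdown_assert_holds(true, 0x3ff000, hint_patched(UINT64_MAX)) ? "holds" : "assert fires");
	return 0;
}
```

In this model the non-topdown branch of `hint_directional` still wraps to 0 for hints in the last partial page; the asserted condition only applies to topdown allocation.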
