NetBSD Problem Report #57623
From martin@duskware.de Wed Sep 20 16:52:09 2023
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 1D9A11A9238
for <gnats-bugs@gnats.NetBSD.org>; Wed, 20 Sep 2023 16:52:09 +0000 (UTC)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: pv_flushcache4m called with bogus vm_page
X-Send-Pr-Version: 3.95
>Number: 57623
>Category: port-sparc
>Synopsis: pv_flushcache4m called with bogus vm_page
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: port-sparc-maintainer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Sep 20 16:55:00 +0000 2023
>Last-Modified: Thu Sep 21 15:55:01 +0000 2023
>Originator: Martin Husemann
>Release: NetBSD 10.99.8
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD sunset-glow.duskware.de 10.99.8 NetBSD 10.99.8 (GENERIC.MP) #42: Wed Sep 20 14:51:56 CEST 2023 martin@seven-days-to-the-wolves.aprisoft.de:/work/src/sys/arch/sparc/compile/GENERIC.MP sparc
Architecture: sparc
Machine: sparc
>Description:
While doing pkg builds I repeatadly got a crash due to a bogus vm_page
passed to pv_flushcache4m: 0xdeaddead
[ 5595.7889865] memfault_sun4m(0xf059e1d8, 0xf0008de0, 0xf423f, 0xf059e138, 0xa0, 0x2) at netbsd:pv_flushcache4m+0x5c
[ 5595.8813861] pv_flushcache4m(0xdeaddead, 0x1, 0xf1f7c6c0, 0xf04b9000, 0x0, 0xf0002000) at netbsd:pmap_copy_page4m+0x198
[ 5595.9529349] pmap_copy_page4m(0x116400, 0x8e4a000, 0x0, 0x1, 0x0, 0xf1f7c6c0) at netbsd:uvm_pagecopy+0x34
[ 5596.0210570] uvm_pagecopy(0xf07a7650, 0xf0a17e30, 0xedec1000, 0xf0038dc4, 0xff000000, 0xedec1000) at netbsd:uvmfault_promote+0x190
[ 5596.1190399] uvmfault_promote(0xfb771da4, 0x0, 0xf0a17e30, 0xfb771da0, 0xfb771dd8, 0xf21d57f0) at netbsd:uvm_fault_internal+0x13e0
[ 5596.2190214] uvm_fault_internal(0xf04b4098, 0xf04b40a8, 0x1, 0xf2260300, 0xf07a7650, 0xf05b2e64) at netbsd:mem_access_fault4m+0x2ec
[ 5596.2992827] mem_access_fault4m(0x9, 0x386, 0xedec0794, 0xfb771fb0, 0xf14608c0, 0xf1f7c6c0) at netbsd:memfault_sun4m+0xec
[ 5596.3819842] cpu0: End traceback...
This is on a dual SS20.
>How-To-Repeat:
s/a
>Fix:
n/a
>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: port-sparc/57623: pv_flushcache4m called with bogus vm_page
Date: Thu, 21 Sep 2023 17:51:31 +0200
I got another one and looked a bit deeper:
0xf003dc88 is in pmap_copy_page4m (../../../../arch/sparc/sparc/pmap.c:7212).
7207 int spte, dpte;
7208
7209 kpreempt_disable();
7210 if ((pg = PHYS_TO_VM_PAGE(src)) != NULL) {
7211 if (CACHEINFO.c_vactype == VAC_WRITEBACK)
7212 pv_flushcache4m(pg);
7213 }
7214
7215 spte = SRMMU_TEPTE | SRMMU_PG_C | PPROT_N_RX |
7216 (src >> SRMMU_PPNPASHIFT);
In the case I caught in ddb I have src=0x11f800 and dst=0x79a7000,
ddb says:
db{1}> mach page 0x79a7000
pa 79a7000 pg 0xf09b0b40
db{1}> mach page 0x11f800
pa 11f800 pg 0x0
and the call comes from:
0xf029c2bc is in uvmfault_promote (../../../../uvm/uvm_fault.c:648).
643 */
644 if (opg) {
645 pmap_remove(vm_map_pmap(ufi->orig_map), ufi->orig_rvaddr,
646 ufi->orig_rvaddr + PAGE_SIZE);
647 pmap_update(vm_map_pmap(ufi->orig_map));
648 uvm_pagecopy(opg, pg);
.. so opg was != NULL but now is not mapped anymore, which explains why we
can't copy it over.
Martin
(Contact us)
$NetBSD: query-full-pr,v 1.49 2026/05/14 01:52:41 riastradh Exp $
$NetBSD: gnats_config.sh,v 1.10 2026/05/13 22:00:09 riastradh Exp $
Copyright © 1994-2026
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home