'Re: protection fault in amap_wipeout'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-bugs
Subject:    Re: protection fault in amap_wipeout
From:       Jonathan Gray <jsg () jsg ! id ! au>
Date:       2024-04-15 13:13:40
Message-ID: Zh0oBDV7lHg8FAVI () largo ! jsg ! id ! au
[Download RAW message or body]

On Sat, Apr 13, 2024 at 06:14:25PM +0200, Martin Pieuchot wrote:
> On 30/03/24(Sat) 18:38, Martin Pieuchot wrote:
> > Hello Alexander,
> > 
> > Thanks for the report.
> > 
> > On 01/03/24(Fri) 16:39, Alexander Bluhm wrote:
> > > Hi,
> > > 
> > > An OpenBSD 7.4 machine on KVM running postgress and pagedaemon
> > > crashed in amap_wipeout().
> > > 
> > > bluhm
> > > 
> > > kernel: protection fault trap, code=0
> > > Stopped at      amap_wipeout+0x76:      movq    %rcx,0x28(%rax)
> > 
> > The problem is an incorrect call to amap_wipeout() in OOM situation
> > inside amap_copy().  At this moment the amap being copied/allocated
> > is not in the global list.  That's why you see this incorrect
> > dereference which corresponds to:
> > 
> > 	amap_list_remove(amap);
> > 
> > > ddb{3}> show panic
> > > the kernel did not panic
> > > 
> > > ddb{3}> trace
> > > amap_wipeout(fffffd8015b154d0) at amap_wipeout+0x76
> > > uvm_fault_check(ffff8000232d6a20,ffff8000232d6a58,ffff8000232d6a80) at uvm_faul
> > > t_check+0x2ad
> > > uvm_fault(fffffd811d150748,7d42519fb000,0,1) at uvm_fault+0xfb
> > > upageflttrap(ffff8000232d6b80,7d42519fb3c0) at upageflttrap+0x65
> > > usertrap(ffff8000232d6b80) at usertrap+0x1ee
> > > recall_trap() at recall_trap+0x8
> > > end of kernel
> > > end trace frame: 0x7d42519fb3f0, count: -6
> > 
> > Diff below should fix it.  I don't know how to test it.
> > 
> > ok?
> 
> Anyone?

ok jsg@

> 
> > Index: uvm/uvm_amap.c
> > ===================================================================
> > RCS file: /cvs/src/sys/uvm/uvm_amap.c,v
> > diff -u -p -r1.92 uvm_amap.c
> > --- uvm/uvm_amap.c	11 Apr 2023 00:45:09 -0000	1.92
> > +++ uvm/uvm_amap.c	30 Mar 2024 17:30:10 -0000
> > @@ -662,9 +658,10 @@ amap_copy(struct vm_map *map, struct vm_
> >  
> >  		chunk = amap_chunk_get(amap, lcv, 1, PR_NOWAIT);
> >  		if (chunk == NULL) {
> > -			/* amap_wipeout() releases the lock. */
> > -			amap->am_ref = 0;
> > -			amap_wipeout(amap);
> > +			amap_unlock(srcamap);
> > +			/* Destroy the new amap. */
> > +			amap->am_ref--;
> > +			amap_free(amap);
> >  			return;
> >  		}
> >  
> > 
> 
> 

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic