
List:       openbsd-bugs
Subject:    Re: protection fault in amap_wipeout
From:       Jonathan Gray <jsg () jsg ! id ! au>
Date:       2024-04-15 13:13:40
Message-ID: Zh0oBDV7lHg8FAVI () largo ! jsg ! id ! au

On Sat, Apr 13, 2024 at 06:14:25PM +0200, Martin Pieuchot wrote:
> On 30/03/24(Sat) 18:38, Martin Pieuchot wrote:
> > Hello Alexander,
> > 
> > Thanks for the report.
> > 
> > On 01/03/24(Fri) 16:39, Alexander Bluhm wrote:
> > > Hi,
> > > 
> > > An OpenBSD 7.4 machine on KVM running postgres and pagedaemon
> > > crashed in amap_wipeout().
> > > 
> > > bluhm
> > > 
> > > kernel: protection fault trap, code=0
> > > Stopped at      amap_wipeout+0x76:      movq    %rcx,0x28(%rax)
> > 
> > The problem is an incorrect call to amap_wipeout() in an OOM situation
> > inside amap_copy().  At this moment the amap being copied/allocated
> > is not in the global list.  That's why you see this incorrect
> > dereference which corresponds to:
> > 
> > 	amap_list_remove(amap);
> > 
> > > ddb{3}> show panic
> > > the kernel did not panic
> > > 
> > > ddb{3}> trace
> > > amap_wipeout(fffffd8015b154d0) at amap_wipeout+0x76
> > > uvm_fault_check(ffff8000232d6a20,ffff8000232d6a58,ffff8000232d6a80) at uvm_fault_check+0x2ad
> > > uvm_fault(fffffd811d150748,7d42519fb000,0,1) at uvm_fault+0xfb
> > > upageflttrap(ffff8000232d6b80,7d42519fb3c0) at upageflttrap+0x65
> > > usertrap(ffff8000232d6b80) at usertrap+0x1ee
> > > recall_trap() at recall_trap+0x8
> > > end of kernel
> > > end trace frame: 0x7d42519fb3f0, count: -6
> > 
> > Diff below should fix it.  I don't know how to test it.
> > 
> > ok?
> 
> Anyone?

ok jsg@

> 
> > Index: uvm/uvm_amap.c
> > ===================================================================
> > RCS file: /cvs/src/sys/uvm/uvm_amap.c,v
> > diff -u -p -r1.92 uvm_amap.c
> > --- uvm/uvm_amap.c	11 Apr 2023 00:45:09 -0000	1.92
> > +++ uvm/uvm_amap.c	30 Mar 2024 17:30:10 -0000
> > @@ -662,9 +658,10 @@ amap_copy(struct vm_map *map, struct vm_
> >  
> >  		chunk = amap_chunk_get(amap, lcv, 1, PR_NOWAIT);
> >  		if (chunk == NULL) {
> > -			/* amap_wipeout() releases the lock. */
> > -			amap->am_ref = 0;
> > -			amap_wipeout(amap);
> > +			amap_unlock(srcamap);
> > +			/* Destroy the new amap. */
> > +			amap->am_ref--;
> > +			amap_free(amap);
> >  			return;
> >  		}
> >  
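Review bot: the new OOM branch relies on an invariant the hunk does not state, namely that the amap allocated earlier in amap_copy() carries exactly one reference here, so that `amap->am_ref--` leaves am_ref at 0 before `amap_free(amap)`; the removed code forced the count to zero explicitly. A one-line comment next to the decrement, such as `/* drop the creator's reference; am_ref is now 0 */`, would make that explicit for the next reader and for whoever later adds a second reference earlier in the function. The replacement also drops the old note that amap_wipeout() releases the lock and instead unlocks srcamap by hand before freeing the copy; that is the right order given that the new amap was never inserted on the global list (which is exactly why amap_list_remove() faulted), but the `/* Destroy the new amap. */` comment could say that the copy is unlisted and unlocked so a plain amap_free() is sufficient.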
> > 
> 
> 
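As an added illustration, not OpenBSD code and not from this thread, the following user-space C model reproduces the life-cycle mismatch the fix addresses: a freshly allocated object that has not yet been inserted on the global list must be torn down with the storage-only free, not with the full wipeout that begins by unlinking it. The function names mirror uvm_amap.c where that helps (amap_alloc, amap_copy, amap_wipeout, amap_free, amap_list_insert, amap_list_remove), but the struct layout, the chunk_budget fault injection, the live_amaps counter and the COPY_* return codes are this example's own assumptions. The one deliberate departure from the kernel is that amap_list_remove() here checks an on-list flag and reports failure instead of dereferencing stale link pointers, so the removed path returns COPY_FAULT where the real kernel took the protection fault in amap_wipeout+0x76.

```c
/* Constructed user-space model of the amap life cycle; not OpenBSD code. */
#include <stdlib.h>
enum { COPY_OK = 0, COPY_OOM = -1, COPY_FAULT = -2 };
struct amap {
	int am_ref;                      /* references; amap_free() needs 0 */
	int am_nslot;                    /* chunk slots in use, at most 8 */
	void *am_chunks[8];              /* one heap block per slot */
	struct amap *am_prev, *am_next;  /* global list links */
	int am_on_list;                  /* set only by amap_list_insert() */
};
struct amap *amap_list_head;
int live_amaps;          /* allocated minus freed, to spot leaks */
int chunk_budget = -1;   /* fault injection: -1 unlimited, else N more */

void amap_list_insert(struct amap *amap)
{
	amap->am_prev = NULL;
	amap->am_next = amap_list_head;
	if (amap_list_head != NULL)
		amap_list_head->am_prev = amap;
	amap_list_head = amap;
	amap->am_on_list = 1;
}
/* Returns -1 instead of dereferencing stale links, which is where the kernel faulted. */
static int amap_list_remove(struct amap *amap)
{
	if (!amap->am_on_list)
		return -1;
	if (amap->am_prev != NULL)
		amap->am_prev->am_next = amap->am_next;
	else
		amap_list_head = amap->am_next;
	if (amap->am_next != NULL)
		amap->am_next->am_prev = amap->am_prev;
	amap->am_on_list = 0;
	return 0;
}
static void *amap_chunk_get(void)
{
	if (chunk_budget == 0)
		return NULL;         /* simulated PR_NOWAIT failure */
	if (chunk_budget > 0)
		chunk_budget--;
	return malloc(64);
}
struct amap *amap_alloc(int nslot)
{
	struct amap *amap = nslot <= 8 ? calloc(1, sizeof(*amap)) : NULL;
	if (amap == NULL)
		return NULL;
	amap->am_nslot = nslot;
	amap->am_ref = 1;        /* the creator's reference */
	live_amaps++;
	return amap;
}
/* Releases storage only; never touches the global list. */
static void amap_free(struct amap *amap)
{
	if (amap->am_ref != 0)
		abort();         /* caller must drop its reference first */
	for (int i = 0; i < amap->am_nslot; i++)
		free(amap->am_chunks[i]);
	free(amap);
	live_amaps--;
}
/* Full teardown, valid only for an amap on the global list. The model frees
 * the storage even when unlinking fails so it does not leak; the kernel
 * never got that far. */
static int amap_wipeout(struct amap *amap)
{
	int rv = amap_list_remove(amap);
	amap_free(amap);
	return rv;
}
/* Copy src. use_wipeout selects the removed OOM path (am_ref = 0;
 * amap_wipeout) instead of the added one (am_ref--; amap_free). */
int amap_copy_model(const struct amap *src, int use_wipeout, struct amap **out)
{
	struct amap *amap = amap_alloc(src->am_nslot);
	if (amap == NULL)
		return COPY_OOM;
	for (int i = 0; i < src->am_nslot; i++) {
		void *chunk = amap_chunk_get();
		if (chunk == NULL) {
			if (use_wipeout) {       /* removed path: copy is not listed yet */
				amap->am_ref = 0;
				return amap_wipeout(amap) == 0 ? COPY_OOM : COPY_FAULT;
			}
			amap->am_ref--;          /* added path: creator's reference, now 0 */
			amap_free(amap);
			return COPY_OOM;
		}
		amap->am_chunks[i] = chunk;
	}
	amap_list_insert(amap);  /* the copy becomes globally visible only here */
	*out = amap;
	return COPY_OK;
}
```

Setting chunk_budget to 2 before copying a four-slot source makes the third amap_chunk_get() fail, so the same OOM point is reached through both branches: with use_wipeout the model reports COPY_FAULT because the unlisted copy cannot be unlinked, and without it the copy is released with amap_free() alone, the global list is untouched and live_amaps returns to its previous value.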

