On 30/03/24(Sat) 18:38, Martin Pieuchot wrote:
> Hello Alexander,
>
> Thanks for the report.
>
> On 01/03/24(Fri) 16:39, Alexander Bluhm wrote:
> > Hi,
> >
> > An OpenBSD 7.4 machine on KVM running postgres and pagedaemon
> > crashed in amap_wipeout().
> >
> > bluhm
> >
> > kernel: protection fault trap, code=0
> > Stopped at amap_wipeout+0x76: movq %rcx,0x28(%rax)
>
> The problem is an incorrect call to amap_wipeout() in OOM situation
> inside amap_copy(). At this moment the amap being copied/allocated
> is not in the global list. That's why you see this incorrect
> dereference which corresponds to:
>
> amap_list_remove(amap);
>
> > ddb{3}> show panic
> > the kernel did not panic
> >
> > ddb{3}> trace
> > amap_wipeout(fffffd8015b154d0) at amap_wipeout+0x76
> > uvm_fault_check(ffff8000232d6a20,ffff8000232d6a58,ffff8000232d6a80) at uvm_fault_check+0x2ad
> > uvm_fault(fffffd811d150748,7d42519fb000,0,1) at uvm_fault+0xfb
> > upageflttrap(ffff8000232d6b80,7d42519fb3c0) at upageflttrap+0x65
> > usertrap(ffff8000232d6b80) at usertrap+0x1ee
> > recall_trap() at recall_trap+0x8
> > end of kernel
> > end trace frame: 0x7d42519fb3f0, count: -6
>
> Diff below should fix it. I don't know how to test it.
>
> ok?
Anyone?
> Index: uvm/uvm_amap.c
> ===================================================================
> RCS file: /cvs/src/sys/uvm/uvm_amap.c,v
> diff -u -p -r1.92 uvm_amap.c
> --- uvm/uvm_amap.c 11 Apr 2023 00:45:09 -0000 1.92
> +++ uvm/uvm_amap.c 30 Mar 2024 17:30:10 -0000
> @@ -662,9 +658,10 @@ amap_copy(struct vm_map *map, struct vm_
>
> chunk = amap_chunk_get(amap, lcv, 1, PR_NOWAIT);
> if (chunk == NULL) {
> - /* amap_wipeout() releases the lock. */
> - amap->am_ref = 0;
> - amap_wipeout(amap);
> + amap_unlock(srcamap);
> + /* Destroy the new amap. */
> + amap->am_ref--;
> + amap_free(amap);
> return;
> }
>
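Review bot: in the `chunk == NULL` branch, `amap_free(amap)` does not do what `amap_wipeout(amap)` did for state already copied into `amap` by earlier iterations of the `lcv` loop: if anons were linked into previously allocated chunks with their references bumped, the plain free must release those chunks and drop those anon references, so please confirm that `amap_free()` handles a partially populated amap or that this failure can only happen before any anon was copied. Two smaller points: `amap->am_ref--` replaces the explicit `amap->am_ref = 0` and silently assumes the freshly allocated amap holds exactly one reference, which a `KASSERT(amap->am_ref == 0)` before `amap_free()` (or keeping the assignment) would document; and the comment `/* Destroy the new amap. */` should say why `amap_wipeout()` must not be used here, namely that the new amap is not yet on the global amap list, since that is the reason for the change and the old comment about the lock is gone.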
>
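To make the failure mode in Martin's explanation concrete, here is an added userland model of the two-phase construction involved. It is my own code, not UVM's: the `obj_*` names, the `prevp` list link and the fault-injecting `xalloc()` are assumptions for illustration. It shows the two destructors an object needs (one for objects already on the global list, one for objects that never got there) and drives the OOM branch with allocation-fault injection, since the patch notes it was not tested.

```c
/*
 * Two-phase construction modelled on amap_alloc1()/amap_copy(): allocate
 * privately, fill in, publish on a global list only when complete.  A
 * teardown that unlinks from the list (amap_wipeout()) must never run on
 * an object that was never published; error paths before publication need
 * the plain free (amap_free()).  All names here are my own, not UVM's.
 */
#include <stdio.h>
#include <stdlib.h>

#define NCHUNKS 4

struct obj {
	int ref;		/* reference count, 1 after allocation */
	int published;		/* 1 once on the global list */
	void *chunk[NCHUNKS];	/* lazily allocated parts, like amap chunks */
	struct obj *next;	/* intrusive global-list links, BSD style */
	struct obj **prevp;	/* NULL while unpublished: the pointer that faults */
};

static struct obj *global_head;
static int global_count;

/* Constructed fault injection: fail the fail_at-th allocation (1-based); 0 = never. */
static int fail_at, alloc_calls;

static void *xalloc(size_t n)
{
	if (++alloc_calls == fail_at)
		return NULL;
	return calloc(1, n);
}

static void set_fail_at(int n)
{
	fail_at = n;
	alloc_calls = 0;
}

/* Like amap_alloc1(): one reference, NOT on the global list. */
static struct obj *obj_alloc1(void)
{
	struct obj *o = xalloc(sizeof *o);

	if (o != NULL)
		o->ref = 1;
	return o;
}

/* Like amap_list_insert(): publish a fully built object. */
static void obj_publish(struct obj *o)
{
	o->next = global_head;
	o->prevp = &global_head;
	if (global_head != NULL)
		global_head->prevp = &o->next;
	global_head = o;
	o->published = 1;
	global_count++;
}

static void obj_release_chunks(struct obj *o)
{
	for (int i = 0; i < NCHUNKS; i++)
		free(o->chunk[i]);	/* free(NULL) is a no-op */
}

/* Like amap_free(): for an object that never reached the list. */
static int obj_free_unpublished(struct obj *o)
{
	if (o->published || o->ref != 0)
		return -1;	/* wrong destructor, or a reference is still held */
	obj_release_chunks(o);
	free(o);
	return 0;
}

/*
 * Like amap_wipeout(): unlink, then free.  On an unpublished object prevp
 * is NULL, so "*o->prevp = o->next" would write through a bad pointer,
 * which is the reported protection fault.  Here the invariant is checked
 * and the call refused instead of faulting.
 */
static int obj_wipeout(struct obj *o)
{
	if (!o->published)
		return -1;
	*o->prevp = o->next;
	if (o->next != NULL)
		o->next->prevp = o->prevp;
	global_count--;
	obj_release_chunks(o);
	free(o);
	return 0;
}

/* Like amap_copy(): build chunk by chunk, publish only when complete. */
static struct obj *obj_copy(void)
{
	struct obj *o = obj_alloc1();

	if (o == NULL)
		return NULL;
	for (int i = 0; i < NCHUNKS; i++) {
		o->chunk[i] = xalloc(64);
		if (o->chunk[i] == NULL) {
			/* OOM before publication: drop our reference, plain free. */
			o->ref--;
			obj_free_unpublished(o);	/* not obj_wipeout() */
			return NULL;
		}
	}
	obj_publish(o);
	return o;
}

int main(void)
{
	set_fail_at(0);
	struct obj *a = obj_copy();
	set_fail_at(3);		/* call 1 = struct, 2 = chunk 0, 3 = chunk 1 fails */
	struct obj *b = obj_copy();
	printf("full copy %s, OOM copy %s, %d object(s) published\n",
	    a ? "ok" : "failed", b ? "ok" : "failed", global_count);
	obj_wipeout(a);
	return 0;
}
```

The fault injection is the part worth keeping: counting allocations and failing the n-th one lets each OOM branch of a constructor be reached deterministically, which is how a change like this one can be exercised without waiting for real memory pressure.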