On Tue, Oct 02, 2018 at 07:35:29PM -0700, Greg Steuck wrote:
> We got "lucky" in a different way after enabling VMM_DEBUG. I captured some
> details of a crash. The fault address seems to be
> vm_map(=0xffff800000b44200) + 0x100.
>
> The kernel is built with this config:
> ci-openbsd$ cat /syzkaller/src/sys/arch/amd64/conf/VMM_DEBUG
> include "arch/amd64/conf/GENERIC.MP"
> option VMM_DEBUG
>

Oh, if this is the issue then it's not "spinning". And this bug is a known
issue, I just haven't had a chance to fix it yet. Maybe this weekend.

-ml

> Still this commit:
> commit 44df374beffdeeab308e9c219092e1c860fc97a9 (HEAD)
>
> Author: kevlo <[email protected]>
> Date: Tue Oct 2 02:05:34 2018 +0000
>
> Add support for RT3290 chipset by James Hastings.
>
> Tested by me and James Hastings.
>
> Logs:
>
> SeaBIOS (version 1.8.2-20171012_061934-google)
> Total RAM Size = 0x0000000400000000 = 16384 MiB
> CPUs found: 8 Max CPUs supported: 8
> found virtio-scsi at 0:3
> virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0
> removable=0
> virtio-scsi blksize=512 sectors=20971520 = 10240 MiB
> virtio-scsi vendor='Google' product='PersistentDisk' rev='1' type=0
> removable=0
> virtio-scsi blksize=512 sectors=2097152000 = 1024000 MiB
> drive 0x000f2bc0: PCHS=0/0/0 translation=lba LCHS=1024/255/63 s=20971520
> drive 0x000f2b80: PCHS=0/0/0 translation=lba LCHS=1024/255/63 s=2097152000
> Booting from Hard Disk 0...
> >> OpenBSD/amd64 BOOT 3.41
> boot>
> [ using 2143328 bytes of bsd ELF symbol table ]
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California. All rights reserved.
> Copyright (c) 1995-2018 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
>
> OpenBSD 6.4 (VMM_DEBUG) #0: Tue Oct 2 10:37:13 PDT 2018
> [email protected]
> :/syzkaller/src/sys/arch/amd64/compile/VMM_DEBUG
> real mem = 17163079680 (16367MB)
> avail mem = 16633610240 (15863MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xbffffcf0 (20 entries)
> bios0: vendor Google version "Google" date 01/01/2011
> bios0: Google Google Compute Engine
> acpi0 at bios0: rev 0
> acpi0: sleep states S3 S4 S5
> acpi0: tables DSDT FACP SSDT APIC WAET SRAT
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU @ 2.30GHz, 2300.55 MHz, 06-3f-00
> cpu0:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 990MHz
> cpu1 at mainbus0: apid 2 (application processor)
> cpu1: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.88 MHz, 06-3f-00
> cpu1:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 4 (application processor)
> cpu2: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.87 MHz, 06-3f-00
> cpu2:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu2: 256KB 64b/line 8-way L2 cache
> cpu2: smt 0, core 2, package 0
> cpu3 at mainbus0: apid 6 (application processor)
> cpu3: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.89 MHz, 06-3f-00
> cpu3:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu3: 256KB 64b/line 8-way L2 cache
> cpu3: smt 0, core 3, package 0
> cpu4 at mainbus0: apid 1 (application processor)
> cpu4: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.88 MHz, 06-3f-00
> cpu4:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu4: 256KB 64b/line 8-way L2 cache
> cpu4: smt 1, core 0, package 0
> cpu5 at mainbus0: apid 3 (application processor)
> cpu5: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.88 MHz, 06-3f-00
> cpu5:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu5: 256KB 64b/line 8-way L2 cache
> cpu5: smt 1, core 1, package 0
> cpu6 at mainbus0: apid 5 (application processor)
> cpu6: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.94 MHz, 06-3f-00
> cpu6:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu6: 256KB 64b/line 8-way L2 cache
> cpu6: smt 1, core 2, package 0
> cpu7 at mainbus0: apid 7 (application processor)
> cpu7: Intel(R) Xeon(R) CPU @ 2.30GHz, 2276.91 MHz, 06-3f-00
> cpu7:
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
> cpu7: 256KB 64b/line 8-way L2 cache
> cpu7: smt 1, core 3, package 0
> ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 halt!)
> acpicpu2 at acpi0: C1(@1 halt!)
> acpicpu3 at acpi0: C1(@1 halt!)
> acpicpu4 at acpi0: C1(@1 halt!)
> acpicpu5 at acpi0: C1(@1 halt!)
> acpicpu6 at acpi0: C1(@1 halt!)
> acpicpu7 at acpi0: C1(@1 halt!)
> "ACPI0006" at acpi0 not configured
> acpicmos0 at acpi0
> "QEMU0001" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> "ACPI0007" at acpi0 not configured
> pvbus0 at mainbus0: KVM
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
> pcib0 at pci0 dev 1 function 0 "Intel 82371AB PIIX4 ISA" rev 0x03
> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: SMBus
> disabled
> virtio0 at pci0 dev 3 function 0 "Qumranet Virtio SCSI" rev 0x00
> vioscsi0 at virtio0: qsize 8192
> scsibus1 at vioscsi0: 253 targets
> sd0 at scsibus1 targ 1 lun 0: <Google, PersistentDisk, 1> SCSI4 0/direct
> fixed serial.Google_PersistentDisk_
> sd0: 10240MB, 512 bytes/sector, 20971520 sectors, thin
> sd1 at scsibus1 targ 2 lun 0: <Google, PersistentDisk, 1> SCSI4 0/direct
> fixed serial.Google_PersistentDisk_
> sd1: 1024000MB, 512 bytes/sector, 2097152000 sectors, thin
> virtio0: msix shared
> virtio1 at pci0 dev 4 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio1: address 42:01:0a:80:00:3f
> virtio1: msix per-VQ
> isa0 at pcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> com2 at isa0 port 0x3e8/8 irq 5: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0 mux 1
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
> vscsi0 at root
> scsibus2 at vscsi0: 256 targets
> softraid0 at root
> scsibus3 at softraid0: 256 targets
> root on sd0a (dd61083aafe9fd0b.a) swap on sd0b dump on sd0b
> Automatic boot in progress: starting file system checks.
> /dev/sd0a (dd61083aafe9fd0b.a): file system is clean; not checking
> setting tty flags
> pf enabled
> kern.nosuidcoredump: 1 -> 3
> starting network
> vio0: bound to 10.128.0.63 from 169.254.169.254 (42:01:0a:80:00:01)
> reordering libraries: done.
> starting early daemons: syslogd pflogd ntpd.
> starting RPC daemons:.
> savecore: no core dump
> checking quotas: done.
> clearing /tmp
> kern.securelevel: 0 -> 1
> creating runtime link editor directory cache.
> preserving editor files.
> starting network daemons: sshd vmd.
> + echo starting syz-ci
> starting syz-ci
> + fsck -y /dev/sd1a
> ** /dev/rsd1a
> ** File system is clean; not checking
> + mount /syzkaller
> + mkdir -p /syzkaller/ramdisk
> + mount -t mfs -o-s=10G /dev/sd0b /syzkaller/ramdisk
> + chown syzkaller:syzkaller /syzkaller/ramdisk
> + su -l syzkaller
> + << EOF2
> + test -x syz-ci
> + ./syz-ci -config ./config-openbsd.ci
> + 2>&1
> + tee syz-ci.log
> starting local daemons: cron.
>
> Tue Oct 2 10:56:09 PDT 2018
>
> OpenBSD/amd64 (ci-openbsd.syzkaller) (tty00)
>
> login: vm_impl_init_vmx: created vm_map @ 0xffff800000b27700
> vm_impl_init_vmx: created vm_map @ 0xffff800000b27200
> vm_impl_init_vmx: created vm_map @ 0xffff800000b27800
> vm_resetcpu: resetting vm 2 vcpu 0 to power on defaults
> Guest EPTP = 0x11f07101e
> vm_resetcpu: resetting vm 1 vcpu 0 to power on defaults
> Guest EPTP = 0x11f05b01e
> vm_resetcpu: resetting vm 3 vcpu 0 to power on defaults
> Guest EPTP = 0x3b688401e
> vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not
> supported
> vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not
> supported
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not
> supported
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
> vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
> vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
> vmm_handle_cpuid: unsupported rax=0x40000100
> vmm_handle_cpuid: unsupported rax=0x40000100
> vmm_handle_cpuid: unsupported rax=0x40000100
> vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
> vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
> vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest
> rip=0xffffffff8138f075 - resetting to 0xd
> vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from
> guest=0x70106:0x70106
> vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest
> rip=0xffffffff8138f075 - resetting to 0xd
> vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from
> guest=0x70106:0x70106
> vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
> vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest
> rip=0xffffffff8138f075 - resetting to 0xd
> vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from
> guest=0x70106:0x70106
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vm_impl_init_vmx: created vm_map @ 0xffff800000b44200
> vm_resetcpu: resetting vm 4 vcpu 0 to power on defaults
> Guest EPTP = 0x3befc301e
> vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not
> supported
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
> vmm_handle_cpuid: unsupported rax=0x40000100
> vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
> vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest
> rip=0xffffffff8138f075 - resetting to 0xd
> vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from
> guest=0x70106:0x70106
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vm_impl_init_vmx: created vm_map @ 0xffff800000b44700
> vm_resetcpu: resetting vm 5 vcpu 0 to power on defaults
> Guest EPTP = 0x3c27f401e
> vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not
> supported
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
> vmm_handle_cpuid: unsupported rax=0x40000100
> vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
> vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest
> rip=0xffffffff8138f075 - resetting to 0xd
> vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from
> guest=0x70106:0x70106
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vm_impl_init_vmx: created vm_map @ 0xffff800000b27100
> vm_resetcpu: resetting vm 6 vcpu 0 to power on defaults
> Guest EPTP = 0x3befc401e
> vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not
> supported
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
> vmm_handle_cpuid: unsupported rax=0x40000100
> vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
> vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest
> rip=0xffffffff8138f075 - resetting to 0xd
> vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from
> guest=0x70106:0x70106
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vm_impl_init_vmx: created vm_map @ 0xffff800000b44f00
> vm_resetcpu: resetting vm 7 vcpu 0 to power on defaults
> Guest EPTP = 0x3c27fa01e
> vmm_handle_cpuid: function 0x07 (SEFF) unsupported subleaf 0x6c65746e not
> supported
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> vmx_handle_cr: mov to cr0 @ 100060a, data=0xe0010031
> vmm_handle_cpuid: unsupported rax=0x40000100
> vmm_handle_cpuid: function 0x06 (thermal/power mgt) not supported
> vmm_handle_cpuid: invalid cpuid input leaf 0x15, guest
> rip=0xffffffff8138f075 - resetting to 0xd
> vmx_handle_wrmsr: wrmsr exit, msr=0x277, discarding data written from
> guest=0x70106:0x70106
> vmm_handle_cpuid: function 0x0a (arch. perf mon) not supported
> uvm_fault(0xffffffff81ced808, 0xffff800000b45000, 0, 1) -> e
> kernel: page fault trap, code=0
> Stopped at uvm_unmap_remove+0x212: movq 0x100(%r13),%r8
> ddb{3}> show registers
> rdi 0x2a549b acpi_pdirpa+0x291303
> rsi 0
> rbp 0xffff8000221a5bc0
> rbx 0xffff8000221a5b80
> rdx 0x11f010 acpi_pdirpa+0x10ae78
> rcx 0
> rax 0xffffff01152bad80
> r8 0x3
> r9 0xa0000 acpi_pdirpa+0x8be68
> r10 0xd0bcf2dd46b2b746
> r11 0xdb541ee3f9c6bb0f
> r12 0xffffff03ae5b9798
> r13 0xffff800000b44f00
> r14 0xffffff03ae5b98e8
> r15 0x20000000
> rip 0xffffffff813aac22 uvm_unmap_remove+0x212
> cs 0x8
> rflags 0x10246 __ALIGN_SIZE+0xf246
> rsp 0xffff8000221a5b70
> ss 0x10
> uvm_unmap_remove+0x212: movq 0x100(%r13),%r8
> ddb{3}> show uvm
> Current UVM status:
> pagesize=4096 (0x1000), pagemask=0xfff, pageshift=12
> 4063012 VM pages: 248880 active, 22841 inactive, 0 wired, 3618910 free
> (45236
> 3 zero)
> min 10% (25) anon, 10% (25) vnode, 5% (12) vtext
> freemin=135433, free-target=180577, inactive-target=0, wired-max=1354337
> faults=1834393, traps=1968492, intrs=259893, ctxswitch=2128046 fpuswitch=0
> softint=711009, syscalls=54992133, kmapent=28
> fault counts:
> noram=0, noanon=0, noamap=0, pgwait=0, pgrele=0
> ok relocks(total)=44885(44947), anget(retries)=186943(0),
> amapcopy=138714
> neighbor anon/obj pg=176803/119887, gets(lock/unlock)=85155/44947
> cases: anon=174733, anoncow=12210, obj=76574, prcopy=8519,
> przero=1562349
> daemon and swap counts:
> woke=0, revs=0, scans=0, obscans=0, anscans=0
> busy=0, freed=0, reactivate=0, deactivate=0
> pageouts=0, pending=0, nswget=0
> nswapdev=1
> swpages=262143, swpginuse=0, swpgonly=0 paging=0
> kernel pointers:
> objs(kern)=0xffffffff81d0dfa8
> ddb{3}> show bcstats
> Current Buffer Cache status:
> numbufs 13807 busymapped 0, delwri 14
> kvaslots 6553 avail kva slots 6553
> bufpages 157098, dmapages 156346, dirtypages 224
> pendingreads 0, pendingwrites 0
> highflips 188, highflops 0, dmaflips 0
> ddb{3}> trace
> uvm_unmap_remove(44d1cccf70f0c14e,ffffff03af20df28,ffff800000b44f00,ffffff03af2
> 0df18,ffff8000fffeab80,0) at uvm_unmap_remove+0x212
> uvm_map_deallocate(afb692e07744b9d) at uvm_map_deallocate+0x5e
> vm_teardown(ffffff03af20df28) at vm_teardown+0xf0
> vm_terminate(4d5b55e959cb995b) at vm_terminate+0x192
> VOP_IOCTL(57a3eaddf57314b9,ffffff03c0cd75f0,aa07f3f3f1aae2e8,ffff8000220e7528,f
> fffff043f7ca3c0,ffff800000000003) at VOP_IOCTL+0x5a
> vn_ioctl(7a3832e847fe16c7,ffffff03bef01088,ffff8000220e7528,4) at
> vn_ioctl+0x6b
>
> sys_ioctl(4c28df5ce452af20,360,ffff8000220e7528) at sys_ioctl+0x3ec
> syscall(2f430d22c712d672) at syscall+0x32a
> Xsyscall(6,36,1,36,7f7ffffc8f38,154b669bd800) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7ffffc8f20, count: -9
> ddb{3}> show panic
> kernel page fault
> uvm_fault(0xffffffff81ced808, 0xffff800000b45000, 0, 1) -> e
> uvm_unmap_remove(44d1cccf70f0c14e,ffffff03af20df28,ffff800000b44f00,ffffff03af2
> 0df18,ffff8000fffeab80,0) at uvm_unmap_remove+0x212
> end trace frame: 0xffff8000221a5c00, count: 0
> ddb{3}> trace
> uvm_unmap_remove(44d1cccf70f0c14e,ffffff03af20df28,ffff800000b44f00,ffffff03af2
> 0df18,ffff8000fffeab80,0) at uvm_unmap_remove+0x212
> uvm_map_deallocate(afb692e07744b9d) at uvm_map_deallocate+0x5e
> vm_teardown(ffffff03af20df28) at vm_teardown+0xf0
> vm_terminate(4d5b55e959cb995b) at vm_terminate+0x192
> VOP_IOCTL(57a3eaddf57314b9,ffffff03c0cd75f0,aa07f3f3f1aae2e8,ffff8000220e7528,f
> fffff043f7ca3c0,ffff800000000003) at VOP_IOCTL+0x5a
> vn_ioctl(7a3832e847fe16c7,ffffff03bef01088,ffff8000220e7528,4) at
> vn_ioctl+0x6b
>
> sys_ioctl(4c28df5ce452af20,360,ffff8000220e7528) at sys_ioctl+0x3ec
> syscall(2f430d22c712d672) at syscall+0x32a
> Xsyscall(6,36,1,36,7f7ffffc8f38,154b669bd800) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7ffffc8f20, count: -9
> ddb{3}> machine ddbcpu 0
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{0}> trace
> x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(4,ffffffff81cb4ff0,0,0,0,0) at Xresume_lapic_ipi+0x23
> _kernel_lock(2f430d22c72c0929,0) at _kernel_lock+0xa0
> Xsoftclock(0,ffffffff81cb4ff0,154b45ccbe98,0,360,ffff800022168980) at
> Xsoftcloc
> k+0x1f
> _kernel_lock(2f430d22c712d672,0) at _kernel_lock+0xa2
> Xsyscall(6,36,ffff,36,1549443b2ee0,154944332e20) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x154b45ccbf00, count: -7
> ddb{0}> machine ddbcpu 1
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{1}> trace
> x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(c,ffff800022008ff0,ffffff03c91e5c78,0,0,ffff8000220e6e20)
> at X
> resume_lapic_ipi+0x23
> ___mp_acquire_count(5fc7dbe4cddc104b,202) at ___mp_acquire_count+0x82
> mi_switch() at mi_switch+0x284
> sleep_finish(4f65d4dca25e8b44,ffff80002213e8b0) at sleep_finish+0x7f
> sleep_finish_all(bb564a080f93a3cd,ffff80002213e8b0) at sleep_finish_all+0x1f
> tsleep(ec8de469adcead5c,ffffff03c24e9ea8,ffff80002213e9e0,40) at tsleep+0xcd
> kqueue_scan(c3f2a33c1aebefd9,ffffff03c24e9ea0,0,ffff80002213ed10,ffff80002213ed
> 00,ffff8000220e6e20) at kqueue_scan+0x50c
> sys_kevent(498f516e1701a4e8,480,ffff8000220e6e20) at sys_kevent+0x2e4
> syscall(2f430d22c712d672) at syscall+0x32a
> Xsyscall(6,48,7f7ffffe6bc0,48,0,1aaa39bbd800) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7ffffe6b80, count: -12
> ddb{1}> machine ddbcpu 2
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{2}> trace
> x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,ffff800022019ff0,3,0,ffff,ffff8000fffe95c0) at
> Xresume_lapi
> c_ipi+0x23
> _kernel_lock(b4b9e7642801437d,ffffff03af20d988) at _kernel_lock+0xa2
> vm_run(4968c378ff2b0243) at vm_run+0x1d2
> VOP_IOCTL(57a3eaddf57314b9,ffffff03c0cd75f0,aa07f3f3f1aae2e8,ffff8000221699e8,f
> fffff043f7ca3c0,ffff800000000003) at VOP_IOCTL+0x5a
> vn_ioctl(7a3832e847fe16c7,ffffff03bef01088,ffff8000221699e8,20) at
> vn_ioctl+0x6
> b
> sys_ioctl(4c28df5ce452af20,360,ffff8000221699e8) at sys_ioctl+0x3ec
> syscall(2f430d22c712d672) at syscall+0x32a
> Xsyscall(0,36,0,36,1549443b2ee0,154944332e20) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x154c07f45dc0, count: -10
> ddb{2}> machine ddbcpu 3
> Stopped at uvm_unmap_remove+0x212: movq 0x100(%r13),%r8
> ddb{3}> trace
> uvm_unmap_remove(44d1cccf70f0c14e,ffffff03af20df28,ffff800000b44f00,ffffff03af2
> 0df18,ffff8000fffeab80,0) at uvm_unmap_remove+0x212
> uvm_map_deallocate(afb692e07744b9d) at uvm_map_deallocate+0x5e
> vm_teardown(ffffff03af20df28) at vm_teardown+0xf0
> vm_terminate(4d5b55e959cb995b) at vm_terminate+0x192
> VOP_IOCTL(57a3eaddf57314b9,ffffff03c0cd75f0,aa07f3f3f1aae2e8,ffff8000220e7528,f
> fffff043f7ca3c0,ffff800000000003) at VOP_IOCTL+0x5a
> vn_ioctl(7a3832e847fe16c7,ffffff03bef01088,ffff8000220e7528,4) at
> vn_ioctl+0x6b
>
> sys_ioctl(4c28df5ce452af20,360,ffff8000220e7528) at sys_ioctl+0x3ec
> syscall(2f430d22c712d672) at syscall+0x32a
> Xsyscall(6,36,1,36,7f7ffffc8f38,154b669bd800) at Xsyscall+0x128
> end of kernel
> end trace frame: 0x7f7ffffc8f20, count: -9
> ddb{3}> machine ddbcpu 4
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{4}> trace
> x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,0,1388,0,ffff800000022a00,ffff80002202c6b0) at
> Xresume_lapi
> c_ipi+0x23
> acpicpu_idle() at acpicpu_idle+0x281
> sched_idle(0) at sched_idle+0x245
> end trace frame: 0x0, count: -5
> ddb{4}> machine ddbcpu 5
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{5}> trace
> x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,0,1388,0,ffff800000022a60,ffff8000220356b0) at
> Xresume_lapi
> c_ipi+0x23
> acpicpu_idle() at acpicpu_idle+0x281
> sched_idle(0) at sched_idle+0x245
> end trace frame: 0x0, count: -5
> ddb{5}> machine ddbcpu 6
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{6}> trace
> x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,0,1388,0,ffff800000022aa0,ffff80002203e6b0) at
> Xresume_lapi
> c_ipi+0x23
> acpicpu_idle() at acpicpu_idle+0x281
> sched_idle(0) at sched_idle+0x245
> end trace frame: 0x0, count: -5
> ddb{6}> machine ddbcpu 7
> Stopped at x86_ipi_db+0x12: popq %r11
> ddb{7}> trace
> x86_ipi_db(9f7125898da98c60) at x86_ipi_db+0x12
> x86_ipi_handler() at x86_ipi_handler+0x80
> Xresume_lapic_ipi(0,0,1388,0,ffff800000022ae0,ffff8000220476b0) at
> Xresume_lapi
> c_ipi+0x23
> acpicpu_idle() at acpicpu_idle+0x281
> sched_idle(0) at sched_idle+0x245
> end trace frame: 0x0, count: -5
> ddb{7}>
>
> 75909 98659 98458 107 3 0x4100090 fsleep vmd
> 75909 520548 98458 107 3 0x4100090 kqread vmd
> 72563 152888 36719 1000 3 0x100082 kqread cu
> 31544 86900 6660 1000 3 0x100083 ttyin sh
> 6660 393208 69188 1000 3 0x10008b pause ksh
> 69188 422355 70910 1000 3 0x90 select sshd
> 70910 469490 42311 0 3 0x92 poll sshd
> 77741 311020 36719 1000 3 0x100082 select ssh
> 98046 73968 36719 1000 3 0x100082 select ssh
> 65876 294564 98458 107 3 0x100090 fsleep vmd
> 65876 355927 98458 107 7 0x4100010 vmd
> 65876 290815 98458 107 3 0x4100090 kqread vmd
> 76344 172390 98458 107 3 0x100090 fsleep vmd
> 76344 313650 98458 107 7 0x4100010 vmd
> 76344 313492 98458 107 3 0x4100090 kqread vmd
> 43125 25647 36719 1000 3 0x100082 kqread cu
> 10661 491560 36719 1000 3 0x100082 kqread cu
> 36719 369167 78910 1000 3 0x82 wait syz-manager
> 36719 344670 78910 1000 3 0x4000082 nanosleep syz-manager
> 36719 342133 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 437023 78910 1000 3 0x4000082 kqread syz-manager
> 36719 246037 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 448056 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 55877 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 63574 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 9314 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 374331 78910 1000 3 0x4000082 nanosleep syz-manager
> 36719 312249 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 177228 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 193073 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 172834 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 276406 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 116842 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 400281 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 517174 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 33034 78910 1000 3 0x4000082 thrsleep syz-manager
> 36719 51166 78910 1000 3 0x4000082 thrsleep syz-manager
> 56831 285988 1 0 3 0x100083 ttyin getty
> 46580 302811 1 0 3 0x100098 poll cron
> 41577 146375 1 1000 3 0x100083 piperd tee
> 78910 158261 1 1000 3 0x83 thrsleep syz-ci
> 78910 492581 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 187554 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 302523 1 1000 3 0x4000083 kqread syz-ci
> 78910 42140 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 98351 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 293366 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 274983 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 220652 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 81881 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 351811 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 849 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 22847 1 1000 3 0x4000083 wait syz-ci
> 78910 134511 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 266881 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 332277 1 1000 3 0x4000083 thrsleep syz-ci
> 78910 86226 1 1000 3 0x4000083 thrsleep syz-ci
> 70312 392767 1 0 3 0x80 mfsidl mount_mfs
> 51730 34439 1 0 3 0x100080 kqread vmd
> *98458 83239 1 107 7 0x100012 vmd
> 29269 182472 1 107 3 0x100092 kqread vmd
> 2965 312618 1 0 3 0x92 kqread vmd
> 42311 326700 1 0 3 0x80 select sshd
> 69323 248571 37758 83 3 0x100092 poll ntpd
> 37758 332004 64168 83 3 0x100092 poll ntpd
> 64168 228197 1 0 3 0x100080 poll ntpd
> 51883 6706 27507 74 3 0x100092 bpf pflogd
> 27507 202290 1 0 3 0x80 netio pflogd
> 10928 97553 86776 73 7 0x100090 syslogd
> 86776 160925 1 0 3 0x100082 netio syslogd
> 45980 55090 1 77 3 0x100090 poll dhclient
> 87711 334773 1 0 3 0x80 poll dhclient
> 60259 386314 0 0 3 0x14200 pgzero zerothread
> 17324 31150 0 0 3 0x14200 aiodoned aiodoned
> 90110 311109 0 0 3 0x14200 syncer update
> 13835 86777 0 0 3 0x14200 cleaner cleaner
> 50914 55800 0 0 3 0x14200 reaper reaper
> 95240 140341 0 0 3 0x14200 pgdaemon pagedaemon
> 7054 382711 0 0 3 0x14200 bored crynlk
> 86581 108259 0 0 3 0x14200 bored crypto
> 12742 161682 0 0 3 0x40014200 acpi0 acpi0
> 13196 391981 0 0 7 0x40014200 idle7
> 95224 83812 0 0 7 0x40014200 idle6
> 13741 57385 0 0 7 0x40014200 idle5
> 80243 30890 0 0 7 0x40014200 idle4
> 45207 455294 0 0 3 0x40014200 idle3
> 55689 61935 0 0 3 0x40014200 idle2
> 26997 523249 0 0 3 0x40014200 idle1
> 91848 76499 0 0 3 0x14200 bored softnet
> 97774 352546 0 0 3 0x14200 bored systqmp
> 63560 114974 0 0 3 0x14200 bored systq
> 89082 449782 0 0 3 0x40014200 bored softclock
> 98578 254644 0 0 3 0x40014200 idle0
> 1 62172 0 0 3 0x82 wait init
> 0 0 -1 0 3 0x10200 scheduler swapper
>
> The relevant disassembly looks like this:
>
> 000000000001c10 <uvm_unmap_remove>:
> uvm_unmap_remove():
> ...
> syzkaller/src/sys/uvm/uvm_map.c:2125
> 1de0: 4c 89 ef mov %r13,%rdi
> 1de3: 4c 89 e6 mov %r12,%rsi
> 1de6: e8 c5 1e 00 00 callq 3cb0 <uvm_unmap_kill_entry>
> /syzkaller/src/sys/uvm/uvm_map.c:2128
> 1deb: 41 f6 45 44 40 testb $0x40,0x44(%r13)
> 1df0: 0f 84 ba 00 00 00 je 1eb0 <uvm_unmap_remove+0x2a0>
> /syzkaller/src/sys/uvm/uvm_map.c:2129
> 1df6: 49 83 7c 24 60 00 cmpq $0x0,0x60(%r12)
> 1dfc: 0f 85 ae 00 00 00 jne 1eb0 <uvm_unmap_remove+0x2a0>
> /syzkaller/src/sys/uvm/uvm_map.c:2128
> 1e02: 41 f6 84 24 80 00 00 testb $0x10,0x80(%r12)
> 1e09: 00 10
> 1e0b: 0f 85 9f 00 00 00 jne 1eb0 <uvm_unmap_remove+0x2a0>
> /syzkaller/src/sys/uvm/uvm_map.c:2132
> 1e11: 49 8b 4c 24 40 mov 0x40(%r12),%rcx
> 1e16: 4d 8b 4c 24 48 mov 0x48(%r12),%r9
> uvmspace_dused():
> /syzkaller/src/sys/uvm/uvm_map.c:494
> 1e1b: 49 8b b5 f8 00 00 00 mov 0xf8(%r13),%rsi
> 1e22: 4d 8b 85 00 01 00 00 mov 0x100(%r13),%r8
> 1e29: 4c 39 c6 cmp %r8,%rsi
> 1e2c: 4c 89 c2 mov %r8,%rdx
> 1e2f: 48 0f 42 d6 cmovb %rsi,%rdx
> /syzkaller/src/sys/uvm/uvm_map.c:495
> 1e33: 4c 0f 47 c6 cmova %rsi,%r8
> /syzkaller/src/sys/uvm/uvm_map.c:498
> 1e37: 4c 39 c9 cmp %r9,%rcx
> 1e3a: 75 04 jne 1e40 <uvm_unmap_remove+0x230>
> 1e3c: 31 f6 xor %esi,%esi
> 1e3e: eb 5a jmp 1e9a <uvm_unmap_remove+0x28a>
> 1e40: 49 89 da mov %rbx,%r10
> 1e43: 31 f6 xor %esi,%esi
> 1e45: eb 09 jmp 1e50 <uvm_unmap_remove+0x240>
>
> --
> nest.cx is Gmail hosted, use PGP for anything private. Key:
> http://goo.gl/6dMsr
> Fingerprint: 5E2B 2D0E 1E03 2046 BEC3 4D50 0B15 42BD 8DF5 A1B0
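A small triage script for a dump like the one quoted above. It is an added example, not code from the report or from the OpenBSD tree: it takes the uvm_fault() line, the "Stopped at" instruction and the "show registers" output, computes the address of the faulting memory operand (%r13 + 0x100) and checks it against the faulting address, then flags whether that read crosses a page boundary. With the report's numbers, 0xffff800000b44f00 + 0x100 = 0xffff800000b45000, which is both the faulting address and the first byte of the next page, i.e. the field read at uvm_map.c:494 (inside the inlined uvmspace_dused(), per the disassembly) lies past the end of the page that holds the object %r13 points at. The page size and the excerpt are taken from the report; the argument order of uvm_fault(map, vaddr, fault_type, access_type) is assumed from the kernel's prototype.

```python
"""Triage helper for an OpenBSD ddb page-fault dump (added example, not from the report)."""
import re

# From the report's "show uvm" output: pagesize=4096.
PAGE_SIZE = 4096

# Constructed excerpt: the relevant lines copied from the report's ddb session.
DDB_EXCERPT = """\
uvm_fault(0xffffffff81ced808, 0xffff800000b45000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at uvm_unmap_remove+0x212: movq 0x100(%r13),%r8
ddb{3}> show registers
rsi 0
r8 0x3
r12 0xffffff03ae5b9798
r13 0xffff800000b44f00
rip 0xffffffff813aac22 uvm_unmap_remove+0x212
rflags 0x10246 __ALIGN_SIZE+0xf246
"""

# uvm_fault(map, vaddr, fault_type, access_type) -> error. Argument order is
# assumed from the kernel's uvm_fault() prototype.
FAULT_RE = re.compile(
    r"uvm_fault\((0x[0-9a-f]+),\s*(0x[0-9a-f]+),\s*(\d+),\s*(\d+)\)\s*->\s*([0-9a-f]+)")
# "Stopped at <sym+off>: <mnemonic> <disp>(<%base>),..." in AT&T syntax.
STOP_RE = re.compile(
    r"Stopped at\s+(\S+):\s+(\w+)\s+(-?0x[0-9a-f]+|-?\d+)\((%\w+)\)")
# One "<reg> <value> [symbol]" line of "show registers".
REG_RE = re.compile(r"^\s*([a-z][a-z0-9]{1,5})\s+(0x[0-9a-f]+|\d+)\b", re.M)


def parse_fault(text):
    m = FAULT_RE.search(text)
    if m is None:
        raise ValueError("no uvm_fault() line in dump")
    return {"map": int(m[1], 16), "vaddr": int(m[2], 16),
            "fault_type": int(m[3]), "access_type": int(m[4]),
            "error": int(m[5], 16)}


def parse_stop(text):
    m = STOP_RE.search(text)
    if m is None:
        raise ValueError("no memory-operand 'Stopped at' line in dump")
    return {"location": m[1], "mnemonic": m[2],
            "disp": int(m[3], 0), "base_reg": m[4].lstrip("%")}


def parse_registers(text):
    return {name: int(value, 0) for name, value in REG_RE.findall(text)}


def analyze(text):
    fault = parse_fault(text)
    stop = parse_stop(text)
    regs = parse_registers(text)
    base = regs[stop["base_reg"]]
    target = base + stop["disp"]
    return {
        "location": stop["location"],
        "base_reg": stop["base_reg"],
        "base": base,
        "disp": stop["disp"],
        "target": target,
        "fault_vaddr": fault["vaddr"],
        # The operand address must equal the faulting address; otherwise the
        # "Stopped at" instruction is not the access that trapped.
        "operand_explains_fault": target == fault["vaddr"],
        # Base and target on different pages: the field being read sits past
        # the end of the page holding the object the base register points at.
        "crosses_page": base // PAGE_SIZE != target // PAGE_SIZE,
        "bytes_left_in_page": PAGE_SIZE - base % PAGE_SIZE,
    }


def describe(result):
    verdict = ("operand matches fault address" if result["operand_explains_fault"]
               else "operand does NOT match fault address")
    page_note = ""
    if result["crosses_page"]:
        page_note = (", read crosses into the next page (%#x bytes from base to page end)"
                     % result["bytes_left_in_page"])
    return "%s: %s+%#x = %#x; %s%s" % (
        result["location"], result["base_reg"], result["disp"],
        result["target"], verdict, page_note)


if __name__ == "__main__":
    print(describe(analyze(DDB_EXCERPT)))
```

Run it on a saved ddb transcript instead of the embedded excerpt to get the same one-line verdict; when the operand does not match the fault address, the trap came from an earlier instruction or a different base register and the "Stopped at" line should not be trusted on its own.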
