Subject: kern/9172: use of libefence (with EF_PROTECT_FREE) panics kernel
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 01/11/2000 20:45:50
>Number: 9172
>Category: kern
>Synopsis: use of libefence (with EF_PROTECT_FREE) panics kernel
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jan 11 20:45:01 2000
>Last-Modified:
>Originator: Jun-ichiro itojun Hagino
>Organization:
itojun.org
>Release: NetBSD 1.4.1, with latest KAME
>Environment:
System: NetBSD lychee.itojun.org 1.4.1 NetBSD 1.4.1 (LYCHEE.v6) #502: Tue Jan 11 10:23:24 PST 2000 itojun@lychee.itojun.org:/export/home/itojun/k/kame/netbsd/sys/arch/i386/compile/LYCHEE.v6 i386
>Description:
I was debugging some code using libefence 2.0.5 (installed via
pkg/devel/ElectricFence), with EF_PROTECT_FREE enabled.
After ElectricFence detected a violation, I terminated the debugger
- and a kernel panic occurred. It looks like I can reproduce it.
panic: pmap_page_remove: mapped managed page has invalid pv_ptp field
#0 0xf02e619b in pmap_remove (pmap=0xf4cc1e24, sva=4107017752, eva=4028421976)
at ../../../../arch/i386/i386/pmap.new.c:2435
2435 }
(gdb) backtrace
#0 0xf02e619b in pmap_remove (pmap=0xf4cc1e24, sva=4107017752, eva=4028421976)
at ../../../../arch/i386/i386/pmap.new.c:2435
#1 0xf02ded3f in cpu_reboot (howto=256, bootstr=0x0)
at ../../../../arch/i386/i386/machdep.c:1350
#2 0xf01cd758 in log (level=-265395813,
fmt=0xf02e615f "pmap_page_remove: PTP's phys addr: actual=%x, recorded=%lx\n") at ../../../../kern/subr_prf.c:212
#3 0xf02e6343 in pmap_page_remove (pg=0xf0504084)
at ../../../../arch/i386/i386/pmap.new.c:2485
#4 0xf02cdb1a in uvm_anfree (anon=0xf4bd2140) at machine/pmap.new.h:456
#5 0xf02cd04f in amap_wipeout (amap=0xf4a53140)
at ../../../../uvm/uvm_amap.c:538
#6 0xf02cc96e in amap_unref (entry=0xf4cb9ca8, all=0)
at ../../../../uvm/uvm_amap_i.h:258
#7 0xf02d2a91 in uvm_unmap_detach (first_entry=0xf4cb999c, amap_unref_flags=0)
at ../../../../uvm/uvm_map.c:1121
#8 0xf02d1e15 in uvm_unmap (map=0xf4c81c64, start=0, end=4022329344)
at ../../../../uvm/uvm_map_i.h:166
#9 0xf02da8a8 in uvm_deallocate (map=0xf4c81c64, start=0, size=4022329344)
at ../../../../uvm/uvm_user.c:66
#10 0xf01bee23 in exit1 (p=0xf4cae75c, rv=9)
at ../../../../kern/kern_exit.c:203
#11 0xf01c5ffc in sigexit (p=0xf4cae75c, signum=9)
at ../../../../kern/kern_sig.c:1166
#12 0xf01c5dd4 in postsig (signum=9) at ../../../../kern/kern_sig.c:1087
#13 0xf02e8f9e in trap (frame={tf_es = 31, tf_ds = -272695265,
tf_edi = -272637952, tf_esi = 170372, tf_ebp = -272641520,
tf_ebx = 1075081312, tf_edx = 1075123336, tf_ecx = 1,
tf_eax = -272808324, tf_trapno = 4, tf_err = 0, tf_eip = 1075016059,
tf_cs = 23, tf_eflags = 66050, tf_esp = -272641588, tf_ss = 31,
tf_vm86_es = 0, tf_vm86_ds = 0, tf_vm86_fs = 0, tf_vm86_gs = 0})
at ../../../../arch/i386/i386/trap.c:180
(gdb) frame 3
#3 0xf02e6343 in pmap_page_remove (pg=0xf0504084)
at ../../../../arch/i386/i386/pmap.new.c:2485
2485 panic("pmap_page_remove: mapped managed page has invalid pv_ptp field");
(gdb) list
2480 printf("pmap_page_remove: pg=%p: va=%lx, pv_ptp=%p\n", pg, pve->pv_va,
2481 pve->pv_ptp);
2482 printf("pmap_page_remove: PTP's phys addr: actual=%x, recorded=%lx\n",
2483 (pve->pv_pmap->pm_pdir[pdei(pve->pv_va)] & PG_FRAME),
2484 VM_PAGE_TO_PHYS(pve->pv_ptp));
2485 panic("pmap_page_remove: mapped managed page has invalid pv_ptp field");
2486 }
2487 #endif
2488
2489 opte = ptes[i386_btop(pve->pv_va)];
(gdb) print *pve
$1 = {pv_next = 0x0, pv_pmap = 0xf4a47854, pv_va = 307200, pv_ptp = 0xf0508e84}
(gdb) print *pve->pv_pmap
$2 = {pm_obj = {vmobjlock = {lock_data = 0}, pgops = 0x0, memq = {
tqh_first = 0xf0508e84, tqh_last = 0xf0508e94}, uo_npages = 1,
uo_refs = 1}, pm_list = {le_next = 0xf4a47784, le_prev = 0xf0416184},
pm_pdir = 0xf4cc2000, pm_pdirpa = 35291136, pm_ptphint = 0xf0502720,
pm_stats = {resident_count = 63, wired_count = 0}}
(gdb) print *pve->pv_pma*pve->pv_pmap->pm_pdir
$3 = 0
(gdb) print *pve->pv_pmap->pm_pdir
$4 = (pd_entry_t *) 0xf4cc2000
>How-To-Repeat:
I'll try to come up with short code that can repeat it.
>Fix:
I'm not sure if it's a kernel-side problem or an efence problem,
but anyway, a kernel panic is not a good thing...
>Audit-Trail:
>Unformatted: