Subject: port-hp300/21679: User can panic system with repeated mmap calls
To: None <>
From: None <>
List: netbsd-bugs
Date: 05/25/2003 20:06:33
>Number:         21679
>Category:       port-hp300
>Synopsis:       User can panic system with repeated mmap calls
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    port-hp300-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 25 18:07:00 UTC 2003
>Originator:     Jarle Greipsland
>Release:        NetBSD 1.6T
System: NetBSD 1.6T NetBSD 1.6T (DENNIS) #0: Mon May 19 14:56:11 CEST 2003 hp300
Architecture: m68k
Machine: hp300
While trying do build and install clisp (/usr/pkgsrc/lang/clisp), my HP
9000/433t panicked with the message:
panic: enter: out of address space
Stopped in pid 29286.1 (conftest) at    netbsd:cpu_Debugger+0x6:        unlk a6
db> trace
cpu_Debugger(ffffffff,b000000,0,43e014,7c0edd0) + 6
panic(156290,b005000,19,0,fd853000) + ac
pmap_enter_ptpage(6e93a8,b000000) + fc
pmap_enter(6e93a8,b000000,fd853000,3,23) + 92
uvm_fault(7aa2900,b000000,0,3) + bd8
trap(8,4a1,b000079) + 4c6
faultstkadj() + 0
db> show reg
d0          0x2704      doboot+0x386
d1          0x16e106    __bss_start+0xd346
d2          0x7c0eda0   end+0x7a73c88
d3          0x100
d4          0x156290    mem_cdevsw+0x450
d5          0xfd853000
d6          0xb000000   end+0xae64ee8
d7          0x23
a0          0x203000    end+0x67ee8
a1          0x1
a2          0xcf95e     printf
a3          0x6e93a8    end+0x54e290
a4          0x7c0eed8   end+0x7a73dc0
a5          0x6e93a8    end+0x54e290
a6          0x7c0ed7c   end+0x7a73c64
sp          0x7c0ed7c   end+0x7a73c64
pc          0x121eaa    cpu_Debugger+0x6
sr          0x2000      switch_exit+0x8
netbsd:cpu_Debugger+0x6:        unlk    a6
db> reboot

This was just after the build job had printed out the configure message:
"checking for working mmap".  I retrieved the test in question and cleaned
it up:
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>

int main ()
        int flags = MAP_ANON | MAP_PRIVATE;
        int fd = -1;
#define my_shift 24
#define my_low   1
#define my_high  64
#define my_size  8192
        long i;
        for (i=my_low; i<=my_high; i++) {
                caddr_t addr = (caddr_t)(i << my_shift);
                long size = ((i+1)/2)*my_size;
                if (mmap(addr,size,PROT_READ|PROT_WRITE,flags|MAP_FIXED,fd,0) == MAP_FAILED)

Note that the above program will crash my hp433t even when run as a
non-root user.  The crashes are repeatable.

dmesg of system:
Copyright (c) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003
    The NetBSD Foundation, Inc.  All rights reserved.
Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California.  All rights reserved.

NetBSD 1.6T (DENNIS) #0: Mon May 19 14:56:11 CEST 2003
HP 9000/433t (33MHz MC68040 CPU+MMU+FPU, 4k on-chip physical I/D caches)
total memory = 65524 KB
avail memory = 57304 KB
using 844 buffers containing 3376 KB of memory
mainbus0 (root)
intio0 at mainbus0
rtc0 at intio0 addr 0x420000
frodo0 at intio0 addr 0x41c000
dnkbd at frodo0 offset 0x0 not configured
apci0 at frodo0 offset 0x40: no fifo
apci1 at frodo0 offset 0x60: no fifo
hil0 at intio0 addr 0x428000
dma0 at intio0 addr 0x500000: 98620C, 2 channels, 32-bit DMA
dio0 at mainbus0
nhpib0 at dio0 scode 7 ipl 3: internal HP-IB
hpibbus0 at nhpib0
dca0 at dio0 scode 9 ipl 5: console, working fifo
internal parallel at dio0 scode 12 not configured
oscsi0 at dio0 scode 14 ipl 4: 32 bit DMA, async, scsi id 7
sd0 at oscsi0 targ 6 lun 0: <IBM, DCAS-34330, S61A> (SCSI-2)
sd0: 8205 cylinders, 6 heads, 8467200 blocks, 512 bytes/block
le0 at dio0 scode 21 ipl 5: address 08:00:09:13:7d:8d
le0: 8 receive buffers, 2 transmit buffers
hyper0 at dio0 scode 133: 1280 x 1024 monochrome hyperion display
grf0 at hyper0
ite0 at grf0
interrupt levels: bio = 4, net = 5, tty = 5
boot device: sd0
root on sd0a dumps on sd0b
root file system type: ffs

Compile and run the sample program supplied with this report.