kern/55597: amap KASSERTs/panics

[martin%NetBSD.org@localhost]

>Number:         55597
>Category:       kern
>Synopsis:       amap KASSERTs/panics
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Aug 22 09:10:00 +0000 2020
>Originator:     Martin Husemann
>Release:        NetBSD 9.99.71
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD space-truckin.duskware.de 9.99.71 NetBSD 9.99.71 (GENERIC) #102: Fri Aug 21 19:02:48 CEST 2020 martin%seven-days-to-the-wolves.aprisoft.de@localhost:/work/src/sys/arch/evbarm/compile/GENERIC evbarm
Architecture: earmv7hfeb
Machine: evbarm
>Description:

During several ATF runs I got a sequence of amap related panics, with
various levels of diagnostic available:


t_audio (1/2): 159 test cases
[...]
[ 41059.7554972] uvm_fault(0x80b6e908, 0, 1) -> e
[ 41059.7655086] Fatal kernel mode data abort: 'Translation Fault (S)'
[ 41059.7655086] trapframe: 0xc7f5bc50
[ 41059.7755008] FSR=00000005, FAR=00000000, spsr=800c0213
[ 41059.7755008] r0 =00000000, r1 =9331c040, r2 =9331c168, r3 =94646300
[ 41059.7855041] r4 =9beee890, r5 =00000000, r6 =0000000b, r7 =00000128
[ 41059.7955016] r8 =00000024, r9 =00000000, r10=00000000, r11=c7f5bcec
[ 41059.7955016] r12=80093f24, ssp=c7f5bca0, slr=80003270, pc =80409a80
Stopped in pid 10273.10273 (audiotest) at       netbsd:amap_wiperange+0x174:

This is: 

0x80409a80 is in amap_wiperange (../../../../uvm/uvm_amap.c:1308).
1303                                    continue;
1304                            }
1305                            stop--; /* drop stop, since anon will be removed */
1306                    }
1307                    anon = amap->am_anon[curslot];
1308                    KASSERT(anon->an_lock == amap->am_lock);


Could anon be NULL?

Another one in the ptrace tests (have seen this backtrace in a previous run
too but had no proper logging enabled, so not sure it happend at the same
place):

    traceme_lwpinfo2: [0.187480s] Passed.
    traceme_lwpinfo2_lwpstatus: [0.159634s] Passed.
    traceme_lwpinfo2_lwpstatus_pl_name: [0.218605s] Passed.
    traceme_lwpinfo2_lwpstatus_pl_private: [0.198824s] Passed.
    traceme_lwpinfo2_lwpstatus_pl_sigmask: [0.197590s] Passed.
    traceme_lwpinfo3: [0.217410s] Passed.
    traceme_lwpinfo3_lwpstatus: 
[ 2596.6324836] panic: kernel diagnostic assertion "anon != NULL && anon->an_ref != 0" failed: file "../../../../uvm/uvm_amap.c", line 777 
[ 2596.6511788] cpu0: Begin traceback...
[ 2596.6511788] 0xc88a5d3c: netbsd:db_panic+0x14
[ 2596.6618087] 0xc88a5d54: netbsd:vpanic+0xe4
[ 2596.6618087] 0xc88a5d6c: netbsd:__aeabi_uldivmod
[ 2596.6714532] 0xc88a5dbc: netbsd:amap_wipeout+0xb4
[ 2596.6714532] 0xc88a5dfc: netbsd:uvm_unmap_detach+0x80
[ 2596.6817913] 0xc88a5e24: netbsd:uvmspace_free+0xf0
[ 2596.6929471] 0xc88a5ecc: netbsd:exit1+0x1a0
[ 2596.6929471] 0xc88a5eec: netbsd:sys_exit+0x3c
[ 2596.7029680] 0xc88a5fac: netbsd:syscall+0x188
[ 2596.7029680] cpu0: End traceback...


and this is:

(gdb) list *(amap_wipeout+0xb4)
0x804092f0 is in amap_wipeout (../../../../uvm/uvm_amap.c:779).
774     
775                     slot = amap->am_slots[lcv];
776                     anon = amap->am_anon[slot];
777                     KASSERT(anon != NULL && anon->an_ref != 0);
778     
779                     KASSERT(anon->an_lock == amap->am_lock);
780                     UVMHIST_LOG(maphist,"  processing anon %#jx, ref=%jd",
781                         (uintptr_t)anon, anon->an_ref, 0, 0);


>How-To-Repeat:

as root: cd /usr/tests && atf-run

>Fix:
n/a