NetBSD-Bugs archive


kern/55708: Panic when using poll(2) with wsmouse



>Number:         55708
>Category:       kern
>Synopsis:       poll(2) causes a panic when a wsmouse is detached and reattached
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Oct 09 08:30:00 +0000 2020
>Originator:     snow flurry
>Release:        NetBSD 9.99.73
>Organization:
>Environment:
System: NetBSD patchouli 9.99.73 NetBSD 9.99.73 (GENERIC) #0: Wed Sep 23 00:52:49 UTC 2020 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
When a wsmouse is being polled, then detached and reattached before
poll reaches its timeout (or, if timeout == -1, is interrupted), the
kernel panics with the following:

[ 4612.8673727] panic: kernel diagnostic assertion "sip->sel_lwp == l" failed: file "/home/source/ab/HEAD/src/sys/kern/sys_select.c", line 839
[ 4612.8673727] cpu0: Begin traceback...
[ 4612.8673727] vpanic() at netbsd:vpanic+0x156
[ 4612.8673727] __x86_indirect_thunk_rax() at netbsd:__x86_indirect_thunk_rax
[ 4612.8673727] selclear() at netbsd:selclear+0xd2
[ 4612.8673727] sel_do_scan() at netbsd:sel_do_scan+0x251
[ 4612.8673727] pollcommon() at netbsd:pollcommon+0xcc
[ 4612.8673727] sys_poll() at netbsd:sys_poll+0x69
[ 4612.8673727] syscall() at netbsd:syscall+0x23e
[ 4612.8673727] --- syscall (number 209) ---
[ 4612.8673727] netbsd:syscall+0x23e:
[ 4612.8673727] cpu0: End traceback...
[ 4612.8673727] fatal breakpoint trap in supervisor mode
[ 4612.8673727] trap type 1 code 0 rip 0xffffffff80221a25 cs 0x8 rflags 0x202 cr2 0x70e995942000 ilevel 0x8 rsp 0xffff8b015036cc60
[ 4612.8673727] curlwp 0xffffbd5323f0f280 pid 8138.8138 lowest kstack 0xffff8b01503682c0

>How-To-Repeat:
This can be done in X11 using xf86-input-mouse connected to two pointer
devices, but I wasn't able to find the specific sequence to reliably
cause the panic. The code at https://termbin.com/91m5 has reliably
caused this issue to occur using a USB mouse and the following steps:

1. With the mouse plugged in, start the program and cause some events
   to occur (e.g. move the mouse, click one of the buttons).
2. Unplug the mouse and quickly plug it back in. The device must be
   reattached before poll() returns, every five seconds.

I've also had luck with setting the poll timeout on line 33 to -1, and
interrupting the program with ^C once the device is reattached.

>Fix:


