NetBSD-Bugs archive
kern/48105: panic at shutdown from NULL pointer dereference caused by virtio_detach()
>Number: 48105
>Category: kern
>Synopsis: panic at shutdown from NULL pointer dereference caused by virtio_detach()
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Aug 05 19:25:00 +0000 2013
>Originator: Richard Hansen
>Release: 6.0.1
>Organization:
BBN
>Environment:
NetBSD netbsd-vm.bbn.com 6.0.1 NetBSD 6.0.1 (GENERIC) i386
>Description:
NetBSD virtual machine guests that have the 0x10031af4 PCI device (vendor ID
0x1af4 = Qumranet, device ID 0x1003 = Virtio) panic on shutdown due to a NULL
pointer dereference in intr_disestablish() at src/sys/arch/x86/x86/intr.c line
901.

Console output when it panics:

    uvm_fault(0xc4fc5438, 0, 1) -> 0xe
    fatal page fault in supervisor mode
    trap type 6 code 0 eip c04c915a cs 8 eflags 10246 cr2 24 ilevel 0
    Skipping crash dump on recursive panic
    panic: trap
    cpu0: Begin traceback...
    printf_nolog(c0ba9fab,dcfb7aa4,dcfb7aa4,c04c915a,8,10246,24,0,c07869a3,c4fca040) at netbsd:printf_nolog
    trap_tss() at netbsd:trap_tss
    --- trap via task gate ---
    netbsd:cpu_lock:
    cpu0: End traceback...
    rebooting...

Going up the call stack, virtio_detach() passes the NULL pointer to
pci_intr_disestablish() at src/sys/dev/pci/virtio.c line 202.
sc->sc_ih is NULL in virtio_detach() because it is never set in
virtio_attach(). virtio_attach() hits an error case and returns early at
src/sys/dev/pci/virtio.c line 158. sc->sc_ih isn't set until line 173.

Evidence of the early return from virtio_attach() is in dmesg:

    $ dmesg | grep virtio1
    virtio1 at pci0 dev 6 function 0
    virtio1: Virtio Console Device (rev. 0x00)
    virtio1: no matching child driver; not configured
    $ sudo pcictl /dev/pci0 list -n | grep 6:0
    000:06:0: 0x10031af4 (0x078000000)
>How-To-Repeat:
1. On an amd64 Ubuntu 13.04 host system, install the following
   packages (and their dependencies):
     * libvirt-bin
     * ubuntu-virt
2. Set up libvirt (see
   <https://help.ubuntu.com/community/KVM/Installation>)
3. Using virt-manager, create a new i386 guest machine. Select the
   defaults everywhere except on the last page of the wizard:
     a. expand Advanced options
     b. change Architecture from x86_64 to i686
4. Install i386 NetBSD 6.0.1 on the guest
5. Run 'sudo shutdown -p now'
6. Watch it panic and reboot rather than power off

To confirm that the problem only happens when the 0x10031af4 PCI
device is installed in the guest VM:

1. Using virt-manager, edit the guest VM settings
2. Remove the "Controller Virtio Serial" PCI device
3. Boot the VM
4. Run 'sudo shutdown -p now'
5. The VM will power off as expected
>Fix:
Only call pci_intr_disestablish() from virtio_detach() if the arguments are
non-NULL?
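
The failure pattern described in this report (an attach routine that returns before sc_ih is set, followed by a detach that tears it down unconditionally) and the guard suggested under >Fix, as an added example that is not part of the original report and is not NetBSD source. struct toy_softc, toy_attach(), toy_detach() and toy_intr_disestablish() are hypothetical stand-ins for the driver code.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver state in the report; not NetBSD code. */
struct toy_ih { int active; };

struct toy_softc {
    struct toy_ih *sc_ih;   /* interrupt handle, only set late in attach */
    int has_child;          /* constructed input: does a child driver match? */
};

static int disestablish_calls;

/* Like the teardown in the report, this dereferences its argument. */
static void toy_intr_disestablish(struct toy_ih *ih)
{
    ih->active = 0;         /* a NULL ih would fault here */
    free(ih);
    disestablish_calls++;
}

/* Attach with an early return: sc_ih is set only on the complete path. */
int toy_attach(struct toy_softc *sc)
{
    sc->sc_ih = NULL;
    if (!sc->has_child)
        return -1;          /* "no matching child driver; not configured" */
    sc->sc_ih = calloc(1, sizeof(*sc->sc_ih));
    if (sc->sc_ih == NULL)
        return -1;
    sc->sc_ih->active = 1;
    return 0;
}

/* Detach that tolerates a partial attach; returns the number of
 * resources it actually released. */
int toy_detach(struct toy_softc *sc)
{
    int released = 0;
    if (sc->sc_ih != NULL) {
        toy_intr_disestablish(sc->sc_ih);
        sc->sc_ih = NULL;   /* a second detach becomes a no-op */
        released++;
    }
    return released;
}

int main(void)
{
    struct toy_softc console = { NULL, 0 };  /* constructed: no child driver */
    toy_attach(&console);
    return toy_detach(&console) == 0 ? 0 : 1;
}
```

Clearing sc_ih after teardown also covers the case where detach runs twice, which the guard alone would not.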