netbsd-bugs: port-mips/16154: any user can hang the machine by masking SIGSEGV and faulting

Subject: port-mips/16154: any user can hang the machine by masking SIGSEGV and faulting
To: None <gnats-bugs@gnats.netbsd.org>
From: None <manu@netbsd.org>
List: netbsd-bugs
Date: 04/01/2002 05:29:41

>Number:         16154
>Category:       port-mips
>Synopsis:       any user can hang the machine by masking SIGSEGV and faulting
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    port-mips-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 01 05:30:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     Emmanuel Dreyfus
>Release:        NetBSD-current
>Organization:
The NetBSD Project
>Environment:
NetBSD plume 1.5ZC NetBSD 1.5ZC (IRIX3) #69: Mon Apr  1 13:28:17 CEST 2002     manu@plume:/cvs/src/sys/arch/sgimips/compile/IRIX3 sgimips
>Description:
When a program masks SIGSEGV and does a page fault, NetBSD/mips hangs. 
It is possible to drop into ddb and send a kill -9 to the offending
process, this will restore the machine to a fully functionnal state.
>How-To-Repeat:
#include <stdio.h>
#include <signal.h>

int main (void) {
        char *p = (char *)0xc;

        signal(SIGSEGV, SIG_IGN);

        printf("let's go\n");
        *p = *p + 1;
        printf("still alive?\n");
        return 0;
}
>Fix:
I have not yet fully spotted the problem. However, here are the 
information I gathered:

The normal behavior would be to loop on the fault: on *p access, we
get a page fault. There is no valid mapping at the requested address, 
hence we attempt to send a SIGSEGV. It is blocked, so we return to 
userland and restart the offending instruction. We fault again and we 
loop here forever.

This should not hang the machine since on return to userland, we can
schedule another process to run. The problem on mips ports is that 
the offending process is *always* re-scheduled to run.

More information: on the page fault, mips3_UserGenException is invoked,
from here, we have approximately this code path (determined by bloating
my kernel with printf's):
mips3_UserGenException
  trap
    uvm_fault
      uvmfault_lookup
    trapsignal
      psignal1
  ast
    preempt
      mi_switch
        ...

mi_switch always selects the offending process to run again, thus hanging
the machine. 
>Release-Note:
>Audit-Trail:
>Unformatted: