Re: kern/53261: kernel crash during test run
The following reply was made to PR kern/53261; it has been noted by GNATS.
From: Martin Husemann <martin%duskware.de@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc:
Subject: Re: kern/53261: kernel crash during test run
Date: Wed, 9 May 2018 12:11:45 +0200
I have been barking up the wrong tree. Actually "uap" in sys_mmap is still correct,
but the access to the element is nevertheless wrong.
It even happens with -O0, so I used that to make the assembly easier
to follow.
Here is a bit more verbose debug output:
[ 1053.1664413] sy_invoke(uap=0xcbcdbf50)
[ 1053.1664413] sy_invoke: calling sy_call(uap=0xcbcdbf50)
[ 1053.1664413] sy_call(uap=0xcbcdbf50)
[ 1053.1664413] sy_call(uap=0xcbcdbf50)
[ 1053.1664413] sys_mmap(uap=0xcbcdbf50)
[ 1053.1664413] &addr: 0xcbcdbf50
[ 1053.1664413] &len: 0xcbcdbf54
[ 1053.1664413] &prot: 0xcbcdbf58
[ 1053.1664413] &flags: 0xcbcdbf5c
[ 1053.1664413] &fd: 0xcbcdbf60
[ 1053.1664413] &pos: 0xcbcdbf68
[ 1053.1664413] with uap->$name.le.datum prefix:
[ 1053.1664413] &addr: 0xcbcdbf50
[ 1053.1664413] &len: 0xcbcdbf54
[ 1053.1664413] &prot: 0xcbcdbf58
[ 1053.1664413] &flags: 0xcbcdbf5c
[ 1053.1664413] &fd: 0xcbcdbf60
[ 1053.1664413] &pos: 0xcbcdbf68
[ 1053.3764409] data_abort_handler: data_aborts fsr=0x1 far=0xcbcdbf6c
[ 1053.3764409] Fatal kernel mode data abort: 'Alignment Fault 1'
[ 1053.3764409] trapframe: 0xcbcdbe20
[ 1053.3764409] FSR=00000001, FAR=cbcdbf6c, spsr=60000013
[ 1053.3764409] r0 =c311a160, r1 =cbcdbf54, r2 =cbcdbf48, r3 =cbcdbf54
[ 1053.3764409] r4 =cbcdbf54, r5 =c04cf318, r6 =c311a160, r7 =c04a0f04
[ 1053.3764409] r8 =cbcdbf48, r9 =cbcdbf50, r10=c02a4e9c, r11=cbcdbf04
[ 1053.3764409] r12=cbcdbf08, ssp=cbcdbe70, slr=c02a4f18, pc =c024e664
Stopped in pid 697.1 (ubsan) at netbsd:sys_mmap+0x134: ldrd r2, [r3, #0x18]
The objdump -S output for the relevant part is below.
Martin
uvm_mmap.o: file format elf32-littlearm
Disassembly of section .text:
[..]
000005a0 <sys_mmap>:
extern int do_syscall_debug;
int
sys_mmap(struct lwp *l, const struct sys_mmap_args *uap, register_t *retval)
{
5a0: e1a0c00d mov ip, sp
5a4: e92dd870 push {r4, r5, r6, fp, ip, lr, pc}
5a8: e24cb004 sub fp, ip, #4
5ac: e24dd07c sub sp, sp, #124 ; 0x7c
5b0: e50b0068 str r0, [fp, #-104] ; 0xffffff98
5b4: e50b106c str r1, [fp, #-108] ; 0xffffff94
5b8: e50b2070 str r2, [fp, #-112] ; 0xffffff90
syscallarg(int) flags;
syscallarg(int) fd;
syscallarg(long) pad;
syscallarg(off_t) pos;
} */
struct proc *p = l->l_proc;
5bc: e51b3068 ldr r3, [fp, #-104] ; 0xffffff98
5c0: e5933130 ldr r3, [r3, #304] ; 0x130
5c4: e50b3028 str r3, [fp, #-40] ; 0xffffffd8
off_t pos;
vsize_t size, pageoff, newsize;
vm_prot_t prot, maxprot, extraprot;
int flags, fd, advice;
vaddr_t defaddr;
struct file *fp = NULL;
5c8: e3a03000 mov r3, #0
5cc: e50b3020 str r3, [fp, #-32] ; 0xffffffe0
/*
* first, extract syscall args from the uap.
*/
if (do_syscall_debug) {
5d0: e59f34bc ldr r3, [pc, #1212] ; a94 <sys_mmap+0x4f4>
5d4: e5933000 ldr r3, [r3]
5d8: e3530000 cmp r3, #0
5dc: 0a000026 beq 67c <sys_mmap+0xdc>
printf("sys_mmap(uap=%p)\n"
5e0: e51bc06c ldr ip, [fp, #-108] ; 0xffffff94
5e4: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
5e8: e283e004 add lr, r3, #4
5ec: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
5f0: e2833008 add r3, r3, #8
5f4: e51b206c ldr r2, [fp, #-108] ; 0xffffff94
5f8: e282200c add r2, r2, #12
5fc: e51b106c ldr r1, [fp, #-108] ; 0xffffff94
600: e2811010 add r1, r1, #16
604: e51b006c ldr r0, [fp, #-108] ; 0xffffff94
608: e2800018 add r0, r0, #24
60c: e58d000c str r0, [sp, #12]
610: e58d1008 str r1, [sp, #8]
614: e58d2004 str r2, [sp, #4]
618: e58d3000 str r3, [sp]
61c: e1a0300e mov r3, lr
620: e1a0200c mov r2, ip
624: e51b106c ldr r1, [fp, #-108] ; 0xffffff94
628: e59f0468 ldr r0, [pc, #1128] ; a98 <sys_mmap+0x4f8>
62c: ebfffffe bl 0 <printf>
"&addr: %p\n&len: %p\n&prot: %p\n&flags: %p\n&fd: %p\n"
"&pos: %p\n", uap,
&uap->addr, &uap->len, &uap->prot, &uap->flags, &uap->fd,
&uap->pos);
printf("with uap->$name.le.datum prefix:\n"
630: e51b006c ldr r0, [fp, #-108] ; 0xffffff94
634: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
638: e283c004 add ip, r3, #4
63c: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
640: e283e008 add lr, r3, #8
644: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
648: e283300c add r3, r3, #12
64c: e51b206c ldr r2, [fp, #-108] ; 0xffffff94
650: e2822010 add r2, r2, #16
654: e51b106c ldr r1, [fp, #-108] ; 0xffffff94
658: e2811018 add r1, r1, #24
65c: e58d1008 str r1, [sp, #8]
660: e58d2004 str r2, [sp, #4]
664: e58d3000 str r3, [sp]
668: e1a0300e mov r3, lr
66c: e1a0200c mov r2, ip
670: e1a01000 mov r1, r0
674: e59f0420 ldr r0, [pc, #1056] ; a9c <sys_mmap+0x4fc>
678: ebfffffe bl 0 <printf>
&uap->prot.le.datum, &uap->flags.le.datum,
&uap->fd.le.datum,
&uap->pos.le.datum);
}
addr = (vaddr_t)SCARG(uap, addr);
67c: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
680: e5933000 ldr r3, [r3]
684: e50b3048 str r3, [fp, #-72] ; 0xffffffb8
size = (vsize_t)SCARG(uap, len);
688: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
68c: e5933004 ldr r3, [r3, #4]
690: e50b302c str r3, [fp, #-44] ; 0xffffffd4
prot = SCARG(uap, prot) & VM_PROT_ALL;
694: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
698: e5933008 ldr r3, [r3, #8]
69c: e2033007 and r3, r3, #7
6a0: e50b3030 str r3, [fp, #-48] ; 0xffffffd0
extraprot = PROT_MPROTECT_EXTRACT(SCARG(uap, prot));
6a4: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
6a8: e5933008 ldr r3, [r3, #8]
6ac: e1a031c3 asr r3, r3, #3
6b0: e2033007 and r3, r3, #7
6b4: e50b3034 str r3, [fp, #-52] ; 0xffffffcc
flags = SCARG(uap, flags);
6b8: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
6bc: e593300c ldr r3, [r3, #12]
6c0: e50b305c str r3, [fp, #-92] ; 0xffffffa4
fd = SCARG(uap, fd);
6c4: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
6c8: e5933010 ldr r3, [r3, #16]
6cc: e50b3038 str r3, [fp, #-56] ; 0xffffffc8
pos = SCARG(uap, pos);
6d0: e51b306c ldr r3, [fp, #-108] ; 0xffffff94
6d4: e1c321d8 ldrd r2, [r3, #24]
6d8: e14b25f4 strd r2, [fp, #-84] ; 0xffffffac