NetBSD-Bugs archive


Re: kern/54754: assertion "start < end" failed: uvm_map.c, line 4756 uvm_unmap1 start 0 < end 0



On Tue, Dec 10, 2019 at 07:50:00PM +0000, tobiasu%tmux.org@localhost wrote:
> >Number:         54754
> >Category:       kern
> >Synopsis:       assertion "start < end" failed: uvm_map.c, line 4756 uvm_unmap1 start 0 < end 0
> >Confidential:   no
> >Severity:       serious
> >Priority:       medium
> >Responsible:    kern-bug-people
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   net
> >Arrival-Date:   Tue Dec 10 19:50:00 +0000 2019
> >Originator:     Tobias Ulmer
> >Release:        NetBSD 9.99.21 (GENERIC) #0: Mon Dec 9 04:51:04 UTC 2019
> >Organization:
> >Environment:
> >Description:
> Machine hits assertion on login. Full serial console session below, two traces near the end.

From 9.99.41:

[  51.3813873] panic: kernel diagnostic assertion "start < end" failed: file "/home/source/ab/HEAD/src/sys/uvm/uvm_map.c", line 4749 uvm_unmap1: map 0x102568bc0: start 0 < end 0
[  51.5713981] cpu1: Begin traceback...
[  51.6114043] cpu1: End traceback...
[  51.6514026] Frame pointer is at 0x1880eebc1
[  51.7014044] Call traceback:
[  51.7414067]  netbsd:cpu_reboot+0x240(1cc3570, 102604400, ff0f0000000001, 1880ef61c, 4, 1c6f400) fp = 1880eeca1
[  51.8614124]  netbsd:kern_reboot+0x14(104, 0, 1cbe000, 0, 0, 102604400) fp = 1880eed51
[  51.9614191]  netbsd:vpanic+0x14c(104, 0, 19a0688, 1880ef7f8, e0048000, 1c3c400) fp = 1880eee01
[  52.0614237]  netbsd:kern_assert+0x34(19a0688, 1880ef7f8, 1cc2000, 1cc3400, 104, 1cc33c0) fp = 1880eeeb1
[  52.1714299]  netbsd:uvm_unmap1+0x88(19a0688, 1918b70, 199f400, 199fa40, 128d, 18fd840) fp = 1880eef71
[  52.2914367]  netbsd:execve_runproc+0x398(102568bc0, 0, 0, 0, 0, 1022aed00) fp = 1880ef051
[  52.3914424]  netbsd:execve1+0x58(102604400, 1880efa10, 0, 0, 102568bc0, 10255e970) fp = 1880ef151
[  52.4914490]  netbsd:sys_execve+0x24(102604400, 1, 40228090, ffffffffffffffff, ffffffffffffd0f0, 402f4400) fp = 1880ef431
[  52.6214554]  netbsd:syscall+0x410(102604400, 1880efde0, 1880efdd0, 1, 40b063f0, 6cebac5) fp = 1880ef4f1
[  52.7414631]  netbsd:1011724+0(1880efed0, 1880eff58, 40b60480, 3, 2, 102604400) fp = 1880ef621
[  52.8414688]  netbsd:40c74fe8+0(40228090, ffffffffffffd0f0, 402f4400, fefefefefefefeff, ffffffffffffffff, ff000000000000) fp = ffffffffffffc381

> >How-To-Repeat:
> Log in, either via serial or ssh, watch the machine crash and burn.
> >Fix:

uvm_deallocate is called with start=0 size=(vaddr_t)-1 and wrongly
calculates the end page, wrapping to 0.

uvm_unmap etc. expect 'end' to point to the last address in the page.

I've been hitting this on login because the shell was corrupted and
terminated with SIGABRT.

diff --git a/sys/uvm/uvm_user.c b/sys/uvm/uvm_user.c
index a2d5f3fd4a30..77f510e14441 100644
--- a/sys/uvm/uvm_user.c
+++ b/sys/uvm/uvm_user.c
@@ -51,5 +51,5 @@ uvm_deallocate(struct vm_map *map, vaddr_t start, vsize_t size)
 	if (size == 0)
 		return;
 
-	uvm_unmap(map, trunc_page(start), round_page(start + size));
+	uvm_unmap(map, trunc_page(start), trunc_page(start + size) + PAGE_MASK);
 }
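
Review bot: on the added line, trunc_page(start + size) + PAGE_MASK does not move the end consistently relative to the old round_page(start + size). When start + size is not page-aligned, the new end is the old end minus one byte, but when start + size is already page-aligned (for example start 0, size one page) the new end is the old end plus PAGE_MASK, so it now reaches through the following page. If the intent is "last address of the last page covered", trunc_page(start + size - 1) + PAGE_MASK gives that in both cases and still yields the top address for start=0, size=(vaddr_t)-1. Separately, start + size is still computed without an overflow check, so other start/size combinations can wrap before trunc_page is applied; a guard next to the existing size == 0 test, with a comment stating whether end is inclusive, would make the contract with uvm_unmap explicit.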

