port-alpha/56201: Apparent NULL pointer deref in pmap_l3pt_delref() via pmap_page_protect() under memory pressure

[thorpej%me.com@localhost]

>Number:         56201
>Category:       port-alpha
>Synopsis:       Apparent NULL pointer deref in pmap_l3pt_delref() via pmap_page_protect() under memory pressure
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-alpha-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun May 23 18:25:00 +0000 2021
>Originator:     Jason Thorpe
>Release:        NetBSD 9.99.82
>Organization:
RISCy Business
>Environment:
NetBSD alpha-vm 9.99.82 NetBSD 9.99.82 (GENERIC-$Revision: 1.410 $) #1: Sat May 22 11:30:30 PDT 2021  thorpej@the-ripe-vessel:/space/src/sys/arch/alpha/compile/GENERIC.QEMU alpha

32MB RAM config
>Description:
There is an apparent NULL pointer deref bug in pmap_l3pt_delref():

Building databases: dev, utmp, utmpx.

[  22.3168965] CPU 0: fatal kernel trap:

[  22.3168965] CPU 0    trap entry = 0x2 (memory management fault)
[  22.3168965] CPU 0    a0         = 0xff8
[  22.3168965] CPU 0    a1         = 0x0
[  22.3168965] CPU 0    a2         = 0x0
[  22.3168965] CPU 0    pc         = 0xfffffc0000a4c814
[  22.3168965] CPU 0    ra         = 0xfffffc0000a4d174
[  22.3168965] CPU 0    pv         = 0xfffffc0000a4c7d0
[  22.3168965] CPU 0    curlwp     = 0xfffffc0001dece00
[  22.3168965] CPU 0        pid = 0, comm = system

[  22.3168965] panic: trap
[  22.3168965] cpu0: Begin traceback...
[  22.3168965] alpha trace requires known PC =eject=
[  22.3168965] cpu0: End traceback...
Stopped in pid 0.97 (system) at netbsd:cpu_Debugger+0x4:        ret     zero,(ra
)
db{0}> trace
cpu_Debugger() at netbsd:cpu_Debugger+0x4
db_panic() at netbsd:db_panic+0xc8
vpanic() at netbsd:vpanic+0x108
panic() at netbsd:panic+0x58
trap() at netbsd:trap+0xa58
XentMM() at netbsd:XentMM+0x20
--- memory management fault (from ipl 0) ---
pmap_l3pt_delref() at netbsd:pmap_l3pt_delref+0x44
pmap_remove_mapping() at netbsd:pmap_remove_mapping+0xa4
pmap_page_protect() at netbsd:pmap_page_protect+0x138
uvm_pageout() at netbsd:uvm_pageout+0x330
--- kernel thread backstop ---
db{0}> 

This appears to have happened under memory pressure:

db{0}> show uvmexp
Current UVM status:
  pagesize=8192 (0x2000), pagemask=0x1fff, pageshift=13, ncolors=1
  2253 VM pages: 728 active, 330 inactive, 0 wired, 14 free
  pages  603 anon, 213 file, 263 exec
  freemin=16, free-target=21, wired-max=751
  resv-pg=1, resv-kernel=5
  bootpages=72, poolpages=1081
  faults=37650, traps=16042, intrs=7103, ctxswitch=18087
   softint=7439, syscalls=36875
  fault counts:
    noram=1, noanon=0, pgwait=0, pgrele=0
    ok relocks(total)=471(471), anget(retrys)=27607(18), amapcopy=2659
    neighbor anon/obj pg=3295/20669, gets(lock/unlock)=6719/453
    cases: anon=25209, anoncow=2398, obj=5857, prcopy=862, przero=2961
  daemon and swap counts:
    woke=9, revs=9, scans=1287, obscans=379, anscans=181
    busy=0, freed=558, reactivate=52, deactivate=1591
    pageouts=24, pending=157, nswget=18
    nswapdev=1, swpgavail=16383
    swpages=16383, swpginuse=177, swpgonly=154, paging=0
db{0}> 

With the current kernel booted on that Qemu instance, the faulting PC is:

the-ripe-vessel:thorpej 48$ alpha--netbsd-addr2line -e netbsd.gdb -a 0xfffffc0000a4c814
0xfffffc0000a4c814
/space/src/sys/arch/alpha/compile/GENERIC.QEMU/./machine/pmap.h:293
the-ripe-vessel:thorpej 49$ 

...which is this line in pmap_l2pte():

        lev2map = (pt_entry_t *)ALPHA_PHYS_TO_K0SEG(pmap_pte_pa(l1pte));

>How-To-Repeat:
The system was simply booting up.  The problem is not 100% reproducible.
>Fix:
N/A