Re: port-alpha/56201 (Apparent NULL pointer deref in pmap_l3pt_delref() via pmap_page_protect() under memory pressure)

[Jason Thorpe <thorpej%me.com@localhost>]

This appears to be a use-after-free… if I poison pmap->pm_lev1map with 0xdeadbeef in pmap_destroy(), I see:

[  17.2311772] CPU 0: fatal kernel trap:

[  17.2311772] CPU 0    trap entry = 0x4 (unaligned access fault)
[  17.2311772] CPU 0    a0         = 0xdeadcee7
[  17.2311772] CPU 0    a1         = 0x29
[  17.2311772] CPU 0    a2         = 0x1
[  17.2311772] CPU 0    pc         = 0xfffffc0000a4cea8
[  17.2311772] CPU 0    ra         = 0xfffffc0000a4d2a4
[  17.2311772] CPU 0    pv         = 0xfffffc0000a4ce50
[  17.2311772] CPU 0    curlwp     = 0xfffffc0001dece00
[  17.2311772] CPU 0        pid = 0, comm = system

[  17.2311772] panic: trap
[  17.2311772] cpu0: Begin traceback...
[  17.2311772] alpha trace requires known PC =eject=
[  17.2311772] cpu0: End traceback...
Stopped in pid 0.97 (system) at netbsd:cpu_Debugger+0x4:        ret     zero,(ra
)
db{0}> trace
cpu_Debugger() at netbsd:cpu_Debugger+0x4
db_panic() at netbsd:db_panic+0xc8
vpanic() at netbsd:vpanic+0x108
panic() at netbsd:panic+0x58
trap() at netbsd:trap+0xa58
XentUna() at netbsd:XentUna+0x20
--- unaligned access fault (from ipl 0) ---
pmap_l3pt_delref() at netbsd:pmap_l3pt_delref+0x58
pmap_remove_mapping() at netbsd:pmap_remove_mapping+0xa4
pmap_page_protect() at netbsd:pmap_page_protect+0x138
uvm_pageout() at netbsd:uvm_pageout+0x330
--- kernel thread backstop ---
db{0}> 


So it would appear there’s a PV entry for the page pointing to a pmap that’s been torn down.

-- thorpej