NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: port-alpha/56201 (Apparent NULL pointer deref in pmap_l3pt_delref() via pmap_page_protect() under memory pressure)

The following reply was made to PR port-alpha/56201; it has been noted by GNATS.

From: Jason Thorpe <thorpej%me.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: port-alpha-maintainer%netbsd.org@localhost,
 netbsd-bugs%netbsd.org@localhost,
 gnats-admin%netbsd.org@localhost
Subject: Re: port-alpha/56201 (Apparent NULL pointer deref in
 pmap_l3pt_delref() via pmap_page_protect() under memory pressure)
Date: Sun, 23 May 2021 13:35:21 -0700

 This appears to be a use-after-free=E2=80=A6 if I poison =
 pmap->pm_lev1map with 0xdeadbeef in pmap_destroy(), I see:
 
 [  17.2311772] CPU 0: fatal kernel trap:
 
 [  17.2311772] CPU 0    trap entry =3D 0x4 (unaligned access fault)
 [  17.2311772] CPU 0    a0         =3D 0xdeadcee7
 [  17.2311772] CPU 0    a1         =3D 0x29
 [  17.2311772] CPU 0    a2         =3D 0x1
 [  17.2311772] CPU 0    pc         =3D 0xfffffc0000a4cea8
 [  17.2311772] CPU 0    ra         =3D 0xfffffc0000a4d2a4
 [  17.2311772] CPU 0    pv         =3D 0xfffffc0000a4ce50
 [  17.2311772] CPU 0    curlwp     =3D 0xfffffc0001dece00
 [  17.2311772] CPU 0        pid =3D 0, comm =3D system
 
 [  17.2311772] panic: trap
 [  17.2311772] cpu0: Begin traceback...
 [  17.2311772] alpha trace requires known PC =3Deject=3D
 [  17.2311772] cpu0: End traceback...
 Stopped in pid 0.97 (system) at netbsd:cpu_Debugger+0x4:        ret     =
 zero,(ra
 )
 db{0}> trace
 cpu_Debugger() at netbsd:cpu_Debugger+0x4
 db_panic() at netbsd:db_panic+0xc8
 vpanic() at netbsd:vpanic+0x108
 panic() at netbsd:panic+0x58
 trap() at netbsd:trap+0xa58
 XentUna() at netbsd:XentUna+0x20
 --- unaligned access fault (from ipl 0) ---
 pmap_l3pt_delref() at netbsd:pmap_l3pt_delref+0x58
 pmap_remove_mapping() at netbsd:pmap_remove_mapping+0xa4
 pmap_page_protect() at netbsd:pmap_page_protect+0x138
 uvm_pageout() at netbsd:uvm_pageout+0x330
 --- kernel thread backstop ---
 db{0}>=20
 
 
 So it would appear there=E2=80=99s a PV entry for the page pointing to a =
 pmap that=E2=80=99s been torn down.
 
 -- thorpej
Home | Main Index | Thread Index | Old Index