NetBSD-Bugs archive

port-arm/56380: Userland process randomly crashes with PAX_ASLR=0 on arm926ej-s



>Number:         56380
>Category:       port-arm
>Synopsis:       Userland process randomly crashes with PAX_ASLR=0 on arm926ej-s
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    port-arm-maintainer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Aug 30 01:15:00 +0000 2021
>Originator:     Rin Okuyama
>Release:        9.99.88
>Organization:
Department of Physics, Meiji University
>Environment:
NetBSD kbpro 9.99.88 NetBSD 9.99.88 (KBPRO_EB) #26: Sat Aug 28 11:01:35 JST 2021  rin@latipes:/sys/arch/evbarm/compile/KBPRO_EB evbarm
>Description:
Userland processes sometimes crash due to SIGSEGV on arm926ej-s (v5TEJ),
if the PAX_ASLR=0 option is enabled for the kernel. When and which process
crashes seems almost random. And where (in the text) it crashes also seems random.
This occurs both in little- and big-endian modes.

If PAX_ASLR is disabled, or set to 1, everything works just fine (at least
for ~ one week of uptime).

Also, for i80219 (xscale/v5TE), crashes have never been observed even if
PAX_ASLR=0 is specified.

dmesg's of these machines are uploaded:

* arm926ej-s (affected) https://dmesgd.nycbug.org/index.cgi?do=view&id=6246

| cpu0 at mainbus0 core 0: ARM926EJ-S rev 0 (ARM9EJ-S V5TEJ core)
| cpu0: DC enabled IC enabled WB enabled LABT
| cpu0: 32KB/32B 1-way L1 VIVT Instruction cache
| cpu0: 32KB/32B 1-way write-back-locking-C L1 VIVT Data cache

* i80219 (NOT affected) https://dmesgd.nycbug.org/index.cgi?do=view&id=6139

| cpu0 at mainbus0 core 0: i80219 400MHz step A-0 (XScale V5TE core)
| cpu0: DC enabled IC enabled WB enabled LABT branch prediction enabled
| cpu0: 32KB/32B 32-way L1 VIVT Instruction cache
| cpu0: 32KB/32B 32-way write-back-locking L1 VIVT Data cache

I've found an MI bug for PAX_ASLR=0 (will be committed soon), but
unfortunately, fixing it does not suffice.
>How-To-Repeat:
Boot kernel with PAX_ASLR=0 on KUROBOX_PRO.

Userland process sometimes crashes during multi-user boot, sometimes
while building some pkgsrc.
>Fix:
N/A
