NetBSD-Bugs archive


Re: kern/58552: panic via genfs_getpages - ufs_bmaparray



The following reply was made to PR kern/58552; it has been noted by GNATS.

From: "J. Hannken-Illjes" <hannken%mailbox.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/58552: panic via genfs_getpages - ufs_bmaparray
Date: Thu, 29 Aug 2024 11:25:59 +0200

 From gdb frame #9 "incore(0xfffff48d36a6d940, -12)" we traverse the
 hash list "bufhashtbl[3581645]->lh_first == 0xfffff48e57516230".
 This buffer looks invalid:
 
   b_iodone = 0xffff828027d87100,
   b_error = 794242176,
   b_resid = -32128,
   b_flags = 1131827200,
   b_prio = -32128,
   b_bufsize = 660073344,
   b_bcount = -32128,
   ...
 
 The buffer is the 3rd element of "bufpl" item header 0xfffff4907870d150,
 page 0xfffff48e57516000.  All 15 buffers from this page are allocated.
 
 Page 0xfffff48e57516000 is a large page from the direct map, not sure
 if it matters (direct map 0xfffff484f8e00000 .. 0xfffff49138dfffff).
 
 Printing the entire page:
 
 0xfffff48e57516000:     0xffff82804a3f6380      0xffff82802784de80
 0xfffff48e57516010:     0xffff82804e020600      0xffff828036284d80
 0xfffff48e57516020:     0xffff82803c3f8d00      0xffff828031b42c80
 0xfffff48e57516030:     0xffff82803054dc00      0xffff828036e98f80
 ...
 0xfffff48e57516230:     0xffff82804d2e0e80      0xffff8280311de600
 0xfffff48e57516240:     0xffff82803144c580      0xffff828027d87100
 0xfffff48e57516250:     0xffff82802f572c80      0xffff828043765000
 0xfffff48e57516260:     0xffff82802757eb80      0xffff8280501ea300
 0xfffff48e57516270:     0xffff82802c916e00      0xffff828048faa400
 0xfffff48e57516280:     0xffff8280547ebb80      0xffff828040165300
 0xfffff48e57516290:     0xffff82804191ed80      0xffff82803eb2dd00
 ...
 0xfffff48e57516fc0:     0xffff828037f58180      0xffff828034a14900
 0xfffff48e57516fd0:     0xffff82804ee23080      0xffff8280519c0000
 0xfffff48e57516fe0:     0xffff82803c38fb80      0xffff82802bc49700
 0xfffff48e57516ff0:     0xffff828052c3f680      0xffff828033468200
 
 All these entries are valid "struct vm_page *" pointers so it looks like
 this page allocated to the "bufpl" got overwritten with 512 pointers
 to vm pages.
 
 Which operation creates an array of at least 512 "struct vm_page"
 pointers and therefore is a candidate for trashing?
 
 -- 
 J. Hannken-Illjes
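
The check made by eye in the message above, as an added example that is not part of the original post or of NetBSD: it tests whether every 64-bit word of a dumped region looks like a pointer, and splits one word into 32-bit halves, which match two of the field values the message lists (794242176 and -32128). The range bounds, the 0x80 stride, the control data and all function names are assumptions fitted to the dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed bounds and stride, picked to fit the dumped values;
 * they are not taken from the NetBSD source. */
#define PTR_LO    0xffff828000000000ULL
#define PTR_HI    0xffff829000000000ULL
#define PTR_ALIGN 0x80ULL

/* Words at 0x...230 to 0x...298, copied from the dump in the message. */
static const uint64_t sample[14] = {
    0xffff82804d2e0e80ULL, 0xffff8280311de600ULL, 0xffff82803144c580ULL,
    0xffff828027d87100ULL, 0xffff82802f572c80ULL, 0xffff828043765000ULL,
    0xffff82802757eb80ULL, 0xffff8280501ea300ULL, 0xffff82802c916e00ULL,
    0xffff828048faa400ULL, 0xffff8280547ebb80ULL, 0xffff828040165300ULL,
    0xffff82804191ed80ULL, 0xffff82803eb2dd00ULL,
};
/* Constructed control: one pointer-like word followed by plain counters. */
static const uint64_t control[4] = { 0xffff82804d2e0e80ULL, 4096, 0, 16384 };

/* Number of words that fall inside the range and sit on the stride. */
size_t count_ptr_like(const uint64_t *w, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (w[i] >= PTR_LO && w[i] < PTR_HI && w[i] % PTR_ALIGN == 0)
            hits++;
    return hits;
}

/* Flag a region only when every word in it looks like such a pointer. */
int region_is_ptr_array(const uint64_t *w, size_t n) {
    return n > 0 && count_ptr_like(w, n) == n;
}

/* Reinterpret one 32-bit half of a word as the int a debugger would print. */
int32_t half_as_int(uint64_t w, int high) {
    uint32_t u = (uint32_t)(high ? w >> 32 : w);
    int32_t s;
    memcpy(&s, &u, sizeof s);
    return s;
}

int main(void) {
    printf("sample flagged=%d control flagged=%d\n",
        region_is_ptr_array(sample, 14), region_is_ptr_array(control, 4));
    printf("low=%d high=%d\n", (int)half_as_int(sample[4], 0), (int)half_as_int(sample[4], 1));
    return 0;
}
```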
 

