From owner-dev-commits-src-branches@freebsd.org Tue Sep 7 12:10:04 2021
Date: Tue, 7 Sep 2021 12:10:00 GMT
Message-Id: <202109071210.187CA04S087860@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Jessica Clarke
Subject: git: 23181404aad8 - stable/13 - riscv: Fix pmap_alloc_l2 when it should allocate a new L1 entry
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 23181404aad8b55722b6374062200aed33f779ac

The branch stable/13 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=23181404aad8b55722b6374062200aed33f779ac

commit 23181404aad8b55722b6374062200aed33f779ac
Author:     Jessica Clarke
AuthorDate: 2021-08-09 19:28:37 +0000
Commit:     Jessica Clarke
CommitDate: 2021-09-07 12:08:16 +0000

riscv: Fix pmap_alloc_l2 when it should allocate a new L1 entry

The current code checks the RWX bits are 0 but does not check the V bit
is non-zero, meaning not-yet-allocated L1 entries that are still zero
are regarded as being allocated. This is likely due to copying the arm64
code that checks ATTR_DESC_MASK is L1_TABLE, which encompasses both the
type and the validity in a single field, and erroneously translating
that to a check of just PTE_RWX being 0 to indicate non-leaf, forgetting
about the V bit.

This then results in the following panic:

panic: Fatal page fault at 0xffffffc0005cf292: 0x00000000000050
cpuid = 1
time = 1628379581
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x148
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1ba
do_trap_supervisor() at do_trap_supervisor+0x7a
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x50
pmap_enter_l2() at pmap_enter_l2+0xb2
pmap_enter_object() at pmap_enter_object+0x15e
vm_map_pmap_enter() at vm_map_pmap_enter+0x228
vm_map_insert() at vm_map_insert+0x4ec
vm_map_find() at vm_map_find+0x474
vm_map_find_min() at vm_map_find_min+0x52
vm_mmap_object() at vm_mmap_object+0x1ba
vn_mmap() at vn_mmap+0xf8
kern_mmap() at kern_mmap+0x4c4
sys_mmap() at sys_mmap+0x38
do_trap_user() at do_trap_user+0x208
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- exception 8, tval = 0x1dd

Instead, we should just check the V bit, as on amd64, and assert that
any valid L1 entries are not leaves, since an L1 leaf would render the
entire range allocated and thus we should not have attempted to map that
VA in the first place.

Reported by: David Gilbert
MFC after: 1 week
Reviewed by: markj, mhorne
Differential Revision: https://reviews.freebsd.org/D31460

(cherry picked from commit 98138bbde032e2040af3d158658c497fd3f63f2a)

--- sys/riscv/riscv/pmap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sys/riscv/riscv/pmap.c b/sys/riscv/riscv/pmap.c index 075a2d4e84c8..b60df135fd51 100644 --- a/sys/riscv/riscv/pmap.c +++ b/sys/riscv/riscv/pmap.c 
@@ -1348,7 +1348,10 @@ pmap_alloc_l2(pmap_t pmap, vm_offset_t va, struct rwlock **lockp) retry: l1 = pmap_l1(pmap, va); - if (l1 != NULL && (pmap_load(l1) & PTE_RWX) == 0) { + if (l1 != NULL && (pmap_load(l1) & PTE_V) != 0) { + KASSERT((pmap_load(l1) & PTE_RWX) == 0, + ("%s: L1 entry %#lx for VA %#lx is a leaf", __func__, + pmap_load(l1), va)); /* Add a reference to the L2 page. */ l2pg = PHYS_TO_VM_PAGE(PTE_TO_PHYS(pmap_load(l1))); l2pg->ref_count++;
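
Review bot: pmap_load(l1) is evaluated separately for the PTE_V test, the KASSERT condition, the KASSERT message and the PTE_TO_PHYS() call in pmap_alloc_l2, so the value that was checked and the value that is turned into l2pg come from different loads. Reading the entry once into a local variable after l1 = pmap_l1(pmap, va) and using that local for the validity test, the assertion and PHYS_TO_VM_PAGE(PTE_TO_PHYS(...)) would make the checked and used values provably the same and shorten the condition. Separately, KASSERT is compiled out on kernels built without INVARIANTS, so there a valid leaf L1 entry would still fall through to the ref_count++ path and be treated as a pointer to an L2 page; a one-line comment beside the assertion stating why that state cannot be reached would document the invariant for non-debug builds.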