Hello Alexander,

Thanks for the report.

On 01/03/24(Fri) 16:39, Alexander Bluhm wrote:
> Hi,
> 
> An OpenBSD 7.4 machine on KVM running postgres and pagedaemon
> crashed in amap_wipeout().
> 
> bluhm
> 
> kernel: protection fault trap, code=0
> Stopped at      amap_wipeout+0x76:      movq    %rcx,0x28(%rax)

The problem is an incorrect call to amap_wipeout() in an OOM situation
inside amap_copy().  At this moment the amap being copied/allocated
is not in the global list.  That's why you see this incorrect
dereference which corresponds to:

        amap_list_remove(amap);

> ddb{3}> show panic
> the kernel did not panic
> 
> ddb{3}> trace
> amap_wipeout(fffffd8015b154d0) at amap_wipeout+0x76
> uvm_fault_check(ffff8000232d6a20,ffff8000232d6a58,ffff8000232d6a80) at uvm_fault_check+0x2ad
> uvm_fault(fffffd811d150748,7d42519fb000,0,1) at uvm_fault+0xfb
> upageflttrap(ffff8000232d6b80,7d42519fb3c0) at upageflttrap+0x65
> usertrap(ffff8000232d6b80) at usertrap+0x1ee
> recall_trap() at recall_trap+0x8
> end of kernel
> end trace frame: 0x7d42519fb3f0, count: -6

Diff below should fix it.  I don't know how to test it.

ok?

Index: uvm/uvm_amap.c
===================================================================
RCS file: /cvs/src/sys/uvm/uvm_amap.c,v
diff -u -p -r1.92 uvm_amap.c
--- uvm/uvm_amap.c      11 Apr 2023 00:45:09 -0000      1.92
+++ uvm/uvm_amap.c      30 Mar 2024 17:30:10 -0000
@@ -662,9 +658,10 @@ amap_copy(struct vm_map *map, struct vm_
 
                chunk = amap_chunk_get(amap, lcv, 1, PR_NOWAIT);
                if (chunk == NULL) {
-                       /* amap_wipeout() releases the lock. */
-                       amap->am_ref = 0;
-                       amap_wipeout(amap);
+                       amap_unlock(srcamap);
+                       /* Destroy the new amap. */
+                       amap->am_ref--;
+                       amap_free(amap);
                        return;
                }
 
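Review bot: the new error path frees the amap with amap_free() after `amap->am_ref--`, but the `lcv` argument to amap_chunk_get(amap, lcv, 1, PR_NOWAIT) shows this allocation failure can happen on a later iteration of the copy loop, when earlier chunks of `amap` may already have been filled in; the removed amap_wipeout() call tore down the whole amap, so please confirm either that amap_free() is correct for a partially populated amap or that whatever earlier iterations placed into `amap` is released before it. Two smaller points: a KASSERT(amap->am_ref == 1) in front of the decrement would document why `amap->am_ref--` (rather than the old `amap->am_ref = 0`) is guaranteed to reach the zero refcount the free requires, and the hunk header `@@ -662,9 +658,10 @@` shows the diff was generated against a tree that already differs from 1.92 above this point, so it may not apply cleanly to a stock -r1.92 uvm_amap.c.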
