Created attachment 243288: sysctl hang test

Run the attached program compiled in a 32 bit chroot environment on 64 bit ARM. It hangs unkillable in sysctl. It is so stuck that rebooting doesn't work because the process won't die. Tools are confused about whether the program is running or runnable. The program does not accumulate CPU time. The program runs fine as a native 64 bit application. Something in 32 to 64 bit translation must be broken. Bug reported on mailing lists by Mark Millard. The original hang was in the kern_copyin test, but sysctl was to blame.
The corresponding test of an i386 binary on amd64 causes a panic. It does not require a chroot environment, so it allows an unprivileged user to crash the machine. I don't think this is a bug in any released version. The test program does not compile on 13.2. Running on amd64 and current from a few weeks back.

First a 64 bit version of the reproducer:

root@monax-vm:/tmp # ./a.out
user address range 0x1000..0x7ffffffff000

Now recompile as a 32 bit binary:

root@monax-vm:/tmp # cc -g hang.c -target i386-freebsd
root@monax-vm:/tmp # file a.out
a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 14.0 (1400091), FreeBSD-style, with debug_info, not stripped
root@monax-vm:/tmp # ./a.out
panic: releasing active pmap 0xfffffe00cdcdc170
cpuid = 4
time = 1688690396
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00b0d9b940
vpanic() at vpanic+0x150/frame 0xfffffe00b0d9b990
panic() at panic+0x43/frame 0xfffffe00b0d9b9f0
pmap_release() at pmap_release+0x2a5/frame 0xfffffe00b0d9ba20
vmspace_free() at vmspace_free+0x43/frame 0xfffffe00b0d9ba40
sysctl_kern_proc_vm_layout() at sysctl_kern_proc_vm_layout+0x35b/frame 0xfffffe00b0d9bbb0
sysctl_root_handler_locked() at sysctl_root_handler_locked+0x9c/frame 0xfffffe00b0d9bc00
sysctl_root() at sysctl_root+0x230/frame 0xfffffe00b0d9bc80
userland_sysctl() at userland_sysctl+0x184/frame 0xfffffe00b0d9bd30
freebsd32___sysctl() at freebsd32___sysctl+0xa6/frame 0xfffffe00b0d9bdf0
ia32_syscall() at ia32_syscall+0x157/frame 0xfffffe00b0d9bf30
int0x80_syscall_common() at int0x80_syscall_common+0x9c/frame 0xffffdc2c
There is a redundant vmspace_free() on the current address space in the compat code. Removing it fixes the bug. I will put a fix into review tomorrow.
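The mechanism behind the panic, as an added illustration that is not the FreeBSD kernel code or the attached reproducer: a constructed reference-count model of an address space, with a handler that drops the reference once (the fixed path) or twice (the old 32-bit compat path), so the extra vmspace_free() takes the refcount of the caller's own, still-active address space to zero.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a reference-counted address space. It is not the
 * FreeBSD vmspace/pmap code; it only reproduces the refcount arithmetic
 * that the redundant vmspace_free() in the compat path gets wrong. */
struct vmspace {
    int  refcnt;       /* references held on this address space */
    bool pmap_active;  /* a thread is still running on this pmap */
    bool panicked;     /* stands in for panic("releasing active pmap") */
};

static struct vmspace *vmspace_acquire_ref(struct vmspace *vm)
{
    vm->refcnt++;
    return vm;
}

static void vmspace_free(struct vmspace *vm)
{
    if (--vm->refcnt > 0)
        return;
    /* Last reference gone: pmap_release() runs. Releasing a pmap a thread
     * is still executing on is what the backtrace above reports. */
    if (vm->pmap_active)
        vm->panicked = true;
}

/* Model of sysctl_kern_proc_vm_layout(): hold a reference while the
 * layout is copied out, then drop it. `buggy` reproduces the extra free
 * that only the 32-bit compat path performed before the fix. */
static int vm_layout_handler(struct vmspace *vm, bool compat32, bool buggy)
{
    struct vmspace *ref = vmspace_acquire_ref(vm);
    /* ... fill and copy out kinfo_vm_layout (omitted in this model) ... */
    if (compat32 && buggy)
        vmspace_free(ref);  /* redundant: drops the caller's own reference */
    vmspace_free(ref);
    return ref->panicked ? -1 : 0;
}

/* Run the handler on a process's current address space: one owner
 * reference, pmap active. Returns 0, or -1 if the model "panicked". */
int run_scenario(bool compat32, bool buggy)
{
    struct vmspace cur = { .refcnt = 1, .pmap_active = true, .panicked = false };
    return vm_layout_handler(&cur, compat32, buggy);
}

int main(void)
{
    printf("native: %d, compat32 fixed: %d, compat32 buggy: %d\n",
           run_scenario(false, false), run_scenario(true, false),
           run_scenario(true, true));
    return 0;
}
```

Only the compat32 path with the extra free reports -1; the native path and the fixed compat path leave the owner's reference intact.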
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=be30fd3ab2e8418a696e69f54a91a7e2db5962de

commit be30fd3ab2e8418a696e69f54a91a7e2db5962de
Author:     Mike Karels <karels@FreeBSD.org>
AuthorDate: 2023-07-07 13:37:16 +0000
Commit:     Mike Karels <karels@FreeBSD.org>
CommitDate: 2023-07-07 13:37:16 +0000

    KERN_PROC_VM_LAYOUT sysctl: fix bug in 32-bit-compatible path

    vmspace_free() is called redundantly in the 32-bit-compatible path in
    sysctl_kern_proc_vm_layout(), causing a premature free (possibly for
    the current address space). Remove the extra call.

    PR:             272401
    Reported by:    marklmi at yahoo.com
    Reviewed by:    markj
    Differential Revision: https://reviews.freebsd.org/D40908

 sys/kern/kern_proc.c | 1 -
 1 file changed, 1 deletion(-)
Fixed on main; not in stable/13.