From owner-freebsd-stable@FreeBSD.ORG  Mon Sep  9 07:11:22 2013
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id D619A444
 for <stable@freebsd.org>; Mon,  9 Sep 2013 07:11:22 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 7511D2B2C
 for <stable@freebsd.org>; Mon,  9 Sep 2013 07:11:22 +0000 (UTC)
Received: from tom.home (kostik@localhost [127.0.0.1])
 by kib.kiev.ua (8.14.7/8.14.7) with ESMTP id r897BCmA090075;
 Mon, 9 Sep 2013 10:11:12 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.8.3 kib.kiev.ua r897BCmA090075
Received: (from kostik@localhost)
 by tom.home (8.14.7/8.14.7/Submit) id r897BCjB090074;
 Mon, 9 Sep 2013 10:11:12 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com
 using -f
Date: Mon, 9 Sep 2013 10:11:12 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: Oliver Pinter <oliver.pntr@gmail.com>
Subject: Re: 9.2-STABLE: supervisor read data, page not present
Message-ID: <20130909071112.GI41229@kib.kiev.ua>
References: <CAPjTQNFxUFAUx9U3heVgDH9D8_TJ9NuOwcwUfSEi_RegQ5-wpw@mail.gmail.com>
 <CAPjTQNGusVYJpUxb-uuUwBD+8tJijLAB6u=pbFWvbE0+19-RXQ@mail.gmail.com>
 <20130909051444.GG41229@kib.kiev.ua>
 <CAPjTQNHe8=Q4OH5vfqTHWdUQJXkBfM4Xw3a=Z85=m8NYvxQP6Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature"; boundary="SWXyBy1zHAaCX+aB"
Content-Disposition: inline
In-Reply-To: <CAPjTQNHe8=Q4OH5vfqTHWdUQJXkBfM4Xw3a=Z85=m8NYvxQP6Q@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no
 version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on tom.home
Cc: stable@freebsd.org
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2013 07:11:23 -0000


--SWXyBy1zHAaCX+aB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Sep 09, 2013 at 08:45:21AM +0200, Oliver Pinter wrote:
> On 9/9/13, Konstantin Belousov <kostikbel@gmail.com> wrote:
> > On Sun, Sep 08, 2013 at 11:40:01PM +0200, Oliver Pinter wrote:
> >> #6  0xffffffff806a2ab3 in cpuctl_ioctl (dev=3D<value optimized out>,
> >>     cmd=3D<value optimized out>, data=3D<value optimized out>, flags=
=3D0,
> >>     td=3D<value optimized out>) at /usr/src/sys/dev/cpuctl/cpuctl.c:478
> >> 	cpu =3D <value optimized out>
> >> 	ret =3D <value optimized out>
> >
> > Do you indeed posses VIA CPU ?  Was it due to some violence act ?
>=20
> Nope, this is an Intel Q9300.
>=20
> FreeBSD clang version 3.3 (tags/RELEASE_33/final 183502) 20130610
> CPU: Intel(R) Core(TM)2 Quad  CPU   Q9300  @ 2.50GHz (2499.76-MHz K8-clas=
s CPU)
>   Origin =3D "GenuineIntel"  Id =3D 0x10677  Family =3D 0x6  Model =3D 0x=
17
> Stepping =3D 7
>   Features=3D0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,=
PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
>   Features2=3D0x8e3fd<SSE3,DTES64,MON,DS_CPL,VMX,SMX,EST,TM2,SSSE3,CX16,x=
TPR,PDCM,SSE4.1>
>   AMD Features=3D0x20100800<SYSCALL,NX,LM>
>   AMD Features2=3D0x1<LAHF>
>   TSC: P-state invariant, performance statistics
> real memory  =3D 4294967296 (4096 MB)
> avail memory =3D 4103024640 (3912 MB)
> Event timer "LAPIC" quality 400
> ACPI APIC Table: <A_M_I_ OEMAPIC >
> FreeBSD/SMP: Multiprocessor System Detected: 4 CPUs
> FreeBSD/SMP: 1 package(s) x 4 core(s)
>  cpu0 (BSP): APIC ID:  0
>  cpu1 (AP): APIC ID:  1
>  cpu2 (AP): APIC ID:  2
>  cpu3 (AP): APIC ID:  3
Intel update code has the same issue.  Still, it is weird that the debugger
reported the line from the update_via().

>=20
>=20
> >
> > I am not sure about the first panic, lets fix the malloc/free corruption
> > and see. The proc_reap() issue might be a consequence of the memory
> > corruption from the wrong free().
> >
> > There is no public documentation for VIA CPUs, at least I was not
> > able to find anything when I looked. According to the comment in the
> > update_via(), all what is needed is that update buffer was 4-bytes
> > aligned, which is always guaranteed by our malloc(9), at least for the
> > allocation of size >=3D4.
> >
> > Try this.

Updated patch.

diff --git a/sys/dev/cpuctl/cpuctl.c b/sys/dev/cpuctl/cpuctl.c
index 4e5abb2..317fc08 100644
--- a/sys/dev/cpuctl/cpuctl.c
+++ b/sys/dev/cpuctl/cpuctl.c
@@ -295,10 +295,10 @@ cpuctl_do_update(int cpu, cpuctl_update_args_t *data,=
 struct thread *td)
 static int
 update_intel(int cpu, cpuctl_update_args_t *args, struct thread *td)
 {
-	void *ptr =3D NULL;
+	void *ptr;
 	uint64_t rev0, rev1;
 	uint32_t tmp[4];
-	int is_bound =3D 0;
+	int is_bound;
 	int oldcpu;
 	int ret;
=20
@@ -312,10 +312,11 @@ update_intel(int cpu, cpuctl_update_args_t *args, str=
uct thread *td)
 	}
=20
 	/*
-	 * 16 byte alignment required.
+	 * 16 byte alignment required.  Rely on the fact that
+	 * malloc(9) always returns the pointer aligned at least on
+	 * the size of the allocation.
 	 */
 	ptr =3D malloc(args->size + 16, M_CPUCTL, M_WAITOK);
-	ptr =3D (void *)(16 + ((intptr_t)ptr & ~0xf));
 	if (copyin(args->data, ptr, args->size) !=3D 0) {
 		DPRINTF("[cpuctl,%d]: copyin %p->%p of %zd bytes failed",
 		    __LINE__, args->data, ptr, args->size);
@@ -408,10 +409,10 @@ fail:
 static int
 update_via(int cpu, cpuctl_update_args_t *args, struct thread *td)
 {
-	void *ptr =3D NULL;
+	void *ptr;
 	uint64_t rev0, rev1, res;
 	uint32_t tmp[4];
-	int is_bound =3D 0;
+	int is_bound;
 	int oldcpu;
 	int ret;
=20
@@ -427,8 +428,7 @@ update_via(int cpu, cpuctl_update_args_t *args, struct =
thread *td)
 	/*
 	 * 4 byte alignment required.
 	 */
-	ptr =3D malloc(args->size + 16, M_CPUCTL, M_WAITOK);
-	ptr =3D (void *)(16 + ((intptr_t)ptr & ~0xf));
+	ptr =3D malloc(args->size, M_CPUCTL, M_WAITOK);
 	if (copyin(args->data, ptr, args->size) !=3D 0) {
 		DPRINTF("[cpuctl,%d]: copyin %p->%p of %zd bytes failed",
 		    __LINE__, args->data, ptr, args->size);

--SWXyBy1zHAaCX+aB
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (FreeBSD)

iQIcBAEBAgAGBQJSLXSPAAoJEJDCuSvBvK1Bv84P/3cmggIntT24YsCN9/qnt1a5
px4mDPkRyMH+Up+R2FOdewryiKdstDi61RtA/4C4WPBe8cqork6x9V5RHzwTnSvU
3YAgtv/PSK5ABMtwv2IgfejzAowGivwxpFYj+i+jibq4DpiF56upS8iElQMI/HQi
uL7JX5zDWZE7ePMWIE3HZddRahKUyJUrHLdCdaUJyNen77V/sOSPuDalvvNbrrAJ
qh9JWkZvmvgH/ei3iKLGa+GWVYD/w5KvfL1MAoLJyatVque0Sakn3JCb1+8dmVgZ
68lQv4v3kCThEZlM7y1QTxE6iCBx7x1IHQYBhNyd4JtgCzJuqe45fpvtCq9snmyf
j83jMEGya5+LWBnNtxubtCexNt57KEM4C14T4A0wNq7gJ1CjylegZ5ppG/BCVpEj
WB63QZCmtdfdaYAblbnCB1uq2E7YKKxCzbx/hi1xRRLa8cWKJt7fxKvxjqpK8t78
mM6yKktes8pGQxBLJAqv39aCOdKcVLK9SxN0lx1mi2E3QV/vqaaekpXxAm/VZ9RK
qJciPYeSXzuZMT66E/4GO2pWGo9G6d59GFS5VlhuxurVIxHf5aCpusKv0SNNW+ON
kpQjTVUsHFp940tSQIWr6MqjI3MeHQeK+CDU39ERAeJZWdn0hwH/tQIpKZCiS+Df
4kU/s/rIAU67/vBds6AK
=1qPV
-----END PGP SIGNATURE-----

--SWXyBy1zHAaCX+aB--