Date:      Mon, 6 Aug 2018 11:39:04 +0200
From:      Hans Petter Selasky <hps@selasky.org>
To:        Matthew Macy <mmacy@freebsd.org>, Roman Bogorodskiy <novel@freebsd.org>
Cc:        freebsd-current@freebsd.org
Subject:   Re: panic after ifioctl/if_clone_destroy
Message-ID:  <911d520a-4eb5-02b4-a119-3663a7537e6a@selasky.org>
In-Reply-To: <8acc8f27-29f2-d4c1-7473-f7053b14e7ad@selasky.org>
References:  <20180805153556.GA1957@kloomba> <CAPrugNqVUoP0V8%2ByKTbCZgMoDu22xvCfUuga2LbKabjyi_=__A@mail.gmail.com> <a03803e6-5f1e-1960-c6a1-c7477f0ac9d4@selasky.org> <8acc8f27-29f2-d4c1-7473-f7053b14e7ad@selasky.org>

Hi Matthew,

On 08/06/18 10:02, Hans Petter Selasky wrote:
> -		if ((tdwait = TAILQ_FIRST(&record->er_tdlist)) != NULL &&
> -		    TD_IS_RUNNING(tdwait->et_td)) {
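Review bot: only the `-` side of the hunk is quoted, so the fragment shows the `TAILQ_FIRST(&record->er_tdlist)` lookup and the `TD_IS_RUNNING(tdwait->et_td)` test being removed together without showing what, if anything, replaces them; from these two lines alone it is not visible how the loop now decides whether the waiter is still running, or whether `tdwait` is still assigned anywhere or becomes an unused variable. Quoting the `+` side of the hunk would let a reviewer check that.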

At least the TD_IS_RUNNING() check is invalid. The "tdwait" structure is 
in the control of the other CPU and "tdwait->et_td" might be invalid at 
any time, so accessing any members here is not a good idea.

It is pretty clear that the epoch was exited during the loop:

         etd->et_td = (void*)0xDEADBEEF;

fault virtual address   = 0xdeadc2ff
fault code              = supervisor read data, page not present


If you remove the TD_IS_RUNNING() check I'm not sure how useful this 
loop will be ...

--HPS
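
Decoding the panic quoted above: the fault virtual address 0xdeadc2ff is 0x410 bytes past the 0xDEADBEEF poison, which is consistent with a field read through a poisoned `et_td` pointer rather than a wild pointer. The following is an added example, not code from this thread or from the FreeBSD tree; it parses a constructed copy of the two panic lines and computes the offset. The poison value is the one quoted in the message; the 4096-byte window is an assumption chosen to cover a kernel thread structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Poison value written to et_td on epoch exit, as quoted in the thread. */
#define ET_TD_POISON 0xDEADBEEFUL

/* Assumed upper bound on the size of the structure reached through the
 * poisoned pointer; a fault further away than this is not a field read. */
#define POISON_WINDOW 4096UL

/* Constructed copy of the two panic lines quoted in the message. */
static const char *panic_lines =
    "fault virtual address   = 0xdeadc2ff\n"
    "fault code              = supervisor read data, page not present\n";

/* Extract the fault virtual address from a panic dump; 0 if not found. */
uintptr_t parse_fault_address(const char *text)
{
    const char *p = strstr(text, "fault virtual address");
    unsigned long long v = 0;

    if (p == NULL)
        return 0;
    p = strchr(p, '=');
    if (p == NULL)
        return 0;
    /* %llx accepts an optional 0x prefix. */
    if (sscanf(p + 1, " %llx", &v) != 1)
        return 0;
    return (uintptr_t)v;
}

/* Return the byte offset of the faulting access relative to the poison
 * value, or -1 if the fault address is below the poison or further than
 * `window` bytes past it (i.e. not a field read through that pointer). */
long poison_field_offset(uintptr_t fault_addr, uintptr_t poison, size_t window)
{
    if (fault_addr < poison)
        return -1;
    if (fault_addr - poison >= window)
        return -1;
    return (long)(fault_addr - poison);
}

int main(void)
{
    uintptr_t fa = parse_fault_address(panic_lines);
    long off = poison_field_offset(fa, ET_TD_POISON, POISON_WINDOW);

    if (off < 0)
        printf("fault at %#lx is not near poison %#lx\n",
               (unsigned long)fa, ET_TD_POISON);
    else
        printf("fault at %#lx = poison %#lx + %#lx: field read through a poisoned pointer\n",
               (unsigned long)fa, ET_TD_POISON, (unsigned long)off);
    return 0;
}
```

The offset only says that the read went through the poisoned pointer; mapping 0x410 to a specific `struct thread` member requires the field offsets of the exact kernel build that panicked.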



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?911d520a-4eb5-02b4-a119-3663a7537e6a>