From: Hans Petter Selasky
To: Matthew Macy, Roman Bogorodskiy
Cc: freebsd-current@freebsd.org
Subject: Re: panic after ifioctl/if_clone_destroy
Date: Mon, 6 Aug 2018 11:39:04 +0200

Hi Matthew,

On 08/06/18 10:02, Hans Petter Selasky wrote:
> - if ((tdwait = TAILQ_FIRST(&record->er_tdlist)) != NULL &&
> - TD_IS_RUNNING(tdwait->et_td)) {

At least the TD_IS_RUNNING() check is invalid. The "tdwait" structure is in the control of the other CPU and "tdwait->et_td" might be invalid at any time, so accessing any members here is not a good idea.

It is pretty clear that the epoch was exited during the loop:

etd->et_td = (void*)0xDEADBEEF;

fault virtual address = 0xdeadc2ff
fault code = supervisor read data, page not present

If you remove the TD_IS_RUNNING() check I'm not sure how useful this loop will be ...

--HPS
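
Review bot: the condition on the two quoted "-" lines reads "tdwait->et_td" inside TD_IS_RUNNING() immediately after TAILQ_FIRST(&record->er_tdlist), and nothing in those lines takes a lock or a reference that would keep the list entry or the thread it points to valid across that read. Whatever condition ends up at this point in the loop should carry a comment naming the lock or guarantee that makes inspecting the first waiter safe, or should avoid reading through the entry at all.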