Date: Sun, 26 Jun 2016 21:34:59 -0700 From: Matthew Macy <mmacy@nextbsd.org> To: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>, "freebsd-x11@freebsd.org" <freebsd-x11@freebsd.org> Subject: Mapping drm's OBJT_DEFAULT causes crash on munmap Message-ID: <155902395d9.d34b06494266.4441962980252209617@nextbsd.org>
next in thread | raw e-mail | index | archive | help
Clicking 2 times on the following WebGL demo will cause a panic using drm 3.8/4.6 (this particular usage of OBJT_DEFAULT is one of the few remaining pieces of shared code). http://myshards.com/ This is the backtrace from HEAD as of f1bd70502f890a8668985030c0aecc3aeacb10ac running the latest Xorg / xf86-video-intel. (kgdb) bt #0 doadump (textdump=1) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:298 #1 0xffffffff80fa4da0 in kern_reboot (howto=260) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:366 #2 0xffffffff80fa57df in vpanic (fmt=0xffffffff818a582d "%s", ap=0xfffffe011b84ef50) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:759 #3 0xffffffff80fa5850 in panic (fmt=0xffffffff818a582d "%s") at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:690 #4 0xffffffff81640e77 in trap_fatal (frame=0xfffffe011b84f520, eva=90) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:841 #5 0xffffffff81640fe8 in trap_pfault (frame=0xfffffe011b84f520, usermode=0) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:691 #6 0xffffffff816400d2 in trap (frame=0xfffffe011b84f520) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:442 #7 0xffffffff8164152a in trap_check (frame=0xfffffe011b84f520) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:635 #8 <signal handler called> #9 0xffffffff814ab510 in vm_page_dirty_KBI (m=0x0) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_page.c:1095 #10 0xffffffff8162d4c5 in vm_page_dirty (m=0x0) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_page.h:651 #11 0xffffffff8162c733 in pmap_remove_pte (pmap=0xfffff80066f03138, ptq=0xfffff80075b87018, va=639643648, ptepde=1975017575, free=0xfffffe011b84f720, lockp=0xfffffe011b84f770) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/pmap.c:3705 #12 0xffffffff8162b63a in pmap_remove (pmap=0xfffff80066f03138, sva=639643648, eva=637692800) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/pmap.c:3876 #13 0xffffffff814979c3 in vm_map_delete (map=0xfffff80066f03000, start=637689856, end=667054080) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_map.c:3050 #14 0xffffffff814a020a in sys_munmap (td=0xfffff80066cff500, uap=0xfffffe011b84fa58) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_mmap.c:570 #15 0xffffffff81642091 in syscallenter (td=0xfffff80066cff500, sa=0xfffffe011b84fa48) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/../../kern/subr_syscall.c:135 #16 0xffffffff816418da in amd64_syscall (td=0xfffff80066cff500, traced=0) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:942 #17 <signal handler called> #18 0x000000080fd2d6ba in ?? () Backtrace stopped: Cannot access memory at address 0x7fffffffc408 The problem is that the pt entry is marked PG_MANAGED, but there is no corresponding pv_entry. -M
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?155902395d9.d34b06494266.4441962980252209617>