Date: Sun, 26 Jun 2016 21:34:59 -0700
From: Matthew Macy
To: "freebsd-current@freebsd.org", "freebsd-x11@freebsd.org"
Message-ID: <155902395d9.d34b06494266.4441962980252209617@nextbsd.org>
Subject: Mapping drm's OBJT_DEFAULT causes crash on munmap

Clicking 2 times on the following WebGL demo will cause a panic using drm 3.8/4.6 (this particular usage of OBJT_DEFAULT is one of the few remaining pieces of shared code).

http://myshards.com/

This is the backtrace from HEAD as of f1bd70502f890a8668985030c0aecc3aeacb10ac running the latest Xorg / xf86-video-intel.

(kgdb) bt
#0 doadump (textdump=1) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:298
#1 0xffffffff80fa4da0 in kern_reboot (howto=260) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:366
#2 0xffffffff80fa57df in vpanic (fmt=0xffffffff818a582d "%s", ap=0xfffffe011b84ef50) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:759
#3 0xffffffff80fa5850 in panic (fmt=0xffffffff818a582d "%s") at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:690
#4 0xffffffff81640e77 in trap_fatal (frame=0xfffffe011b84f520, eva=90) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:841
#5 0xffffffff81640fe8 in trap_pfault (frame=0xfffffe011b84f520, usermode=0) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:691
#6 0xffffffff816400d2 in trap (frame=0xfffffe011b84f520) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:442
#7 0xffffffff8164152a in trap_check (frame=0xfffffe011b84f520) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:635
#8
#9 0xffffffff814ab510 in vm_page_dirty_KBI (m=0x0) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_page.c:1095
#10 0xffffffff8162d4c5 in vm_page_dirty (m=0x0) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_page.h:651
#11 0xffffffff8162c733 in pmap_remove_pte (pmap=0xfffff80066f03138, ptq=0xfffff80075b87018, va=639643648, ptepde=1975017575, free=0xfffffe011b84f720, lockp=0xfffffe011b84f770) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/pmap.c:3705
#12 0xffffffff8162b63a in pmap_remove (pmap=0xfffff80066f03138, sva=639643648, eva=637692800) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/pmap.c:3876
#13 0xffffffff814979c3 in vm_map_delete (map=0xfffff80066f03000, start=637689856, end=667054080) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_map.c:3050
#14 0xffffffff814a020a in sys_munmap (td=0xfffff80066cff500, uap=0xfffffe011b84fa58) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_mmap.c:570
#15 0xffffffff81642091 in syscallenter (td=0xfffff80066cff500, sa=0xfffffe011b84fa48) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/../../kern/subr_syscall.c:135
#16 0xffffffff816418da in amd64_syscall (td=0xfffff80066cff500, traced=0) at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:942
#17
#18 0x000000080fd2d6ba in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffffffc408

The problem is that the pt entry is marked PG_MANAGED, but there is no corresponding pv_entry.

-M