From: Andriy Gapon
Date: Sat, 22 Dec 2012 13:08:10 +0200
To: Garrett Cooper
Cc: freebsd-net@FreeBSD.org, FreeBSD Current
Subject: Fatal trap 1 [Was: "Memory modified after free" - by whom?]
Message-ID: <50D5949A.1060505@FreeBSD.org>

on 22/12/2012 02:21 Garrett Cooper said the following:
> Fatal trap 1: privileged instruction fault while in kernel mode
> Fatal trap 1: privileged instruction fault while in kernel mode

Unrelated to the original topic - this looks very weird. I mean all the CPUs
getting this unusual trap...
Could you please do 'disassemble 0xffffffff80af5099' in kgdb with the same kernel.
Or if you have a different kernel now, please use "instruction pointer" value
from a trap with that kernel.

> Memory modified after free 0xffffff800040d000(9216) val=5a5a5a5a @
> 0xffffff800040d000
> Fatal trap 1: privileged instruction fault while in kernel mode
> cpuid = 3;
> cpuid = 1;
> apic id = 02
> cpuid = 0; apic id = 06
> apic id = 00
> instruction pointer = 0x20:0xffffffff80af5099
> instruction pointer = 0x20:0xffffffff80af5099
> instruction pointer = 0x20:0xffffffff80af5099
> Fatal trap 1: privileged instruction fault while in kernel mode
> stack pointer = 0x28:0xffffff8496fff880
> stack pointer = 0x28:0xffffff8496fe1880
> cpuid = 2; frame pointer = 0x28:0xffffff8496fff8b0
> frame pointer = 0x28:0xffffff8496fe18b0
> stack pointer = 0x28:0xffffff849705d880
> code segment = base 0x0, limit 0xfffff, type 0x1b
> frame pointer = 0x28:0xffffff849705d8b0
> apic id = 04
> code segment = base 0x0, limit 0xfffff, type 0x1b
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> = DPL 0, pres 1, long 1, def32 0, gran 1
> instruction pointer = 0x20:0xffffffff80af5099
> processor eflags = = DPL 0, pres 1, long
> 1, def32 0, gran 1
> interrupt enabled, processor eflags = stack pointer =
> 0x28:0xffffff8497067880
> interrupt enabled, resume, resume, frame pointer =
> 0x28:0xffffff84970678b0
> IOPL = 0
> code segment = base 0x0, limit 0xfffff, type 0x1b
> current process = = DPL 0, pres 1, long
> 1, def32 0, gran 1
> processor eflags = 12 (irq280: ix0:que 3)
> ilock order reversal: (Giant after non-sleepable)
> 1st 0xfffffe0078148b38 ix0:rx(3) (ix0:rx(3)) @
> /usr/src/sys/modules/ixgbe/../../dev/ixgbe/ixgbe.c:4296
> 2nd 0xffffffff814457b8 Giant (Giant) @ /usr/src/sys/dev/usb/input/ukbd.c:1946
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xffffff8496fff320
> kdb_backtrace() at kdb_backtrace+0x39/frame 0xffffff8496fff3d0
> witness_checkorder() at witness_checkorder+0xc47/frame 0xffffff8496fff450
> __mtx_lock_flags() at __mtx_lock_flags+0x89/frame 0xffffff8496fff490
> ukbd_poll() at ukbd_poll+0x28/frame 0xffffff8496fff4b0
> kbdmux_poll() at kbdmux_poll+0x5b/frame 0xffffff8496fff4d0
> cngrab() at cngrab+0x35/frame 0xffffff8496fff4f0
> kdb_trap() at kdb_trap+0x124/frame 0xffffff8496fff550
> trap_fatal() at trap_fatal+0x345/frame 0xffffff8496fff5b0
> trap() at trap+0x836/frame 0xffffff8496fff7c0
> calltrap() at calltrap+0x8/frame 0xffffff8496fff7c0
> --- trap 0x1, rip = 0xffffffff80af5099, rsp = 0xffffff8496fff880, rbp
> = 0xffffff8496fff8b0 ---
> uma_find_refcnt() at uma_find_refcnt+0x79/frame 0xffffff8496fff8b0

-- 
Andriy Gapon