Date:      Sat, 22 Dec 2012 13:21:24 +0200
From:      Konstantin Belousov <kostikbel@gmail.com>
To:        Andriy Gapon <avg@freebsd.org>
Cc:        Garrett Cooper <yanegomi@gmail.com>, freebsd-net@freebsd.org, FreeBSD Current <freebsd-current@freebsd.org>
Subject:   Re: Fatal trap 1 [Was: "Memory modified after free" - by whom?]
Message-ID:  <20121222112124.GN53644@kib.kiev.ua>
In-Reply-To: <50D5949A.1060505@FreeBSD.org>
References:  <CAGH67wQKUDLQmL8cnWwgzQpWAN2OhKLu0AemPNuy7EOC-i1p9g@mail.gmail.com> <CAJ-Vmo=MsSV3DhAVEP36d+FccHDdQz7+y7v5xTjYKyBP0PfQoQ@mail.gmail.com> <CAMBSHm96ZEiF4mOhUyk-aDS+Gs+hDsh_dMsd-WFcmZ+Sm6Zk+A@mail.gmail.com> <CAGH67wQ8L5R8H7G7s+6b+iKaAz54es8scnASUQ8Env10x1iqzg@mail.gmail.com> <50D5949A.1060505@FreeBSD.org>


On Sat, Dec 22, 2012 at 01:08:10PM +0200, Andriy Gapon wrote:
> on 22/12/2012 02:21 Garrett Cooper said the following:
> > Fatal trap 1: privileged instruction fault while in kernel mode
> > Fatal trap 1: privileged instruction fault while in kernel mode
> 
> Unrelated to the original topic - this looks very weird.
> I mean all the CPUs getting this unusual trap...
> Could you please do 'disassemble 0xffffffff80af5099' in kgdb with the same
> kernel.  Or if you have a different kernel now, please use the "instruction pointer"
> value from a trap with that kernel.
> 
This is due to vtoslab() returning NULL. Since slabref is
dereferenced later, clang tries to be helpful as usual and converts
the !(p->flags & PG_SLAB) case from vtoslab() into a jump to the ud2
instruction if the vtoslab() result is NULL.

So instead of the KASSERT triggering on the next line, you see this improvement.

> > Memory modified after free 0xffffff800040d000(9216) val=5a5a5a5a @
> > 0xffffff800040d000
> > Fatal trap 1: privileged instruction fault while in kernel mode
> > cpuid = 3;
> > cpuid = 1;
> > apic id = 02
> > cpuid = 0; apic id = 06
> > apic id = 00
> > instruction pointer     = 0x20:0xffffffff80af5099
> > instruction pointer     = 0x20:0xffffffff80af5099
> > instruction pointer     = 0x20:0xffffffff80af5099
> > Fatal trap 1: privileged instruction fault while in kernel mode
> > stack pointer           = 0x28:0xffffff8496fff880
> > stack pointer           = 0x28:0xffffff8496fe1880
> > cpuid = 2; frame pointer                = 0x28:0xffffff8496fff8b0
> > frame pointer           = 0x28:0xffffff8496fe18b0
> > stack pointer           = 0x28:0xffffff849705d880
> > code segment            = base 0x0, limit 0xfffff, type 0x1b
> > frame pointer           = 0x28:0xffffff849705d8b0
> > apic id = 04
> > code segment            = base 0x0, limit 0xfffff, type 0x1b
> > code segment            = base 0x0, limit 0xfffff, type 0x1b
> >                         = DPL 0, pres 1, long 1, def32 0, gran 1
> >                         = DPL 0, pres 1, long 1, def32 0, gran 1
> > instruction pointer     = 0x20:0xffffffff80af5099
> > processor eflags        =                       = DPL 0, pres 1, long
> > 1, def32 0, gran 1
> > interrupt enabled, processor eflags     = stack pointer         =
> > 0x28:0xffffff8497067880
> > interrupt enabled, resume, resume, frame pointer                =
> > 0x28:0xffffff84970678b0
> > IOPL = 0
> > code segment            = base 0x0, limit 0xfffff, type 0x1b
> > current process         =                       = DPL 0, pres 1, long
> > 1, def32 0, gran 1
> > processor eflags        = 12 (irq280: ix0:que 3)
> > ilock order reversal: (Giant after non-sleepable)
> >  1st 0xfffffe0078148b38 ix0:rx(3) (ix0:rx(3)) @
> > /usr/src/sys/modules/ixgbe/../../dev/ixgbe/ixgbe.c:4296
> >  2nd 0xffffffff814457b8 Giant (Giant) @ /usr/src/sys/dev/usb/input/ukbd.c:1946
> > KDB: stack backtrace:
> > db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xffffff8496fff320
> > kdb_backtrace() at kdb_backtrace+0x39/frame 0xffffff8496fff3d0
> > witness_checkorder() at witness_checkorder+0xc47/frame 0xffffff8496fff450
> > __mtx_lock_flags() at __mtx_lock_flags+0x89/frame 0xffffff8496fff490
> > ukbd_poll() at ukbd_poll+0x28/frame 0xffffff8496fff4b0
> > kbdmux_poll() at kbdmux_poll+0x5b/frame 0xffffff8496fff4d0
> > cngrab() at cngrab+0x35/frame 0xffffff8496fff4f0
> > kdb_trap() at kdb_trap+0x124/frame 0xffffff8496fff550
> > trap_fatal() at trap_fatal+0x345/frame 0xffffff8496fff5b0
> > trap() at trap+0x836/frame 0xffffff8496fff7c0
> > calltrap() at calltrap+0x8/frame 0xffffff8496fff7c0
> > --- trap 0x1, rip = 0xffffffff80af5099, rsp = 0xffffff8496fff880, rbp
> > = 0xffffff8496fff8b0 ---
> > uma_find_refcnt() at uma_find_refcnt+0x79/frame 0xffffff8496fff8b0
> 
> 
> -- 
> Andriy Gapon
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"

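The pattern kib describes above, as an added example that is not code from the FreeBSD tree or from anyone in this thread: a lookup that returns NULL when PG_SLAB is absent, a caller that dereferences the result on the line after the call and only then asserts it is non-NULL, and the same caller with the check moved before the first use. Every type and function name here (page_t, slab_t, item_t, vtoslab_model, find_refcnt_before, find_refcnt_after, the demo_* fixtures) is a hypothetical stand-in for the kernel's vm_page and uma_slab types, and assert() stands in for KASSERT.

```c
/*
 * Added example; models the check-after-dereference pattern discussed in
 * the thread. Not FreeBSD code: all names below are hypothetical.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PG_SLAB 0x1u

typedef struct item { uint32_t refcnt; } item_t;
typedef struct slab {
	size_t    rsize;   /* size of one item in this slab */
	uintptr_t data;    /* address of the first item */
	item_t    items[4];
} slab_t;
typedef struct page {
	unsigned  flags;
	slab_t   *slab;    /* only meaningful when PG_SLAB is set */
} page_t;

/* Model of vtoslab(): NULL unless the page is marked as backing a slab. */
static slab_t *
vtoslab_model(page_t *p)
{
	if (!(p->flags & PG_SLAB))
		return (NULL);
	return (p->slab);
}

/*
 * "Before": slab is used on the line after the lookup and asserted only
 * afterwards. Dereferencing NULL is undefined behaviour, so once the
 * lookup is inlined the compiler may treat its NULL-returning branch as
 * unreachable and replace it with a trap (clang emits ud2, which FreeBSD
 * reports as trap 1). The assert can then never fire. Only ever call this
 * with a page that has PG_SLAB set.
 */
static uint32_t *
find_refcnt_before(page_t *p, uintptr_t item)
{
	slab_t *slab = vtoslab_model(p);
	size_t rsize = slab->rsize;          /* dereference first ...      */
	assert(slab != NULL);                /* ... check second: dead code */
	return (&slab->items[(item - slab->data) / rsize].refcnt);
}

/* "After": validate the lookup result before anything touches it. */
static int
find_refcnt_after(page_t *p, uintptr_t item, uint32_t **out)
{
	slab_t *slab = vtoslab_model(p);
	if (slab == NULL)
		return (-1);     /* no UB, so the compiler keeps this branch */
	*out = &slab->items[(item - slab->data) / slab->rsize].refcnt;
	return (0);
}

/* Constructed fixture: one slab of four 16-byte items starting at 0x1000. */
static slab_t demo_slab = { 16, 0x1000, { {1}, {2}, {3}, {4} } };
static page_t demo_ok  = { PG_SLAB, &demo_slab };
static page_t demo_bad = { 0, &demo_slab };

int
main(void)
{
	uint32_t *r;

	if (find_refcnt_after(&demo_bad, 0x1020, &r) != 0)
		printf("page without PG_SLAB: refused instead of trapping\n");
	if (find_refcnt_after(&demo_ok, 0x1020, &r) == 0)
		printf("refcnt of item 0x1020 = %u\n", *r);
	return (0);
}
```

The point of the two versions is the ordering, not the check itself: in find_refcnt_before the unconditional slab->rsize read tells the optimizer that slab cannot be NULL on any path that continues, so the PG_SLAB test inside the inlined lookup becomes a branch to a trap and the assertion after it is dead. Moving the NULL test ahead of the first dereference, as in find_refcnt_after, is what keeps a diagnosable failure (a KASSERT message, or an error return) instead of an unexplained privileged-instruction fault.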

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20121222112124.GN53644>