From: Matthew Macy
Date: Mon, 6 Aug 2018 12:43:06 -0700
Subject: Re: panic after ifioctl/if_clone_destroy
To: Hans Petter Selasky
Cc: Roman Bogorodskiy, freebsd-current@freebsd.org

The struct thread is typesafe. The problem is that the link is no longer typesafe now that it’s not part of the thread. Thanks for pointing this out. I’ll commit a fix later today.

-M

On Mon, Aug 6, 2018 at 02:39 Hans Petter Selasky wrote:

> Hi Matthew,
>
> On 08/06/18 10:02, Hans Petter Selasky wrote:
> > - if ((tdwait = TAILQ_FIRST(&record->er_tdlist)) != NULL &&
> > - TD_IS_RUNNING(tdwait->et_td)) {
>
> At least the TD_IS_RUNNING() check is invalid. The "tdwait" structure is
> in the control of the other CPU and "tdwait->et_td" might be invalid at
> any time, so accessing any members here is not a good idea.
>
> It is pretty clear that the epoch was exited during the loop:
>
> etd->et_td = (void*)0xDEADBEEF;
>
> fault virtual address = 0xdeadc2ff
> fault code = supervisor read data, page not present
>
>
> If you remove the TD_IS_RUNNING() check I'm not sure how useful this
> loop will be ...
>
> --HPS
>
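
Review bot: the second removed line, TD_IS_RUNNING(tdwait->et_td), reads through a pointer taken from the entry that TAILQ_FIRST(&record->er_tdlist) returned on the line before, and nothing in these two lines holds that entry or the thread it points to in place while the test runs. Dropping the test removes that read, but the quoted lines show no replacement condition, so whatever now decides how the surrounding loop proceeds should avoid dereferencing et_td, and a comment at this spot should say who owns the entries on er_tdlist and when et_td may be read.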