From owner-freebsd-amd64@FreeBSD.ORG  Wed Feb 25 18:40:04 2009
Return-Path: <owner-freebsd-amd64@FreeBSD.ORG>
Delivered-To: freebsd-amd64@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C6ADD1065675
	for <freebsd-amd64@hub.freebsd.org>;
	Wed, 25 Feb 2009 18:40:04 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id AA6388FC14
	for <freebsd-amd64@hub.freebsd.org>;
	Wed, 25 Feb 2009 18:40:04 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n1PIe3KI059705
	for <freebsd-amd64@freefall.freebsd.org>; Wed, 25 Feb 2009 18:40:03 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n1PIe36k059704;
	Wed, 25 Feb 2009 18:40:03 GMT (envelope-from gnats)
Date: Wed, 25 Feb 2009 18:40:03 GMT
Message-Id: <200902251840.n1PIe36k059704@freefall.freebsd.org>
To: freebsd-amd64@FreeBSD.org
From: =?ISO-8859-1?Q?Olivier_Cochard=2DLabb=E9?= <olivier@freenas.org>
X-Mailman-Approved-At: Wed, 25 Feb 2009 19:01:15 +0000
Cc: 
Subject: Re: amd64/132042: drm module crash the system when closing gnome 
	session
X-BeenThere: freebsd-amd64@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: =?ISO-8859-1?Q?Olivier_Cochard=2DLabb=E9?= <olivier@freenas.org>
List-Id: Porting FreeBSD to the AMD64 platform <freebsd-amd64.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-amd64>,
	<mailto:freebsd-amd64-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-amd64>
List-Post: <mailto:freebsd-amd64@freebsd.org>
List-Help: <mailto:freebsd-amd64-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-amd64>,
	<mailto:freebsd-amd64-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Feb 2009 18:40:05 -0000

The following reply was made to PR amd64/132042; it has been noted by GNATS.

From: =?ISO-8859-1?Q?Olivier_Cochard=2DLabb=E9?= <olivier@freenas.org>
To: John Baldwin <jhb@freebsd.org>
Cc: freebsd-amd64@freebsd.org, freebsd-gnats-submit@freebsd.org, 
	rnoland@freebsd.org
Subject: Re: amd64/132042: drm module crash the system when closing gnome 
	session
Date: Wed, 25 Feb 2009 19:14:38 +0100

 --001636458198773a110463c235d4
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 
 Dear FreeBSD kernel guru,
 
 
 >
 >
 > This is drm specific and not amd64-specific.
 
 
 I know, but on the web page http://www.freebsd.org/send-pr.html, the
 category selection don't propose "drm".
 Then I choose the category related to the kernel that I'm using.
 
 
 >
 > Please go to frame 8 and 'p *m'.  If the 'mtx_lock' member is 6, then the
 > mutex is destroyed and it is a use-after-free bug in drm(4).
 >
 
 (kgdb) frame 8
 #8  0xffffffff802d47aa in _mtx_lock_sleep (m=0xffffff000348a968,
     tid=18446742974229954560, opts=Variable "opts" is not available.
 ) at /usr/src/sys/kern/kern_mutex.c:339
 339                owner = (struct thread *)(v & ~MTX_FLAGMASK);
 (kgdb) p *m
 $1 = {lock_object = {lo_name = 0xffffffffaf198e0f "DRM IRQ lock",
     lo_type = 0xffffffffaf198e0f "DRM IRQ lock", lo_flags = 16908288,
     lo_witness_data = {lod_list = {stqe_next = 0x0}, lod_witness = 0x0}},
   mtx_lock = 6, mtx_recurse = 0}
 
 The mtx_lock is 6, as you predicted.
 
 Regards,
 
 Olivier
 (reading gnu gdb documentation for understanding what "frame" and "p *m"
 mean)
 
 --001636458198773a110463c235d4
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 
 <div class=3D"gmail_quote"><div>Dear FreeBSD kernel guru,<br>=A0<br></div><=
 blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, 2=
 04, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
 <br>
 This is drm specific and not amd64-specific.</blockquote><div><br>I know, b=
 ut on the web page <a href=3D"http://www.freebsd.org/send-pr.html">http://w=
 ww.freebsd.org/send-pr.html</a>, the category selection don&#39;t propose &=
 quot;drm&quot;.<br>
 Then I choose the category related to the kernel that I&#39;m using.<br>=A0=
 <br></div><blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid=
  rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
 <br>
 Please go to frame 8 and &#39;p *m&#39;. =A0If the &#39;mtx_lock&#39; membe=
 r is 6, then the<br>
 mutex is destroyed and it is a use-after-free bug in drm(4).<br>
 <font color=3D"#888888"></font></blockquote><div><br>(kgdb) frame 8<br>#8=
 =A0 0xffffffff802d47aa in _mtx_lock_sleep (m=3D0xffffff000348a968, <br>=A0=
 =A0=A0 tid=3D18446742974229954560, opts=3DVariable &quot;opts&quot; is not =
 available.<br>
 ) at /usr/src/sys/kern/kern_mutex.c:339<br>339=A0=A0=A0 =A0=A0=A0 =A0=A0=A0=
  =A0=A0=A0 owner =3D (struct thread *)(v &amp; ~MTX_FLAGMASK);<br>(kgdb) p =
 *m<br>$1 =3D {lock_object =3D {lo_name =3D 0xffffffffaf198e0f &quot;DRM IRQ=
  lock&quot;, <br>=A0=A0=A0 lo_type =3D 0xffffffffaf198e0f &quot;DRM IRQ loc=
 k&quot;, lo_flags =3D 16908288, <br>
 =A0=A0=A0 lo_witness_data =3D {lod_list =3D {stqe_next =3D 0x0}, lod_witnes=
 s =3D 0x0}}, <br>=A0 mtx_lock =3D 6, mtx_recurse =3D 0}<br><br>The mtx_lock=
  is 6, as you predicted.<br><br>Regards,<br><br>Olivier<br></div></div>(rea=
 ding gnu gdb documentation for understanding what &quot;frame&quot; and &qu=
 ot;p *m&quot; mean)<br>
 
 --001636458198773a110463c235d4--