Date: Mon, 17 Aug 2020 10:39:20 +0100
From: Alexandre Levy <a13xlevy@gmail.com>
To: Hans Petter Selasky <hps@selasky.org>
Cc: freebsd-current@freebsd.org
Subject: Re: Kernel crash during video transcoding
Message-ID: <CAEWSB30g%2Bh7X5NLDcbVuOFyxOQfo%2Bvz2SnvShPf4uVO%2Bw3TsTg@mail.gmail.com>
In-Reply-To: <c2e0385d-8860-be33-7e79-e09bef8c8703@selasky.org>
References: <CAEWSB323c2zapSG30OS5T30Wd_bpT=7NbvrPtsyQDRRHQUf7qA@mail.gmail.com>
 <13793020-1bde-b13f-65e3-909e27d876ad@selasky.org>
 <CAEWSB323KtVrixgRyKsekdgcGjFm4kUqG6qDE59Aev3Cc6sYBg@mail.gmail.com>
 <4e9d9a89-4883-1f1c-c796-e5925fd171cc@selasky.org>
 <CAEWSB30YNwQ7Bpv00P-B=TTHCqT_aFm30552n51Pic1uN5hnZQ@mail.gmail.com>
 <CAEWSB33_ka2aQb81UmODu72Be_9Vvqi4Qb-jfXHEZ1HgCqwADQ@mail.gmail.com>
 <51a2fe4f-5a3e-8d24-19e2-3cdaa8378015@selasky.org>
 <CAEWSB32oKbaE4M=V3H8F9rJv%2BL1ivKejhGAXmHMxOKkyYQLCxg@mail.gmail.com>
 <CAEWSB33-harOEk3v4rWBMQQJwfOtJmap-qBqAjc33__nLYKLrQ@mail.gmail.com>
 <5fe820c0-69af-8c41-69d6-a3c33ed55e2e@selasky.org>
 <CAEWSB32P47nCfa7%2BKhBNg89hPx_rrsWrRobVV6v4zxX0UGzNJw@mail.gmail.com>
 <c2e0385d-8860-be33-7e79-e09bef8c8703@selasky.org>
For reference, below is the backtrace, then further down I printed the structures I could access:

#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1  doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:394
#2  0xffffffff8049c26a in db_dump (dummy=<optimized out>, dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at /usr/src/sys/ddb/db_command.c:575
#3  0xffffffff8049c02c in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=1) at /usr/src/sys/ddb/db_command.c:482
#4  0xffffffff8049bd9d in db_command_loop () at /usr/src/sys/ddb/db_command.c:535
#5  0xffffffff8049f048 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:270
#6  0xffffffff80c1b374 in kdb_trap (type=3, code=0, tf=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:699
#7  0xffffffff8100ca98 in trap (frame=0xfffffe00d7567300) at /usr/src/sys/amd64/amd64/trap.c:576
#8  <signal handler called>
#9  kdb_enter (why=0xffffffff811d5de0 "panic", msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:486
#10 0xffffffff80bd00be in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:902
#11 0xffffffff80bcfe53 in panic (fmt=0xffffffff81c8c7c8 <cnputs_mtx> "\b\214\031\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:839
#12 0xffffffff8100cee7 in trap_fatal (frame=0xfffffe00d7567600, eva=0) at /usr/src/sys/amd64/amd64/trap.c:915
#13 0xffffffff8100c360 in trap (frame=0xfffffe00d7567600) at /usr/src/sys/amd64/amd64/trap.c:212
#14 <signal handler called>
#15 _rw_wowned (c=0x2659c92217d5aa52) at /usr/src/sys/kern/kern_rwlock.c:270
#16 0xffffffff80ec23ed in vm_page_busy_acquire (m=0xfffffe00040ff9e8, allocflags=16) at /usr/src/sys/vm/vm_page.c:884
#17 0xffffffff82b4e980 in intel_plane_can_remap (plane_state=0xfffff80315148300) at /usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/display/intel_display.c:2583
#18 0xffffffff82be1c5f in skl_ddb_get_pipe_allocation_limits (dev_priv=0x0, cstate=0x1, total_data_rate=18446735292251509792, ddb=0xfffff80368501438, alloc=0xfffff80315148300, num_active=0xfffffe00eb0b6c58) at /usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/intel_pm.c:3928
#19 0xffffffff82cb5ddf in ?? () at /usr/src/sys/compat/linuxkpi/common/include/linux/kref.h:68 from /boot/modules/i915kms.ko
#20 0xffffffff80ea9e8f in vm_pager_populate (object=0x2659c92217d5aa52, pidx=18446741874754451944, fault_type=0, max_prot=0 '\000', first=<optimized out>, last=<optimized out>) at /usr/src/sys/vm/vm_pager.h:172
#21 vm_fault_populate (fs=<optimized out>) at /usr/src/sys/vm/vm_fault.c:444
#22 vm_fault_allocate (fs=<optimized out>) at /usr/src/sys/vm/vm_fault.c:1028
#23 vm_fault (map=<optimized out>, vaddr=<optimized out>, fault_type=<optimized out>, fault_flags=<optimized out>, m_hold=<optimized out>) at /usr/src/sys/vm/vm_fault.c:1338
#24 0xffffffff80ea98ee in vm_fault_trap (map=0xfffffe00c0f539e8, vaddr=<optimized out>, fault_type=<optimized out>, fault_flags=0, signo=0xfffffe00d7567ac4, ucode=0xfffffe00d7567ac0) at /usr/src/sys/vm/vm_fault.c:585
#25 0xffffffff8100d0de in trap_pfault (frame=0xfffffe00d7567b00, usermode=<optimized out>, signo=<optimized out>, ucode=0xffffffff81d1de80 <w_locklistdata+160624>) at /usr/src/sys/amd64/amd64/trap.c:817
#26 0xffffffff8100c72c in trap (frame=0xfffffe00d7567b00) at /usr/src/sys/amd64/amd64/trap.c:340
#27 <signal handler called>
#28 0x000000080296659a in ?? ()

(kgdb) frame 24
(kgdb) p *map
$35 = {
  header = {
    left = 0xfffff802b72c4060,
    right = 0xfffff803681965a0,
    start = 140737488355328,
    end = 4096,
    next_read = 0,
    max_free = 0,
    object = {
      vm_object = 0x0,
      sub_map = 0x0
    },
    offset = 0,
    eflags = 524288,
    protection = 0 '\000',
    max_protection = 0 '\000',
    inheritance = 0 '\000',
    read_ahead = 0 '\000',
    wired_count = 0,
    cred = 0x0,
    wiring_thread = 0x0
  },
  lock = {
    lock_object = {
      lo_name = 0xffffffff81183cec "vm map (user)",
      lo_flags = 36896768,
      lo_data = 0,
      lo_witness = 0xfffff8045f575780
    },
    sx_lock = 1
  },
  system_mtx = {
    lock_object = {
      lo_name = 0xffffffff81136b96 "vm map (system)",
      lo_flags = 21168128,
      lo_data = 0,
      lo_witness = 0xfffff8045f575580
    },
    mtx_lock = 0
  },
  nentries = 172,
  size = 199905280,
  timestamp = 792,
  needs_wakeup = 0 '\000',
  system_map = 0 '\000',
  flags = 0 '\000',
  root = 0xfffff803686b1c00,
  pmap = 0xfffffe00c0f53b08,
  anon_loc = 34366283776,
  busy = 0
}

(kgdb) frame 15
#15 _rw_wowned (c=0x2659c92217d5aa52) at /usr/src/sys/kern/kern_rwlock.c:270
270             return (rw_wowner(rwlock2rw(c)) == curthread);
(kgdb) p/x c
$14 = 0x2659c92217d5aa52

(kgdb) up
#16 0xffffffff80ec23ed in vm_page_busy_acquire (m=0xfffffe00040ff9e8, allocflags=16) at /usr/src/sys/vm/vm_page.c:884
884             locked = VM_OBJECT_WOWNED(obj);
(kgdb) p *m
$16 = {
  plinks = {
    q = {
      tqe_next = 0x578491b51dd60510,
      tqe_prev = 0xd78c11bd9dde8518
    },
    s = {
      ss = {
        sle_next = 0x578491b51dd60510
      }
    },
    memguard = {
      p = 6306325585301210384,
      v = 15531808720989095192
    },
    uma = {
      slab = 0x578491b51dd60510,
      zone = 0xd78c11bd9dde8518
    }
  },
  listq = {
    tqe_next = 0xd78c11bd9dde8518,
    tqe_prev = 0x265bc92017d7aa38
  },
  object = 0x2659c92217d5aa3a,
  pindex = 2758957463725517354,
  phys_addr = 2758957463725517354,
  md = {
    pv_list = {
      tqh_first = 0x2e49c1321fc5a22a,
      tqh_last = 0x3e4bd1300fc7b228
    },
    pv_gen = 265794104,
    pat_mode = 1046204704
  },
  ref_count = 257405624,
  busy_lock = 1054593440,
  a = {
    {
      flags = 4757,
      queue = 48 '0',
      act_count = 134 '\206'
    },
    _bits = 2251297429
  },
  order = 98 'b',
  pool = 204 '\314',
  flags = 75 'K',
  oflags = 105 'i',
  psind = -107 '\225',
  segind = 18 '\022',
  valid = 48 '0',
  dirty = 134 '\206'
}

(kgdb) up
#17 0xffffffff82b4e980 in intel_plane_can_remap (plane_state=0xfffff80315148300) at /usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/display/intel_display.c:2583
2583            if (plane->id == PLANE_CURSOR)
(kgdb) p *plane_state
$18 = {
  base = {
    plane = 0x0,
    crtc = 0x300000,
    fb = 0x100000,
    fence = 0x1b,
    crtc_x = 104451,
    crtc_y = 0,
    crtc_w = 734353152,
    crtc_h = 4294965248,
    src_x = 3949985792,
    src_y = 4294966784,
    src_h = 2193719064,
    src_w = 4294967295,
    alpha = 30720,
    pixel_blend_mode = 64271,
    rotation = 4294965250,
    zpos = 0,
    normalized_zpos = 0,
    color_encoding = DRM_COLOR_YCBCR_BT601,
    color_range = DRM_COLOR_YCBCR_LIMITED_RANGE,
    fb_damage_clips = 0x0,
    src = {
      x1 = 0,
      y1 = 0,
      x2 = 353665888,
      y2 = -2045
    },
    dst = {
      x1 = 1750078496,
      y1 = -2045,
      x2 = 0,
      y2 = 0
    },
    visible = false,
    commit = 0xffffffff82cc3370 <gem_record_fences+48>,
    state = 0x0
  },
  view = {
    type = I915_GGTT_VIEW_NORMAL,
    {
      partial = {
        offset = 0,
        size = 0
      },
      rotated = {
        plane = {{
            width = 0,
            height = 0,
            stride = 0,
            offset = 0
          }, {
            width = 0,
            height = 0,
            stride = 0,
            offset = 0
          }}
      },
      remapped = {
        plane = {{
            width = 0,
            height = 0,
            stride = 0,
            offset = 0
          }, {
            width = 0,
            height = 0,
            stride = 0,
            offset = 0
          }},
        unused_mbz = 0
      }
    }
  },
  vma = 0x0,
  flags = 0,
  color_plane = {{
      offset = 0,
      stride = 0,
      x = 0,
      y = 0
    }, {
      offset = 0,
      stride = 0,
      x = 0,
      y = 0
    }},
  ctl = 0,
  color_ctl = 0,
  scaler_id = 0,
  linked_plane = 0xfffff80315148500,
  slave = 353665024,
  ckey = {
    plane_id = 4294965251,
    min_value = 3735929054,
    channel_mask = 3735929054,
    max_value = 3735929054,
    flags = 3735928833
  }
}

(kgdb) p *plane_state->linked_plane
$19 = {
  base = {
    dev = 0xfffff802f50d3910,
    head = {
      next = 0xfffff80315148400,
      prev = 0xdeadc0dedeadc0de
    },
    name = 0xdeadc001deadc0de <error: Cannot access memory at address 0xdeadc001deadc0de>,
    mutex = {
      mutex = {
        base = {
          sx = {
            lock_object = {
              lo_name = 0x28274 <error: Cannot access memory at address 0x28274>,
              lo_flags = 5,
              lo_data = 0,
              lo_witness = 0x60
            },
            sx_lock = 3907697
          }
        },
        condvar = {
          cv_description = 0x0,
          cv_waiters = 50644
        },
        ctx = 0x3336663265336563
      },
      head = {
        next = 0x6433633439633264,
        prev = 0x3131623462353561
      }
    },
    base = {
      id = 912548663,
      type = 825506101,
      properties = 0x61632e3436656c2d,
      refcount = {
        refcount = {
          counter = 761620579
        }
      },
      free_cb = 0xdeadc0dedead004b
    },
    possible_crtcs = 3735929054,
    format_types = 0xdeadc0dedeadc0de,
    format_count = 3735929054,
    format_default = 222,
    modifiers = 0xdeadc0dedeadc0de,
    modifier_count = 3735929054,
    crtc = 0xdeadc0dedeadc0de,
    fb = 0xdeadc0dedeadc0de,
    old_fb = 0xdeadc0dedeadc0de,
    funcs = 0xdeadc0dedeadc0de,
    properties = {
      count = -559038242,
      properties = {0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xffffffff825f20c0 <M_SOLARIS>, 0xdeadc0dedeadc0de <repeats 19 times>},
      values = {16045693110842147038 <repeats 12 times>, 18446744071601856704, 16045693110842147038 <repeats 11 times>}
    },
    type = (DRM_PLANE_TYPE_CURSOR | unknown: 3735929052),
    index = 3735929054,
    helper_private = 0xdeadc0dedeadc0de,
    state = 0xdeadc0dedeadc0de,
    alpha_property = 0xdeadc0dedeadc0de,
    zpos_property = 0xdeadc0dedeadc0de,
    rotation_property = 0xdeadc0dedeadc0de,
    blend_mode_property = 0xdeadc0dedeadc0de,
    color_encoding_property = 0xdeadc0dedeadc0de,
    color_range_property = 0xdeadc0dedeadc0de
  },
  i9xx_plane = (PLANE_C | unknown: 3735929052),
  id = 3735929054,
  pipe = -559038242,
  has_fbc = 222,
  has_ccs = 192,
  frontbuffer_bit = 3735929054,
  cursor = {
    base = 3735929054,
    cntl = 3735929054,
    size = 3735929054
  },
  max_stride = 0xdeadc0dedeadc0de,
  update_plane = 0xdeadc0dedeadc0de,
  update_slave = 0xdeadc0dedeadc0de,
  disable_plane = 0xdeadc0dedeadc0de,
  get_hw_state = 0xdeadc0dedeadc0de,
  check_plane = 0xdeadc0dedeadc0de
}

On Mon, 17 Aug 2020 at 09:03, Hans Petter Selasky <hps@selasky.org> wrote:
> On 2020-08-16 22:23, Alexandre Levy wrote:
> > (kgdb) p *m
> > $2 = {plinks = {q = {tqe_next = 0x578491b51dd60510, tqe_prev =
> > 0xd78c11bd9dde8518}, s = {ss = {sle_next = 0x578491b51dd60510}}, memguard =
> > {p = 6306325585301210384,
> > v = 15531808720989095192}, uma = {slab = 0x578491b51dd60510, zone =
> > 0xd78c11bd9dde8518}}, listq = {tqe_next = 0xd78c11bd9dde8518, tqe_prev =
> > 0x265bc92017d7aa38},
> > object = 0x2659c92217d5aa3a, pindex = 2758957463725517354, phys_addr =
> > 2758957463725517354, md = {pv_list = {tqh_first = 0x2e49c1321fc5a22a,
> > tqh_last = 0x3e4bd1300fc7b228},
> > pv_gen = 265794104, pat_mode = 1046204704}, ref_count = 257405624,
> > busy_lock = 1054593440, a = {{flags = 4757, queue = 48 '0', act_count =
> > 134 '\206'}, _bits = 2251297429},
> > order = 98 'b', pool = 204 '\314', flags = 75 'K', oflags = 105 'i',
> > psind = -107 '\225', segind = 18 '\022', valid = 48 '0', dirty = 134
> > '\206'}
>
> This "m" structure looks freed.
>
> It looks like a use after free issue.
>
> Can you enter this in GDB:
>
> set print pretty on
>
> Then dump some more structures you can get hold of?
>
> --HPS
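As an added illustration of the "looks freed" triage HPS applies above (editor's example, not code from the thread or from FreeBSD): a small C scan that classifies each 64-bit word of a dumped struct against the free-poison word FreeBSD's UMA allocator writes into freed items on kernels built with INVARIANTS, counting fully poisoned words separately from half-overwritten ones like the `name` and `free_cb` fields, which indicate a write after the free. The sample values are copied from the linked_plane dump above; the majority threshold in looks_freed is the example's own heuristic.

```c
#include <stddef.h>
#include <stdint.h>

/* FreeBSD's UMA fills freed items with uma_junk = 0xdeadc0de on INVARIANTS
 * kernels, so a freed struct reads back as 0xdeadc0dedeadc0de per word. */
#define UMA_JUNK 0xdeadc0deU

struct poison_report {
    size_t full;    /* both 32-bit halves junk: untouched since the free */
    size_t partial; /* one half junk: something wrote here after the free */
    size_t clean;   /* no junk: live data */
};

/* Classify each 64-bit word of a dumped structure. */
struct poison_report scan_poison(const uint64_t *words, size_t n)
{
    struct poison_report r = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        int lo = (uint32_t)words[i] == UMA_JUNK;
        int hi = (uint32_t)(words[i] >> 32) == UMA_JUNK;
        if (lo && hi) r.full++;
        else if (lo || hi) r.partial++;
        else r.clean++;
    }
    return r;
}

/* Triage heuristic (this example's own): treat the object as freed when
 * more than half of its words carry the junk pattern, fully or partially. */
int looks_freed(const struct poison_report *r)
{
    size_t total = r->full + r->partial + r->clean;
    return total > 0 && (r->full + r->partial) * 2 > total;
}

/* Constructed sample: pointer-sized fields copied from the linked_plane dump. */
static const uint64_t sample_linked_plane[] = {
    0xfffff802f50d3910ULL, /* base.dev: live kernel pointer */
    0xfffff80315148400ULL, /* base.head.next */
    0xdeadc0dedeadc0deULL, /* base.head.prev */
    0xdeadc001deadc0deULL, /* base.name: high half overwritten after free */
    0xdeadc0dedead004bULL, /* base.base.free_cb: low half overwritten after free */
    0xdeadc0dedeadc0deULL, /* format_types */
    0xdeadc0dedeadc0deULL, /* modifiers */
    0xdeadc0dedeadc0deULL, /* crtc */
    0xdeadc0dedeadc0deULL, /* fb */
    0xdeadc0dedeadc0deULL, /* funcs */
};
#define SAMPLE_N (sizeof(sample_linked_plane) / sizeof(sample_linked_plane[0]))
```

Running scan_poison over the sample reports 6 fully poisoned, 2 partially overwritten and 2 clean words, so looks_freed returns true; the two partial words are the ones worth a closer look, since something touched the object after it was released.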