From: Alexandre Levy
Date: Mon, 17 Aug 2020 10:39:20 +0100
Subject: Re: Kernel crash during video transcoding
To: Hans Petter Selasky
Cc: freebsd-current@freebsd.org

For reference, below is the backtrace, then further down I printed the
structures I could access:

#0  __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1  doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:394
#2  0xffffffff8049c26a in db_dump (dummy=, dummy2=, dummy3=, dummy4=) at
    /usr/src/sys/ddb/db_command.c:575
#3  0xffffffff8049c02c in db_command (last_cmdp=, cmd_table=, dopager=1) at
    /usr/src/sys/ddb/db_command.c:482
#4  0xffffffff8049bd9d in db_command_loop () at
    /usr/src/sys/ddb/db_command.c:535
#5  0xffffffff8049f048 in db_trap (type=, code=) at
    /usr/src/sys/ddb/db_main.c:270
#6  0xffffffff80c1b374 in kdb_trap (type=3, code=0, tf=) at
    /usr/src/sys/kern/subr_kdb.c:699
#7  0xffffffff8100ca98 in trap (frame=0xfffffe00d7567300) at
    /usr/src/sys/amd64/amd64/trap.c:576
#8
#9  kdb_enter (why=0xffffffff811d5de0 "panic", msg=) at
    /usr/src/sys/kern/subr_kdb.c:486
#10 0xffffffff80bd00be in vpanic (fmt=, ap=) at
    /usr/src/sys/kern/kern_shutdown.c:902
#11 0xffffffff80bcfe53 in panic (fmt=0xffffffff81c8c7c8 "\b\214\031\201\377\377\377\377") at
    /usr/src/sys/kern/kern_shutdown.c:839
#12 0xffffffff8100cee7 in trap_fatal (frame=0xfffffe00d7567600, eva=0) at
    /usr/src/sys/amd64/amd64/trap.c:915
#13 0xffffffff8100c360 in trap (frame=0xfffffe00d7567600) at
    /usr/src/sys/amd64/amd64/trap.c:212
#14
#15 _rw_wowned (c=0x2659c92217d5aa52) at
    /usr/src/sys/kern/kern_rwlock.c:270
#16 0xffffffff80ec23ed in vm_page_busy_acquire (m=0xfffffe00040ff9e8, allocflags=16) at
    /usr/src/sys/vm/vm_page.c:884
#17 0xffffffff82b4e980 in intel_plane_can_remap (plane_state=0xfffff80315148300) at
    /usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/display/intel_display.c:2583
#18 0xffffffff82be1c5f in skl_ddb_get_pipe_allocation_limits (dev_priv=0x0, cstate=0x1,
    total_data_rate=18446735292251509792, ddb=0xfffff80368501438, alloc=0xfffff80315148300,
    num_active=0xfffffe00eb0b6c58) at
    /usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/intel_pm.c:3928
#19 0xffffffff82cb5ddf in ?? () at
    /usr/src/sys/compat/linuxkpi/common/include/linux/kref.h:68
    from /boot/modules/i915kms.ko
#20 0xffffffff80ea9e8f in vm_pager_populate (object=0x2659c92217d5aa52, pidx=18446741874754451944,
    fault_type=0, max_prot=0 '\000', first=, last=) at
    /usr/src/sys/vm/vm_pager.h:172
#21 vm_fault_populate (fs=) at /usr/src/sys/vm/vm_fault.c:444
#22 vm_fault_allocate (fs=) at /usr/src/sys/vm/vm_fault.c:1028
#23 vm_fault (map=, vaddr=, fault_type=, fault_flags=, m_hold=) at
    /usr/src/sys/vm/vm_fault.c:1338
#24 0xffffffff80ea98ee in vm_fault_trap (map=0xfffffe00c0f539e8, vaddr=, fault_type=,
    fault_flags=0, signo=0xfffffe00d7567ac4, ucode=0xfffffe00d7567ac0) at
    /usr/src/sys/vm/vm_fault.c:585
#25 0xffffffff8100d0de in trap_pfault (frame=0xfffffe00d7567b00, usermode=, signo=,
    ucode=0xffffffff81d1de80 ) at
    /usr/src/sys/amd64/amd64/trap.c:817
#26 0xffffffff8100c72c in trap (frame=0xfffffe00d7567b00) at
    /usr/src/sys/amd64/amd64/trap.c:340
#27
#28 0x000000080296659a in ?? ()

(kgdb) frame 24
(kgdb) p *map
$35 = {
  header = {
    left = 0xfffff802b72c4060,
    right = 0xfffff803681965a0,
    start = 140737488355328,
    end = 4096,
    next_read = 0,
    max_free = 0,
    object = {
      vm_object = 0x0,
      sub_map = 0x0
    },
    offset = 0,
    eflags = 524288,
    protection = 0 '\000',
    max_protection = 0 '\000',
    inheritance = 0 '\000',
    read_ahead = 0 '\000',
    wired_count = 0,
    cred = 0x0,
    wiring_thread = 0x0
  },
  lock = {
    lock_object = {
      lo_name = 0xffffffff81183cec "vm map (user)",
      lo_flags = 36896768,
      lo_data = 0,
      lo_witness = 0xfffff8045f575780
    },
    sx_lock = 1
  },
  system_mtx = {
    lock_object = {
      lo_name = 0xffffffff81136b96 "vm map (system)",
      lo_flags = 21168128,
      lo_data = 0,
      lo_witness = 0xfffff8045f575580
    },
    mtx_lock = 0
  },
  nentries = 172,
  size = 199905280,
  timestamp = 792,
  needs_wakeup = 0 '\000',
  system_map = 0 '\000',
  flags = 0 '\000',
  root = 0xfffff803686b1c00,
  pmap = 0xfffffe00c0f53b08,
  anon_loc = 34366283776,
  busy = 0
}
(kgdb) frame 15
#15 _rw_wowned (c=0x2659c92217d5aa52) at
    /usr/src/sys/kern/kern_rwlock.c:270
270     return (rw_wowner(rwlock2rw(c)) == curthread);
(kgdb) p/x c
$14 = 0x2659c92217d5aa52
(kgdb) up
#16 0xffffffff80ec23ed in vm_page_busy_acquire (m=0xfffffe00040ff9e8, allocflags=16) at
    /usr/src/sys/vm/vm_page.c:884
884     locked = VM_OBJECT_WOWNED(obj);
(kgdb) p *m
$16 = {
  plinks = {
    q = {
      tqe_next = 0x578491b51dd60510,
      tqe_prev = 0xd78c11bd9dde8518
    },
    s = {
      ss = {
        sle_next = 0x578491b51dd60510
      }
    },
    memguard = {
      p = 6306325585301210384,
      v = 15531808720989095192
    },
    uma = {
      slab = 0x578491b51dd60510,
      zone = 0xd78c11bd9dde8518
    }
  },
  listq = {
    tqe_next = 0xd78c11bd9dde8518,
    tqe_prev = 0x265bc92017d7aa38
  },
  object = 0x2659c92217d5aa3a,
  pindex = 2758957463725517354,
  phys_addr = 2758957463725517354,
  md = {
    pv_list = {
      tqh_first = 0x2e49c1321fc5a22a,
      tqh_last = 0x3e4bd1300fc7b228
    },
    pv_gen = 265794104,
    pat_mode = 1046204704
  },
  ref_count = 257405624,
  busy_lock = 1054593440,
  a = {
    {
      flags = 4757,
      queue = 48 '0',
      act_count = 134 '\206'
    },
    _bits = 2251297429
  },
  order = 98 'b',
  pool = 204 '\314',
  flags = 75 'K',
  oflags = 105 'i',
  psind = -107 '\225',
  segind = 18 '\022',
  valid = 48 '0',
  dirty = 134 '\206'
}
(kgdb) up
#17 0xffffffff82b4e980 in intel_plane_can_remap (plane_state=0xfffff80315148300) at
    /usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/display/intel_display.c:2583
2583    if (plane->id == PLANE_CURSOR)
(kgdb) p *plane_state
$18 = {
  base = {
    plane = 0x0,
    crtc = 0x300000,
    fb = 0x100000,
    fence = 0x1b,
    crtc_x = 104451,
    crtc_y = 0,
    crtc_w = 734353152,
    crtc_h = 4294965248,
    src_x = 3949985792,
    src_y = 4294966784,
    src_h = 2193719064,
    src_w = 4294967295,
    alpha = 30720,
    pixel_blend_mode = 64271,
    rotation = 4294965250,
    zpos = 0,
    normalized_zpos = 0,
    color_encoding = DRM_COLOR_YCBCR_BT601,
    color_range = DRM_COLOR_YCBCR_LIMITED_RANGE,
    fb_damage_clips = 0x0,
    src = {
      x1 = 0,
      y1 = 0,
      x2 = 353665888,
      y2 = -2045
    },
    dst = {
      x1 = 1750078496,
      y1 = -2045,
      x2 = 0,
      y2 = 0
    },
    visible = false,
    commit = 0xffffffff82cc3370 ,
    state = 0x0
  },
  view = {
    type = I915_GGTT_VIEW_NORMAL,
    {
      partial = {
        offset = 0,
        size = 0
      },
      rotated = {
        plane = {{
            width = 0,
            height = 0,
            stride = 0,
            offset = 0
          }, {
            width = 0,
            height = 0,
            stride = 0,
            offset = 0
          }}
      },
      remapped = {
        plane = {{
            width = 0,
            height = 0,
            stride = 0,
            offset = 0
          }, {
            width = 0,
            height = 0,
            stride = 0,
            offset = 0
          }},
        unused_mbz = 0
      }
    }
  },
  vma = 0x0,
  flags = 0,
  color_plane = {{
      offset = 0,
      stride = 0,
      x = 0,
      y = 0
    }, {
      offset = 0,
      stride = 0,
      x = 0,
      y = 0
    }},
  ctl = 0,
  color_ctl = 0,
  scaler_id = 0,
  linked_plane = 0xfffff80315148500,
  slave = 353665024,
  ckey = {
    plane_id = 4294965251,
    min_value = 3735929054,
    channel_mask = 3735929054,
    max_value = 3735929054,
    flags = 3735928833
  }
}
(kgdb) p *plane_state->linked_plane
$19 = {
  base = {
    dev = 0xfffff802f50d3910,
    head = {
      next = 0xfffff80315148400,
      prev = 0xdeadc0dedeadc0de
    },
    name = 0xdeadc001deadc0de ,
    mutex = {
      mutex = {
        base = {
          sx = {
            lock_object = {
              lo_name = 0x28274 ,
              lo_flags = 5,
              lo_data = 0,
              lo_witness = 0x60
            },
            sx_lock = 3907697
          }
        },
        condvar = {
          cv_description = 0x0,
          cv_waiters = 50644
        },
        ctx = 0x3336663265336563
      },
      head = {
        next = 0x6433633439633264,
        prev = 0x3131623462353561
      }
    },
    base = {
      id = 912548663,
      type = 825506101,
      properties = 0x61632e3436656c2d,
      refcount = {
        refcount = {
          counter = 761620579
        }
      },
      free_cb = 0xdeadc0dedead004b
    },
    possible_crtcs = 3735929054,
    format_types = 0xdeadc0dedeadc0de,
    format_count = 3735929054,
    format_default = 222,
    modifiers = 0xdeadc0dedeadc0de,
    modifier_count = 3735929054,
    crtc = 0xdeadc0dedeadc0de,
    fb = 0xdeadc0dedeadc0de,
    old_fb = 0xdeadc0dedeadc0de,
    funcs = 0xdeadc0dedeadc0de,
    properties = {
      count = -559038242,
      properties = {0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xffffffff825f20c0 , 0xdeadc0dedeadc0de },
      values = {16045693110842147038 , 18446744071601856704, 16045693110842147038 }
    },
    type = (DRM_PLANE_TYPE_CURSOR | unknown: 3735929052),
    index = 3735929054,
    helper_private = 0xdeadc0dedeadc0de,
    state = 0xdeadc0dedeadc0de,
    alpha_property = 0xdeadc0dedeadc0de,
    zpos_property = 0xdeadc0dedeadc0de,
    rotation_property = 0xdeadc0dedeadc0de,
    blend_mode_property = 0xdeadc0dedeadc0de,
    color_encoding_property = 0xdeadc0dedeadc0de,
    color_range_property = 0xdeadc0dedeadc0de
  },
  i9xx_plane = (PLANE_C | unknown: 3735929052),
  id = 3735929054,
  pipe = -559038242,
  has_fbc = 222,
  has_ccs = 192,
  frontbuffer_bit = 3735929054,
  cursor = {
    base = 3735929054,
    cntl = 3735929054,
    size = 3735929054
  },
  max_stride = 0xdeadc0dedeadc0de,
  update_plane = 0xdeadc0dedeadc0de,
  update_slave = 0xdeadc0dedeadc0de,
  disable_plane = 0xdeadc0dedeadc0de,
  get_hw_state = 0xdeadc0dedeadc0de,
  check_plane = 0xdeadc0dedeadc0de
}

On Mon, 17 Aug 2020 at 09:03, Hans Petter Selasky wrote:

> On 2020-08-16 22:23, Alexandre Levy wrote:
> > (kgdb) p *m
> > $2 = {plinks = {q = {tqe_next = 0x578491b51dd60510, tqe_prev =
> > 0xd78c11bd9dde8518}, s = {ss = {sle_next = 0x578491b51dd60510}}, memguard =
> > {p = 6306325585301210384,
> > v = 15531808720989095192}, uma = {slab = 0x578491b51dd60510, zone =
> > 0xd78c11bd9dde8518}}, listq = {tqe_next = 0xd78c11bd9dde8518, tqe_prev =
> > 0x265bc92017d7aa38},
> > object = 0x2659c92217d5aa3a, pindex = 2758957463725517354, phys_addr =
> > 2758957463725517354, md = {pv_list = {tqh_first = 0x2e49c1321fc5a22a,
> > tqh_last = 0x3e4bd1300fc7b228},
> > pv_gen = 265794104, pat_mode = 1046204704}, ref_count = 257405624,
> > busy_lock = 1054593440, a = {{flags = 4757, queue = 48 '0', act_count = 134
> > '\206'}, _bits = 2251297429},
> > order = 98 'b', pool = 204 '\314', flags = 75 'K', oflags = 105 'i',
> > psind = -107 '\225', segind = 18 '\022', valid = 48 '0', dirty = 134 '\206'}
>
> This "m" structure looks freed.
>
> It looks like a use after free issue.
>
> Can you enter this in GDB:
>
> set print pretty on
>
> Then dump some more structures you can get hold of?
>
> --HPS
>
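
A triage sketch for dumps like the ones in this message, added here as an example and not part of the original thread: it classifies each hex word in kgdb output as the 0xdeadc0de fill that FreeBSD's UMA debug code (sys/vm/uma_dbg.c) writes into freed items on INVARIANTS kernels, as a non-canonical amd64 address, or as a plausible pointer. The function names are this example's own, 48-bit virtual addresses are assumed, and the sample lines are copied from the dumps above.

```python
import re
from collections import Counter

UMA_JUNK = 0xdeadc0de   # 32-bit fill FreeBSD's UMA debug code writes on free
HEX_WORD = re.compile(r"(\w+) = (0x[0-9a-f]+)")

def classify(value):
    """Classify one 64-bit word taken from a kgdb struct dump."""
    if value == 0:
        return "null"
    # Either half matching catches fields partly overwritten after the free.
    if value >> 32 == UMA_JUNK or value & 0xffffffff == UMA_JUNK:
        return "freed-fill"
    # Assumption: 48-bit virtual addresses, so bits 63..47 must all be equal.
    top = value >> 47
    if top not in (0, 0x1ffff):
        return "non-canonical"
    return "kernel-ptr" if top else "low-value"

def triage(dump_text):
    """Return (Counter of classes, [(field, class)] for suspicious words)."""
    counts, suspicious = Counter(), []
    for field, word in HEX_WORD.findall(dump_text):
        kind = classify(int(word, 16))
        counts[kind] += 1
        if kind in ("freed-fill", "non-canonical"):
            suspicious.append((field, kind))
    return counts, suspicious

# Sample lines copied from the kgdb output in this message.
SAMPLE = """
  object = 0x2659c92217d5aa3a,
  tqe_next = 0x578491b51dd60510,
  linked_plane = 0xfffff80315148500,
  dev = 0xfffff802f50d3910,
  prev = 0xdeadc0dedeadc0de
  name = 0xdeadc001deadc0de ,
  funcs = 0xdeadc0dedeadc0de,
  vma = 0x0,
"""

if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE)
    print(dict(counts))
    for field, kind in suspicious:
        print(f"{field}: {kind}")
```

A non-canonical value in a pointer field means the word cannot be a valid address at all, so dereferencing it faults immediately, as frame 15 does with c=0x2659c92217d5aa52.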