From: Konstantin Belousov
To: Andriy Gapon
Cc: Garrett Cooper, freebsd-net@freebsd.org, FreeBSD Current
Date: Sat, 22 Dec 2012 13:21:24 +0200
Subject: Re: Fatal trap 1 [Was: "Memory modified after free" - by whom?]
Message-ID: <20121222112124.GN53644@kib.kiev.ua>
In-Reply-To: <50D5949A.1060505@FreeBSD.org>

On Sat, Dec 22, 2012 at 01:08:10PM +0200, Andriy Gapon wrote:
> on 22/12/2012 02:21 Garrett Cooper said the following:
> > Fatal trap 1: privileged instruction fault while in kernel mode
> > Fatal trap 1: privileged instruction fault while in kernel mode
>
> Unrelated to the original topic - this looks very weird.
> I mean all the CPUs getting this unusual trap...
> Could you please do 'disassemble 0xffffffff80af5099' in kgdb with the same
> kernel. Or if you have a different kernel now, please use "instruction pointer"
> value from a trap with that kernel.
>
This is due to the vtoslab() returning NULL. Since slabref is dereferenced
later, clang tries to be helpful as usual and converts the
!(p->flags & PG_SLAB) case from vtoslab() into the jump to un2 instruction
if vtoslab() result is NULL. So instead of KASSERT triggering the next line,
you see this improvement.

> > Memory modified after free 0xffffff800040d000(9216) val=5a5a5a5a @
> > 0xffffff800040d000
> > Fatal trap 1: privileged instruction fault while in kernel mode
> > cpuid = 3;
> > cpuid = 1;
> > apic id = 02
> > cpuid = 0; apic id = 06
> > apic id = 00
> > instruction pointer = 0x20:0xffffffff80af5099
> > instruction pointer = 0x20:0xffffffff80af5099
> > instruction pointer = 0x20:0xffffffff80af5099
> > Fatal trap 1: privileged instruction fault while in kernel mode
> > stack pointer = 0x28:0xffffff8496fff880
> > stack pointer = 0x28:0xffffff8496fe1880
> > cpuid = 2; frame pointer = 0x28:0xffffff8496fff8b0
> > frame pointer = 0x28:0xffffff8496fe18b0
> > stack pointer = 0x28:0xffffff849705d880
> > code segment = base 0x0, limit 0xfffff, type 0x1b
> > frame pointer = 0x28:0xffffff849705d8b0
> > apic id = 04
> > code segment = base 0x0, limit 0xfffff, type 0x1b
> > code segment = base 0x0, limit 0xfffff, type 0x1b
> > = DPL 0, pres 1, long 1, def32 0, gran 1
> > = DPL 0, pres 1, long 1, def32 0, gran 1
> > instruction pointer = 0x20:0xffffffff80af5099
> > processor eflags = = DPL 0, pres 1, long
> > 1, def32 0, gran 1
> > interrupt enabled, processor eflags = stack pointer =
> > 0x28:0xffffff8497067880
> > interrupt enabled, resume, resume, frame pointer =
> > 0x28:0xffffff84970678b0
> > IOPL = 0
> > code segment = base 0x0, limit 0xfffff, type 0x1b
> > current process = = DPL 0, pres 1, long
> > 1, def32 0, gran 1
> > processor eflags = 12 (irq280: ix0:que 3)
> > ilock order reversal: (Giant after non-sleepable)
> > 1st 0xfffffe0078148b38 ix0:rx(3) (ix0:rx(3)) @
> > /usr/src/sys/modules/ixgbe/../../dev/ixgbe/ixgbe.c:4296
> > 2nd 0xffffffff814457b8 Giant (Giant) @ /usr/src/sys/dev/usb/input/ukbd.c:1946
> > KDB: stack backtrace:
> > db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xffffff8496fff320
> > kdb_backtrace() at kdb_backtrace+0x39/frame 0xffffff8496fff3d0
> > witness_checkorder() at witness_checkorder+0xc47/frame 0xffffff8496fff450
> > __mtx_lock_flags() at __mtx_lock_flags+0x89/frame 0xffffff8496fff490
> > ukbd_poll() at ukbd_poll+0x28/frame 0xffffff8496fff4b0
> > kbdmux_poll() at kbdmux_poll+0x5b/frame 0xffffff8496fff4d0
> > cngrab() at cngrab+0x35/frame 0xffffff8496fff4f0
> > kdb_trap() at kdb_trap+0x124/frame 0xffffff8496fff550
> > trap_fatal() at trap_fatal+0x345/frame 0xffffff8496fff5b0
> > trap() at trap+0x836/frame 0xffffff8496fff7c0
> > calltrap() at calltrap+0x8/frame 0xffffff8496fff7c0
> > --- trap 0x1, rip = 0xffffffff80af5099, rsp = 0xffffff8496fff880, rbp
> > = 0xffffff8496fff8b0 ---
> > uma_find_refcnt() at uma_find_refcnt+0x79/frame 0xffffff8496fff8b0
>
>
> --
> Andriy Gapon
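
The pattern described in the reply above, as an added example that is not part of the original message and not FreeBSD source: a simplified model of a lookup that returns NULL for a page without PG_SLAB, with a caller that dereferences the result before checking it next to one that checks first. The struct layouts, the PG_SLAB value, the sample data and the names vtoslab_model, keg_flags_deref_first and keg_flags_check_first are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define PG_SLAB 0x1	/* constructed flag value, for this model only */

struct keg  { int uk_flags; };
struct slab { struct keg *us_keg; };
struct page { int flags; struct slab *object; };

/* Constructed sample data: one slab-backed page, one page without PG_SLAB. */
static struct keg  sample_keg  = { 0x10 };
static struct slab sample_slab = { &sample_keg };
static struct page slab_page   = { PG_SLAB, &sample_slab };
static struct page plain_page  = { 0, NULL };

/* Model of the lookup: NULL unless the page is flagged as a slab page. */
static struct slab *vtoslab_model(struct page *p)
{
	return ((p->flags & PG_SLAB) ? p->object : NULL);
}

/*
 * Dereference first, check afterwards. The load through slab makes the
 * slab == NULL case undefined, so an optimizing compiler may delete the
 * later check and compile the NULL path to a trap instead of the error return.
 */
int keg_flags_deref_first(struct page *p)
{
	struct slab *slab = vtoslab_model(p);
	struct keg *keg = slab->us_keg;	/* undefined if slab == NULL */

	if (slab == NULL)		/* too late to be relied on */
		return (-1);
	return (keg->uk_flags);
}

/* Check first: the NULL case stays a defined, reportable error. */
int keg_flags_check_first(struct page *p)
{
	struct slab *slab = vtoslab_model(p);

	return (slab == NULL ? -1 : slab->us_keg->uk_flags);
}

int main(void)
{
	printf("slab page: %d, plain page: %d\n",
	    keg_flags_check_first(&slab_page), keg_flags_check_first(&plain_page));
	return (0);
}
```

Only the check-first variant is called on the page without PG_SLAB; calling keg_flags_deref_first on it is the undefined case the reply attributes the trap to.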