Mapping drm's OBJT_DEFAULT causes crash on munmap

From: Matthew Macy <mmacy_at_nextbsd.org>
Date: Sun, 26 Jun 2016 21:34:59 -0700
Clicking 2 times on the following WebGL demo will cause a panic using drm 3.8/4.6 (this particular usage of OBJT_DEFAULT is one of the few remaining pieces of shared code).

http://myshards.com/

This is the backtrace from HEAD as of f1bd70502f890a8668985030c0aecc3aeacb10ac running the latest Xorg / xf86-video-intel.
(kgdb) bt
#0  doadump (textdump=1)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:298
#1  0xffffffff80fa4da0 in kern_reboot (howto=260)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:366
#2  0xffffffff80fa57df in vpanic (fmt=0xffffffff818a582d "%s", 
    ap=0xfffffe011b84ef50)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:759
#3  0xffffffff80fa5850 in panic (fmt=0xffffffff818a582d "%s")
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/kern/kern_shutdown.c:690
#4  0xffffffff81640e77 in trap_fatal (frame=0xfffffe011b84f520, eva=90)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:841
#5  0xffffffff81640fe8 in trap_pfault (frame=0xfffffe011b84f520, usermode=0)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:691
#6  0xffffffff816400d2 in trap (frame=0xfffffe011b84f520)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:442
#7  0xffffffff8164152a in trap_check (frame=0xfffffe011b84f520)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:635
#8  <signal handler called>
#9  0xffffffff814ab510 in vm_page_dirty_KBI (m=0x0)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_page.c:1095
#10 0xffffffff8162d4c5 in vm_page_dirty (m=0x0)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_page.h:651
#11 0xffffffff8162c733 in pmap_remove_pte (pmap=0xfffff80066f03138, 
    ptq=0xfffff80075b87018, va=639643648, ptepde=1975017575, 
    free=0xfffffe011b84f720, lockp=0xfffffe011b84f770)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/pmap.c:3705
#12 0xffffffff8162b63a in pmap_remove (pmap=0xfffff80066f03138, sva=639643648, 
    eva=637692800)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/pmap.c:3876
#13 0xffffffff814979c3 in vm_map_delete (map=0xfffff80066f03000, start=637689856, 
    end=667054080)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_map.c:3050
#14 0xffffffff814a020a in sys_munmap (td=0xfffff80066cff500, 
    uap=0xfffffe011b84fa58)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/vm/vm_mmap.c:570
#15 0xffffffff81642091 in syscallenter (td=0xfffff80066cff500, 
    sa=0xfffffe011b84fa48)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/../../kern/subr_syscall.c:135
#16 0xffffffff816418da in amd64_syscall (td=0xfffff80066cff500, traced=0)
    at /mnt/storage/mmacy/devel/HEAD_MERGE-master/sys/amd64/amd64/trap.c:942
#17 <signal handler called>
#18 0x000000080fd2d6ba in ?? ()
Backtrace stopped: Cannot access memory at address 0x7fffffffc408


The problem is that the pt entry is marked PG_MANAGED, but there is no corresponding pv_entry.

-M
Received on Mon Jun 27 2016 - 02:35:01 UTC