For reference, below is the backtrace; further down I have printed the structures I could access:

#0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:394
#2 0xffffffff8049c26a in db_dump (dummy=<optimized out>, dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at /usr/src/sys/ddb/db_command.c:575
#3 0xffffffff8049c02c in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=1) at /usr/src/sys/ddb/db_command.c:482
#4 0xffffffff8049bd9d in db_command_loop () at /usr/src/sys/ddb/db_command.c:535
#5 0xffffffff8049f048 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:270
#6 0xffffffff80c1b374 in kdb_trap (type=3, code=0, tf=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:699
#7 0xffffffff8100ca98 in trap (frame=0xfffffe00d7567300) at /usr/src/sys/amd64/amd64/trap.c:576
#8 <signal handler called>
#9 kdb_enter (why=0xffffffff811d5de0 "panic", msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:486
#10 0xffffffff80bd00be in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:902
#11 0xffffffff80bcfe53 in panic (fmt=0xffffffff81c8c7c8 <cnputs_mtx> "\b\214\031\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:839
#12 0xffffffff8100cee7 in trap_fatal (frame=0xfffffe00d7567600, eva=0) at /usr/src/sys/amd64/amd64/trap.c:915
#13 0xffffffff8100c360 in trap (frame=0xfffffe00d7567600) at /usr/src/sys/amd64/amd64/trap.c:212
#14 <signal handler called>
#15 _rw_wowned (c=0x2659c92217d5aa52) at /usr/src/sys/kern/kern_rwlock.c:270
#16 0xffffffff80ec23ed in vm_page_busy_acquire (m=0xfffffe00040ff9e8, allocflags=16) at /usr/src/sys/vm/vm_page.c:884
#17 0xffffffff82b4e980 in intel_plane_can_remap (plane_state=0xfffff80315148300) at /usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/display/intel_display.c:2583
#18 0xffffffff82be1c5f in skl_ddb_get_pipe_allocation_limits (dev_priv=0x0, cstate=0x1, total_data_rate=18446735292251509792, ddb=0xfffff80368501438, alloc=0xfffff80315148300, num_active=0xfffffe00eb0b6c58) at /usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/intel_pm.c:3928
#19 0xffffffff82cb5ddf in ?? () at /usr/src/sys/compat/linuxkpi/common/include/linux/kref.h:68 from /boot/modules/i915kms.ko
#20 0xffffffff80ea9e8f in vm_pager_populate (object=0x2659c92217d5aa52, pidx=18446741874754451944, fault_type=0, max_prot=0 '\000', first=<optimized out>, last=<optimized out>) at /usr/src/sys/vm/vm_pager.h:172
#21 vm_fault_populate (fs=<optimized out>) at /usr/src/sys/vm/vm_fault.c:444
#22 vm_fault_allocate (fs=<optimized out>) at /usr/src/sys/vm/vm_fault.c:1028
#23 vm_fault (map=<optimized out>, vaddr=<optimized out>, fault_type=<optimized out>, fault_flags=<optimized out>, m_hold=<optimized out>) at /usr/src/sys/vm/vm_fault.c:1338
#24 0xffffffff80ea98ee in vm_fault_trap (map=0xfffffe00c0f539e8, vaddr=<optimized out>, fault_type=<optimized out>, fault_flags=0, signo=0xfffffe00d7567ac4, ucode=0xfffffe00d7567ac0) at /usr/src/sys/vm/vm_fault.c:585
#25 0xffffffff8100d0de in trap_pfault (frame=0xfffffe00d7567b00, usermode=<optimized out>, signo=<optimized out>, ucode=0xffffffff81d1de80 <w_locklistdata+160624>) at /usr/src/sys/amd64/amd64/trap.c:817
#26 0xffffffff8100c72c in trap (frame=0xfffffe00d7567b00) at /usr/src/sys/amd64/amd64/trap.c:340
#27 <signal handler called>
#28 0x000000080296659a in ??
() (kgdb) frame 24 (kgdb) p *map $35 = { header = { left = 0xfffff802b72c4060, right = 0xfffff803681965a0, start = 140737488355328, end = 4096, next_read = 0, max_free = 0, object = { vm_object = 0x0, sub_map = 0x0 }, offset = 0, eflags = 524288, protection = 0 '\000', max_protection = 0 '\000', inheritance = 0 '\000', read_ahead = 0 '\000', wired_count = 0, cred = 0x0, wiring_thread = 0x0 }, lock = { lock_object = { lo_name = 0xffffffff81183cec "vm map (user)", lo_flags = 36896768, lo_data = 0, lo_witness = 0xfffff8045f575780 }, sx_lock = 1 }, system_mtx = { lock_object = { lo_name = 0xffffffff81136b96 "vm map (system)", lo_flags = 21168128, lo_data = 0, lo_witness = 0xfffff8045f575580 }, mtx_lock = 0 }, nentries = 172, size = 199905280, timestamp = 792, needs_wakeup = 0 '\000', system_map = 0 '\000', flags = 0 '\000', root = 0xfffff803686b1c00, pmap = 0xfffffe00c0f53b08, anon_loc = 34366283776, busy = 0 } (kgdb) frame 15 #15 _rw_wowned (c=0x2659c92217d5aa52) at /usr/src/sys/kern/kern_rwlock.c:270 270 return (rw_wowner(rwlock2rw(c)) == curthread); (kgdb) p/x c $14 = 0x2659c92217d5aa52 (kgdb) up #16 0xffffffff80ec23ed in vm_page_busy_acquire (m=0xfffffe00040ff9e8, allocflags=16) at /usr/src/sys/vm/vm_page.c:884 884 locked = VM_OBJECT_WOWNED(obj); (kgdb) p *m $16 = { plinks = { q = { tqe_next = 0x578491b51dd60510, tqe_prev = 0xd78c11bd9dde8518 }, s = { ss = { sle_next = 0x578491b51dd60510 } }, memguard = { p = 6306325585301210384, v = 15531808720989095192 }, uma = { slab = 0x578491b51dd60510, zone = 0xd78c11bd9dde8518 } }, listq = { tqe_next = 0xd78c11bd9dde8518, tqe_prev = 0x265bc92017d7aa38 }, object = 0x2659c92217d5aa3a, pindex = 2758957463725517354, phys_addr = 2758957463725517354, md = { pv_list = { tqh_first = 0x2e49c1321fc5a22a, tqh_last = 0x3e4bd1300fc7b228 }, pv_gen = 265794104, pat_mode = 1046204704 }, ref_count = 257405624, busy_lock = 1054593440, a = { { flags = 4757, queue = 48 '0', act_count = 134 '\206' }, _bits = 2251297429 }, order = 98 'b', pool = 
204 '\314', flags = 75 'K', oflags = 105 'i', psind = -107 '\225', segind = 18 '\022', valid = 48 '0', dirty = 134 '\206' } (kgdb) up #17 0xffffffff82b4e980 in intel_plane_can_remap (plane_state=0xfffff80315148300) at /usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/display/intel_display.c:2583 2583 if (plane->id == PLANE_CURSOR) (kgdb) p *plane_state $18 = { base = { plane = 0x0, crtc = 0x300000, fb = 0x100000, fence = 0x1b, crtc_x = 104451, crtc_y = 0, crtc_w = 734353152, crtc_h = 4294965248, src_x = 3949985792, src_y = 4294966784, src_h = 2193719064, src_w = 4294967295, alpha = 30720, pixel_blend_mode = 64271, rotation = 4294965250, zpos = 0, normalized_zpos = 0, color_encoding = DRM_COLOR_YCBCR_BT601, color_range = DRM_COLOR_YCBCR_LIMITED_RANGE, fb_damage_clips = 0x0, src = { x1 = 0, y1 = 0, x2 = 353665888, y2 = -2045 }, dst = { x1 = 1750078496, y1 = -2045, x2 = 0, y2 = 0 }, visible = false, commit = 0xffffffff82cc3370 <gem_record_fences+48>, state = 0x0 }, view = { type = I915_GGTT_VIEW_NORMAL, { partial = { offset = 0, size = 0 }, rotated = { plane = {{ width = 0, height = 0, stride = 0, offset = 0 }, { width = 0, height = 0, stride = 0, offset = 0 }} }, remapped = { plane = {{ width = 0, height = 0, stride = 0, offset = 0 }, { width = 0, height = 0, stride = 0, offset = 0 }}, unused_mbz = 0 } } }, vma = 0x0, flags = 0, color_plane = {{ offset = 0, stride = 0, x = 0, y = 0 }, { offset = 0, stride = 0, x = 0, y = 0 }}, ctl = 0, color_ctl = 0, scaler_id = 0, linked_plane = 0xfffff80315148500, slave = 353665024, ckey = { plane_id = 4294965251, min_value = 3735929054, channel_mask = 3735929054, max_value = 3735929054, flags = 3735928833 } } (kgdb) p *plane_state->linked_plane $19 = { base = { dev = 0xfffff802f50d3910, head = { next = 0xfffff80315148400, prev = 0xdeadc0dedeadc0de }, name = 0xdeadc001deadc0de <error: Cannot access memory at address 0xdeadc001deadc0de>, mutex = { mutex = { base = { sx = { lock_object = { lo_name = 
0x28274 <error: Cannot access memory at address 0x28274>, lo_flags = 5, lo_data = 0, lo_witness = 0x60 }, sx_lock = 3907697 } }, condvar = { cv_description = 0x0, cv_waiters = 50644 }, ctx = 0x3336663265336563 }, head = { next = 0x6433633439633264, prev = 0x3131623462353561 } }, base = { id = 912548663, type = 825506101, properties = 0x61632e3436656c2d, refcount = { refcount = { counter = 761620579 } }, free_cb = 0xdeadc0dedead004b }, possible_crtcs = 3735929054, format_types = 0xdeadc0dedeadc0de, format_count = 3735929054, format_default = 222, modifiers = 0xdeadc0dedeadc0de, modifier_count = 3735929054, crtc = 0xdeadc0dedeadc0de, fb = 0xdeadc0dedeadc0de, old_fb = 0xdeadc0dedeadc0de, funcs = 0xdeadc0dedeadc0de, properties = { count = -559038242, properties = {0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xffffffff825f20c0 <M_SOLARIS>, 0xdeadc0dedeadc0de <repeats 19 times>}, values = {16045693110842147038 <repeats 12 times>, 18446744071601856704, 16045693110842147038 <repeats 11 times>} }, type = (DRM_PLANE_TYPE_CURSOR | unknown: 3735929052), index = 3735929054, helper_private = 0xdeadc0dedeadc0de, state = 0xdeadc0dedeadc0de, alpha_property = 0xdeadc0dedeadc0de, zpos_property = 0xdeadc0dedeadc0de, rotation_property = 0xdeadc0dedeadc0de, blend_mode_property = 0xdeadc0dedeadc0de, color_encoding_property = 0xdeadc0dedeadc0de, color_range_property = 0xdeadc0dedeadc0de }, i9xx_plane = (PLANE_C | unknown: 3735929052), id = 3735929054, pipe = -559038242, has_fbc = 222, has_ccs = 192, frontbuffer_bit = 3735929054, cursor = { base = 3735929054, cntl = 3735929054, size = 3735929054 }, max_stride = 0xdeadc0dedeadc0de, update_plane = 0xdeadc0dedeadc0de, update_slave = 0xdeadc0dedeadc0de, disable_plane = 0xdeadc0dedeadc0de, get_hw_state = 0xdeadc0dedeadc0de, check_plane = 0xdeadc0dedeadc0de } Le lun. 
17 août 2020 à 09:03, Hans Petter Selasky <hps_at_selasky.org> a écrit : > On 2020-08-16 22:23, Alexandre Levy wrote: > > (kgdb) p *m > > $2 = {plinks = {q = {tqe_next = 0x578491b51dd60510, tqe_prev = > > 0xd78c11bd9dde8518}, s = {ss = {sle_next = 0x578491b51dd60510}}, > memguard = > > {p = 6306325585301210384, > > v = 15531808720989095192}, uma = {slab = 0x578491b51dd60510, zone > = > > 0xd78c11bd9dde8518}}, listq = {tqe_next = 0xd78c11bd9dde8518, tqe_prev = > > 0x265bc92017d7aa38}, > > object = 0x2659c92217d5aa3a, pindex = 2758957463725517354, phys_addr = > > 2758957463725517354, md = {pv_list = {tqh_first = 0x2e49c1321fc5a22a, > > tqh_last = 0x3e4bd1300fc7b228}, > > pv_gen = 265794104, pat_mode = 1046204704}, ref_count = 257405624, > > busy_lock = 1054593440, a = {{flags = 4757, queue = 48 '0', act_count = > 134 > > '\206'}, _bits = 2251297429}, > > order = 98 'b', pool = 204 '\314', flags = 75 'K', oflags = 105 'i', > > psind = -107 '\225', segind = 18 '\022', valid = 48 '0', dirty = 134 > '\206'} > > This "m" structure looks freed. > > It looks like a use after free issue. > > Can you enter this in GDB: > > set print pretty on > > Then dump some more structures you can get hold of? > > --HPS >Received on Mon Aug 17 2020 - 07:39:34 UTC