[Bug 213856] Fatal trap12: page fault while in kernel mode; Supervisor read data, page not present

Sat Nov 5 22:07:21 UTC 2016

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=213856

--- Comment #13 from Mark Johnston <markj at FreeBSD.org> ---
In both cases, we crashed in bucket_drain() when resetting bucket->ub_cnt to 0:

   0xffffffff80e17d90 <+256>:   movslq %r13d,%r13
   0xffffffff80e17d93 <+259>:   mov    0x18(%rbx,%r13,8),%rdi
   0xffffffff80e17d98 <+264>:   mov    0x10c(%r14),%esi
   0xffffffff80e17d9f <+271>:   callq  *0xe8(%r14)
   0xffffffff80e17da6 <+278>:   inc    %r13d
   0xffffffff80e17da9 <+281>:   movswl 0x10(%rbx),%eax
   0xffffffff80e17dad <+285>:   cmp    %eax,%r13d
   0xffffffff80e17db0 <+288>:   jl     0xffffffff80e17d90
<bucket_cache_drain+256>
   0xffffffff80e17db2 <+290>:   mov    0x100(%r14),%rdi
   0xffffffff80e17db9 <+297>:   movswl %ax,%edx
   0xffffffff80e17dbc <+300>:   mov    %r12,%rsi
   0xffffffff80e17dbf <+303>:   callq  *0xf8(%r14)
   0xffffffff80e17dc6 <+310>:   movw   $0x0,0x10(%rbx) <--

rbx is a callee-saved register that is dereferenced after every call to
uz_fini,
so it seems as though the uz_release function for the zone is somehow
corrupting
its frame. Because this is happening in the context of uma_reclaim(), we know
that this can't be a cache zone, so uz_release is zone_release().

-- 
You are receiving this mail because:
You are the assignee for the bug.