panic after ifioctl/if_clone_destroy

Hans Petter Selasky hps at selasky.org
Mon Aug 6 09:39:28 UTC 2018


Hi Matthew,

On 08/06/18 10:02, Hans Petter Selasky wrote:
> -		if ((tdwait = TAILQ_FIRST(&record->er_tdlist)) != NULL &&
> -		    TD_IS_RUNNING(tdwait->et_td)) {
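Review bot: only the two deleted lines of this hunk are shown, so the replacement condition is not visible; if the loop body still dereferences tdwait or tdwait->et_td after this point (TD_IS_RUNNING() reads through et_td, and the posted fault shows et_td already poisoned with 0xDEADBEEF), dropping the check relocates the unsafe read rather than removing it, and the NULL test on TAILQ_FIRST(&record->er_tdlist) must survive in whatever replaces these lines.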

At least the TD_IS_RUNNING() check is invalid. The "tdwait" structure is 
in the control of the other CPU and "tdwait->et_td" might be invalid at 
any time, so accessing any members here is not a good idea.

It is pretty clear that the epoch was exited during the loop:

         etd->et_td = (void*)0xDEADBEEF;

fault virtual address   = 0xdeadc2ff
fault code              = supervisor read data, page not present


If you remove the TD_IS_RUNNING() check I'm not sure how useful this 
loop will be ...

--HPS
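The fault in the post is the signature of reading a field through a poisoned pointer: the thread exiting the epoch stores 0xDEADBEEF into et_td, and a later TD_IS_RUNNING() on the other CPU adds the field offset to that value and faults at 0xdeadc2ff. The following is an added user-space model of that sequence and of the triage arithmetic, not code from the FreeBSD kernel or from the message; every struct and function name except et_td is a stand-in, and the 0x410 padding is chosen so the model reproduces the posted fault address, since the real struct thread layout is not on the page.

```c
/* Added example, not FreeBSD code. Models the poison-on-epoch-exit pattern
 * from the post and the "fault address minus poison = field offset" check.
 * All layouts and names other than et_td are assumptions. */
#include <stdint.h>
#include <stddef.h>

#define ET_POISON ((uintptr_t)0xDEADBEEF)   /* value stored into et_td on exit */

/* Stand-in for struct thread. The pad is an assumption sized so that the
 * state field lands 0x410 bytes in, matching 0xdeadc2ff - 0xdeadbeef. */
struct model_thread {
    char pad[0x410];
    int  td_state;                          /* what TD_IS_RUNNING() reads here */
};

/* Stand-in for the epoch tracker entry that sits on er_tdlist. */
struct model_tracker {
    struct model_thread *et_td;
};

/* The exiting thread's side: mirror of "etd->et_td = (void*)0xDEADBEEF;". */
void model_epoch_exit(struct model_tracker *etd)
{
    etd->et_td = (struct model_thread *)ET_POISON;
}

/* The scanning CPU's side: the address an unchecked TD_IS_RUNNING(tdwait->et_td)
 * would load from. Returned rather than dereferenced so the model runs safely. */
uintptr_t model_state_addr(const struct model_tracker *tdwait)
{
    return (uintptr_t)tdwait->et_td + offsetof(struct model_thread, td_state);
}

/* Full sequence: tracker points at a live thread, the thread exits the epoch
 * (poisoning et_td), then the scanner reads through the stale pointer. */
uintptr_t model_race_addr(void)
{
    struct model_thread td = { .td_state = 1 };
    struct model_tracker tdwait = { .et_td = &td };
    model_epoch_exit(&tdwait);
    return model_state_addr(&tdwait);
}

/* Triage helper: if the fault address lies within max_size bytes above the
 * poison value, return the offset that was read; otherwise return -1. */
long poison_offset(uintptr_t fault, uintptr_t poison, size_t max_size)
{
    if (fault < poison || fault - poison >= max_size)
        return -1;
    return (long)(fault - poison);
}

int main(void)
{
    uintptr_t a = model_race_addr();
    long off = poison_offset(a, ET_POISON, 4096);
    return off < 0;                         /* 0 when the fault maps onto the poison */
}
```

Applied to the panic in the post, poison_offset() turns 0xdeadc2ff into an offset of 0x410 from 0xDEADBEEF, which is the sort of check that confirms the read went through the poisoned et_td rather than some unrelated bad pointer.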

