Kernel crash during video transcoding
Alexandre Levy
a13xlevy at gmail.com
Mon Aug 17 09:39:35 UTC 2020
For reference, the backtrace is below; further down are the structures I
could access and print in kgdb:
#0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:394
#2 0xffffffff8049c26a in db_dump (dummy=<optimized out>,
dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at
/usr/src/sys/ddb/db_command.c:575
#3 0xffffffff8049c02c in db_command (last_cmdp=<optimized out>,
cmd_table=<optimized out>, dopager=1) at /usr/src/sys/ddb/db_command.c:482
#4 0xffffffff8049bd9d in db_command_loop () at
/usr/src/sys/ddb/db_command.c:535
#5 0xffffffff8049f048 in db_trap (type=<optimized out>, code=<optimized
out>) at /usr/src/sys/ddb/db_main.c:270
#6 0xffffffff80c1b374 in kdb_trap (type=3, code=0, tf=<optimized out>) at
/usr/src/sys/kern/subr_kdb.c:699
#7 0xffffffff8100ca98 in trap (frame=0xfffffe00d7567300) at
/usr/src/sys/amd64/amd64/trap.c:576
#8 <signal handler called>
#9 kdb_enter (why=0xffffffff811d5de0 "panic", msg=<optimized out>) at
/usr/src/sys/kern/subr_kdb.c:486
#10 0xffffffff80bd00be in vpanic (fmt=<optimized out>, ap=<optimized out>)
at /usr/src/sys/kern/kern_shutdown.c:902
#11 0xffffffff80bcfe53 in panic (fmt=0xffffffff81c8c7c8 <cnputs_mtx>
"\b\214\031\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:839
#12 0xffffffff8100cee7 in trap_fatal (frame=0xfffffe00d7567600, eva=0) at
/usr/src/sys/amd64/amd64/trap.c:915
#13 0xffffffff8100c360 in trap (frame=0xfffffe00d7567600) at
/usr/src/sys/amd64/amd64/trap.c:212
#14 <signal handler called>
#15 _rw_wowned (c=0x2659c92217d5aa52) at /usr/src/sys/kern/kern_rwlock.c:270
#16 0xffffffff80ec23ed in vm_page_busy_acquire (m=0xfffffe00040ff9e8,
allocflags=16) at /usr/src/sys/vm/vm_page.c:884
#17 0xffffffff82b4e980 in intel_plane_can_remap
(plane_state=0xfffff80315148300)
at
/usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/display/intel_display.c:2583
#18 0xffffffff82be1c5f in skl_ddb_get_pipe_allocation_limits (dev_priv=0x0,
cstate=0x1, total_data_rate=18446735292251509792, ddb=0xfffff80368501438,
alloc=0xfffff80315148300,
num_active=0xfffffe00eb0b6c58) at
/usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/intel_pm.c:3928
#19 0xffffffff82cb5ddf in ?? () at
/usr/src/sys/compat/linuxkpi/common/include/linux/kref.h:68 from
/boot/modules/i915kms.ko
#20 0xffffffff80ea9e8f in vm_pager_populate (object=0x2659c92217d5aa52,
pidx=18446741874754451944, fault_type=0, max_prot=0 '\000',
first=<optimized out>, last=<optimized out>)
at /usr/src/sys/vm/vm_pager.h:172
#21 vm_fault_populate (fs=<optimized out>) at /usr/src/sys/vm/vm_fault.c:444
#22 vm_fault_allocate (fs=<optimized out>) at
/usr/src/sys/vm/vm_fault.c:1028
#23 vm_fault (map=<optimized out>, vaddr=<optimized out>,
fault_type=<optimized out>, fault_flags=<optimized out>, m_hold=<optimized
out>) at /usr/src/sys/vm/vm_fault.c:1338
#24 0xffffffff80ea98ee in vm_fault_trap (map=0xfffffe00c0f539e8,
vaddr=<optimized out>, fault_type=<optimized out>, fault_flags=0,
signo=0xfffffe00d7567ac4,
ucode=0xfffffe00d7567ac0) at /usr/src/sys/vm/vm_fault.c:585
#25 0xffffffff8100d0de in trap_pfault (frame=0xfffffe00d7567b00,
usermode=<optimized out>, signo=<optimized out>, ucode=0xffffffff81d1de80
<w_locklistdata+160624>)
at /usr/src/sys/amd64/amd64/trap.c:817
#26 0xffffffff8100c72c in trap (frame=0xfffffe00d7567b00) at
/usr/src/sys/amd64/amd64/trap.c:340
#27 <signal handler called>
#28 0x000000080296659a in ?? ()
(kgdb) frame 24
(kgdb) p *map
$35 = {
header = {
left = 0xfffff802b72c4060,
right = 0xfffff803681965a0,
start = 140737488355328,
end = 4096,
next_read = 0,
max_free = 0,
object = {
vm_object = 0x0,
sub_map = 0x0
},
offset = 0,
eflags = 524288,
protection = 0 '\000',
max_protection = 0 '\000',
inheritance = 0 '\000',
read_ahead = 0 '\000',
wired_count = 0,
cred = 0x0,
wiring_thread = 0x0
},
lock = {
lock_object = {
lo_name = 0xffffffff81183cec "vm map (user)",
lo_flags = 36896768,
lo_data = 0,
lo_witness = 0xfffff8045f575780
},
sx_lock = 1
},
system_mtx = {
lock_object = {
lo_name = 0xffffffff81136b96 "vm map (system)",
lo_flags = 21168128,
lo_data = 0,
lo_witness = 0xfffff8045f575580
},
mtx_lock = 0
},
nentries = 172,
size = 199905280,
timestamp = 792,
needs_wakeup = 0 '\000',
system_map = 0 '\000',
flags = 0 '\000',
root = 0xfffff803686b1c00,
pmap = 0xfffffe00c0f53b08,
anon_loc = 34366283776,
busy = 0
}
(kgdb) frame 15
#15 _rw_wowned (c=0x2659c92217d5aa52) at /usr/src/sys/kern/kern_rwlock.c:270
270 return (rw_wowner(rwlock2rw(c)) == curthread);
(kgdb) p/x c
$14 = 0x2659c92217d5aa52
(kgdb) up
#16 0xffffffff80ec23ed in vm_page_busy_acquire (m=0xfffffe00040ff9e8,
allocflags=16) at /usr/src/sys/vm/vm_page.c:884
884 locked = VM_OBJECT_WOWNED(obj);
(kgdb) p *m
$16 = {
plinks = {
q = {
tqe_next = 0x578491b51dd60510,
tqe_prev = 0xd78c11bd9dde8518
},
s = {
ss = {
sle_next = 0x578491b51dd60510
}
},
memguard = {
p = 6306325585301210384,
v = 15531808720989095192
},
uma = {
slab = 0x578491b51dd60510,
zone = 0xd78c11bd9dde8518
}
},
listq = {
tqe_next = 0xd78c11bd9dde8518,
tqe_prev = 0x265bc92017d7aa38
},
object = 0x2659c92217d5aa3a,
pindex = 2758957463725517354,
phys_addr = 2758957463725517354,
md = {
pv_list = {
tqh_first = 0x2e49c1321fc5a22a,
tqh_last = 0x3e4bd1300fc7b228
},
pv_gen = 265794104,
pat_mode = 1046204704
},
ref_count = 257405624,
busy_lock = 1054593440,
a = {
{
flags = 4757,
queue = 48 '0',
act_count = 134 '\206'
},
_bits = 2251297429
},
order = 98 'b',
pool = 204 '\314',
flags = 75 'K',
oflags = 105 'i',
psind = -107 '\225',
segind = 18 '\022',
valid = 48 '0',
dirty = 134 '\206'
}
(kgdb) up
#17 0xffffffff82b4e980 in intel_plane_can_remap
(plane_state=0xfffff80315148300)
at
/usr/ports/graphics/drm-devel-kmod/work/drm-kmod-drm_v5.3_4/drivers/gpu/drm/i915/display/intel_display.c:2583
2583 if (plane->id == PLANE_CURSOR)
(kgdb) p *plane_state
$18 = {
base = {
plane = 0x0,
crtc = 0x300000,
fb = 0x100000,
fence = 0x1b,
crtc_x = 104451,
crtc_y = 0,
crtc_w = 734353152,
crtc_h = 4294965248,
src_x = 3949985792,
src_y = 4294966784,
src_h = 2193719064,
src_w = 4294967295,
alpha = 30720,
pixel_blend_mode = 64271,
rotation = 4294965250,
zpos = 0,
normalized_zpos = 0,
color_encoding = DRM_COLOR_YCBCR_BT601,
color_range = DRM_COLOR_YCBCR_LIMITED_RANGE,
fb_damage_clips = 0x0,
src = {
x1 = 0,
y1 = 0,
x2 = 353665888,
y2 = -2045
},
dst = {
x1 = 1750078496,
y1 = -2045,
x2 = 0,
y2 = 0
},
visible = false,
commit = 0xffffffff82cc3370 <gem_record_fences+48>,
state = 0x0
},
view = {
type = I915_GGTT_VIEW_NORMAL,
{
partial = {
offset = 0,
size = 0
},
rotated = {
plane = {{
width = 0,
height = 0,
stride = 0,
offset = 0
}, {
width = 0,
height = 0,
stride = 0,
offset = 0
}}
},
remapped = {
plane = {{
width = 0,
height = 0,
stride = 0,
offset = 0
}, {
width = 0,
height = 0,
stride = 0,
offset = 0
}},
unused_mbz = 0
}
}
},
vma = 0x0,
flags = 0,
color_plane = {{
offset = 0,
stride = 0,
x = 0,
y = 0
}, {
offset = 0,
stride = 0,
x = 0,
y = 0
}},
ctl = 0,
color_ctl = 0,
scaler_id = 0,
linked_plane = 0xfffff80315148500,
slave = 353665024,
ckey = {
plane_id = 4294965251,
min_value = 3735929054,
channel_mask = 3735929054,
max_value = 3735929054,
flags = 3735928833
}
}
(kgdb) p *plane_state->linked_plane
$19 = {
base = {
dev = 0xfffff802f50d3910,
head = {
next = 0xfffff80315148400,
prev = 0xdeadc0dedeadc0de
},
name = 0xdeadc001deadc0de <error: Cannot access memory at address
0xdeadc001deadc0de>,
mutex = {
mutex = {
base = {
sx = {
lock_object = {
lo_name = 0x28274 <error: Cannot access memory at address
0x28274>,
lo_flags = 5,
lo_data = 0,
lo_witness = 0x60
},
sx_lock = 3907697
}
},
condvar = {
cv_description = 0x0,
cv_waiters = 50644
},
ctx = 0x3336663265336563
},
head = {
next = 0x6433633439633264,
prev = 0x3131623462353561
}
},
base = {
id = 912548663,
type = 825506101,
properties = 0x61632e3436656c2d,
refcount = {
refcount = {
counter = 761620579
}
},
free_cb = 0xdeadc0dedead004b
},
possible_crtcs = 3735929054,
format_types = 0xdeadc0dedeadc0de,
format_count = 3735929054,
format_default = 222,
modifiers = 0xdeadc0dedeadc0de,
modifier_count = 3735929054,
crtc = 0xdeadc0dedeadc0de,
fb = 0xdeadc0dedeadc0de,
old_fb = 0xdeadc0dedeadc0de,
funcs = 0xdeadc0dedeadc0de,
properties = {
count = -559038242,
properties = {0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de,
0xdeadc0dedeadc0de, 0xdeadc0dedeadc0de, 0xffffffff825f20c0 <M_SOLARIS>,
0xdeadc0dedeadc0de <repeats 19 times>},
values = {16045693110842147038 <repeats 12 times>,
18446744071601856704, 16045693110842147038 <repeats 11 times>}
},
type = (DRM_PLANE_TYPE_CURSOR | unknown: 3735929052),
index = 3735929054,
helper_private = 0xdeadc0dedeadc0de,
state = 0xdeadc0dedeadc0de,
alpha_property = 0xdeadc0dedeadc0de,
zpos_property = 0xdeadc0dedeadc0de,
rotation_property = 0xdeadc0dedeadc0de,
blend_mode_property = 0xdeadc0dedeadc0de,
color_encoding_property = 0xdeadc0dedeadc0de,
color_range_property = 0xdeadc0dedeadc0de
},
i9xx_plane = (PLANE_C | unknown: 3735929052),
id = 3735929054,
pipe = -559038242,
has_fbc = 222,
has_ccs = 192,
frontbuffer_bit = 3735929054,
cursor = {
base = 3735929054,
cntl = 3735929054,
size = 3735929054
},
max_stride = 0xdeadc0dedeadc0de,
update_plane = 0xdeadc0dedeadc0de,
update_slave = 0xdeadc0dedeadc0de,
disable_plane = 0xdeadc0dedeadc0de,
get_hw_state = 0xdeadc0dedeadc0de,
check_plane = 0xdeadc0dedeadc0de
}
Le lun. 17 août 2020 à 09:03, Hans Petter Selasky <hps at selasky.org> a
écrit :
> On 2020-08-16 22:23, Alexandre Levy wrote:
> > (kgdb) p *m
> > $2 = {plinks = {q = {tqe_next = 0x578491b51dd60510, tqe_prev =
> > 0xd78c11bd9dde8518}, s = {ss = {sle_next = 0x578491b51dd60510}},
> memguard =
> > {p = 6306325585301210384,
> > v = 15531808720989095192}, uma = {slab = 0x578491b51dd60510, zone
> =
> > 0xd78c11bd9dde8518}}, listq = {tqe_next = 0xd78c11bd9dde8518, tqe_prev =
> > 0x265bc92017d7aa38},
> > object = 0x2659c92217d5aa3a, pindex = 2758957463725517354, phys_addr =
> > 2758957463725517354, md = {pv_list = {tqh_first = 0x2e49c1321fc5a22a,
> > tqh_last = 0x3e4bd1300fc7b228},
> > pv_gen = 265794104, pat_mode = 1046204704}, ref_count = 257405624,
> > busy_lock = 1054593440, a = {{flags = 4757, queue = 48 '0', act_count =
> 134
> > '\206'}, _bits = 2251297429},
> > order = 98 'b', pool = 204 '\314', flags = 75 'K', oflags = 105 'i',
> > psind = -107 '\225', segind = 18 '\022', valid = 48 '0', dirty = 134
> '\206'}
>
> This "m" structure looks freed.
>
> It looks like a use-after-free issue.
>
> Can you enter this in GDB:
>
> set print pretty on
>
> Then dump some more structures you can get hold of?
>
> --HPS
>