amd64/132042: drm module crash the system when closing gnome session
Olivier Cochard-Labbé
olivier at freenas.org
Wed Feb 25 10:40:05 PST 2009
The following reply was made to PR amd64/132042; it has been noted by GNATS.
From: Olivier Cochard-Labbé <olivier at freenas.org>
To: John Baldwin <jhb at freebsd.org>
Cc: freebsd-amd64 at freebsd.org, freebsd-gnats-submit at freebsd.org,
rnoland at freebsd.org
Subject: Re: amd64/132042: drm module crash the system when closing gnome
session
Date: Wed, 25 Feb 2009 19:14:38 +0100
Dear FreeBSD kernel guru,
>
>
> This is drm specific and not amd64-specific.
I know, but on the web page http://www.freebsd.org/send-pr.html, the
category selection doesn't propose "drm".
Then I chose the category related to the kernel that I'm using.
>
> Please go to frame 8 and 'p *m'. If the 'mtx_lock' member is 6, then the
> mutex is destroyed and it is a use-after-free bug in drm(4).
>
(kgdb) frame 8
#8 0xffffffff802d47aa in _mtx_lock_sleep (m=0xffffff000348a968,
tid=18446742974229954560, opts=Variable "opts" is not available.
) at /usr/src/sys/kern/kern_mutex.c:339
339 owner = (struct thread *)(v & ~MTX_FLAGMASK);
(kgdb) p *m
$1 = {lock_object = {lo_name = 0xffffffffaf198e0f "DRM IRQ lock",
lo_type = 0xffffffffaf198e0f "DRM IRQ lock", lo_flags = 16908288,
lo_witness_data = {lod_list = {stqe_next = 0x0}, lod_witness = 0x0}},
mtx_lock = 6, mtx_recurse = 0}
The mtx_lock is 6, as you predicted.
Regards,
Olivier
(reading gnu gdb documentation for understanding what "frame" and "p *m"
mean)
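
Added example, not part of the original message or of FreeBSD's source: a small C decoder for the mtx_lock word, showing why the value 6 read in frame 8 marks a destroyed mutex and why the owner computed at kern_mutex.c:339 comes out as zero. The flag values are an assumption matching the old sys/mutex.h layout in which the destroyed cookie equals 6; the enum, struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
/* Flag bits kept in the low bits of mtx_lock. Assumption: the old
 * sys/mutex.h layout, in which the destroyed cookie equals 6. */
#define MTX_RECURSED  0x1u
#define MTX_CONTESTED 0x2u
#define MTX_UNOWNED   0x4u
#define MTX_FLAGMASK  (MTX_RECURSED | MTX_CONTESTED | MTX_UNOWNED)
#define MTX_DESTROYED (MTX_CONTESTED | MTX_UNOWNED)

/* Hypothetical names for this example. */
enum mtx_state { ST_UNOWNED, ST_DESTROYED, ST_OWNED, ST_CORRUPT };
struct mtx_decoded {
    enum mtx_state state;
    uint64_t owner;          /* owning thread pointer, flag bits masked off */
    int recursed, contested;
};

/* Classify a raw mtx_lock value as printed by "p *m" in kgdb. */
struct mtx_decoded decode_mtx_lock(uint64_t v)
{
    struct mtx_decoded d;
    d.owner = v & ~(uint64_t)MTX_FLAGMASK;   /* same mask as kern_mutex.c:339 */
    d.recursed = (v & MTX_RECURSED) != 0;
    d.contested = (v & MTX_CONTESTED) != 0;
    if (v == MTX_DESTROYED)
        d.state = ST_DESTROYED;              /* mtx_destroy() already ran */
    else if (v == MTX_UNOWNED)
        d.state = ST_UNOWNED;                /* initialised and free */
    else if (d.owner != 0 && !(v & MTX_UNOWNED))
        d.state = ST_OWNED;                  /* thread pointer plus flags */
    else
        d.state = ST_CORRUPT;                /* no valid encoding */
    return d;
}

int main(void)
{
    static const char *names[] = { "unowned", "destroyed", "owned", "corrupt" };
    /* 6 is the value from the PR; the second word is constructed: the tid
     * from frame 8 with the contested bit set, as if that thread held it. */
    uint64_t samples[] = { 6, 0xffffff0001e8c000ULL | MTX_CONTESTED };
    for (int i = 0; i < 2; i++) {
        struct mtx_decoded d = decode_mtx_lock(samples[i]);
        printf("%#llx: %s owner=%#llx\n", (unsigned long long)samples[i],
               names[d.state], (unsigned long long)d.owner);
    }
    return 0;
}
```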