i386 wire_count panic finally tracked down

Matthew Dillon dillon at apollo.backplane.com
Wed Sep 26 10:08:26 PDT 2012


    I may have finally tracked down the i386 wire_count panic.  I noticed
    that the pmap pointer in the last pkgbox32 crash dump doesn't seem to
    be to any process's active pmap, meaning that it is related to a process
    which had exited.

    It appears to be a race against a pmap structure being dtor'd after
    a process exit and a vm_page_protect() call on a vm_page.  In this
    situation page table pages can be removed from the pmap's VM object
    unconditionally without vm_token being held, racing against a
    vm_page_protect() occurring at the same time.

    I will commit a likely fix in the next hour.

    x86-64 does not seem to be vulnerable to this particular issue but I
    am reviewing the code.

						-Matt


