Bug 252833

Summary: panic changing vt font with gfx-enabled EFI loader
Product: Base System
Reporter: ben
Component: kern
Assignee: Toomas Soome <tsoome>
Status: Closed FIXED
Severity: Affects Some People
CC: emaste, tsoome
Priority: ---
Keywords: crash, vt
Version: CURRENT
Hardware: amd64
OS: Any

Description ben 2021-01-19 16:32:52 UTC
After booting with the new gfx EFI loader, changing the vt font causes a panic:

--- trap 0xc, rip = 0xffffffff80b65bfd, rsp = 0xfffffe01a1c02560, rbp = 0xfffffe01a1c02590 ---
free() at free+0x4d/frame 0xfffffe01a1c02590
vt_change_font() at vt_change_font+0x19a/frame 0xfffffe01a1c025e0
vtterm_ioctl() at vtterm_ioctl+0xf30/frame 0xfffffe01a1c02630
termtty_ioctl() at termtty_ioctl+0xc5/frame 0xfffffe01a1c02680
tty_ioctl() at tty_ioctl+0x3b/frame 0xfffffe01a1c026c0

#11 0xffffffff809e5f4a in vt_change_font (vw=vw@entry=0xfffff8002888fd80, vf=0xfffff8003a286880)
    at /usr/src/sys/dev/vt/vt_core.c:1901
1901			vtfont_unref(vw->vw_font);
(kgdb) p vw->vw_font
$6 = (struct vt_font *) 0xffffffff81c50400 <vt_font_loader>

#10 0xffffffff809e73c0 in vtfont_unref (vf=<optimized out>) at /usr/src/sys/dev/vt/vt_font.c:135
135			free(vf, M_VTFONT);

FreeBSD 13.0-ALPHA1 #0 main-c256114-g5290493a200-dirty

Comment 1 Toomas Soome freebsd_committer freebsd_triage 2021-01-24 18:59:00 UTC
(In reply to ben from comment #0)
tsoome@freebsd:/usr/src % git diff
diff --git a/sys/dev/vt/vt_core.c b/sys/dev/vt/vt_core.c
index 2352ed823424..ac89d8635e78 100644
--- a/sys/dev/vt/vt_core.c
+++ b/sys/dev/vt/vt_core.c
@@ -1528,6 +1528,8 @@ parse_font_info(struct font_info *fi)
        ptr = roundup2(ptr, 8);
 
        vfp = &vt_font_loader;
+       /* This is default font, set refcount 1 to disable removal. */
+       vfp->vf_refcount = 1;
        vfp->vf_height = fi->fi_height;
        vfp->vf_width = fi->fi_width;
        for (unsigned i = 0; i < VFNT_MAPS; i++) {
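Review bot: The plain store `vfp->vf_refcount = 1;` in parse_font_info() overwrites whatever count vt_font_loader already holds, so if this function can run after a reference to the loader font has been taken, that reference is lost and a later vtfont_unref() can still drop the count to zero and reach free(vf, M_VTFONT) on this object, which is the path in the reported backtrace. Please confirm parse_font_info() runs only before any reference exists, or set the count only when it is still zero. The new comment would also help more if it stated the reason: vt_font_loader is not allocated from M_VTFONT, so it must never be released.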
tsoome@freebsd:/usr/src %

This patch should fix it.

Comment 2 commit-hook freebsd_committer freebsd_triage 2021-01-26 23:07:27 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=93ebd6307efeb95a29bc614edd0c67c2af850e98

commit 93ebd6307efeb95a29bc614edd0c67c2af850e98
Author:     Toomas Soome <tsoome@FreeBSD.org>
AuthorDate: 2021-01-24 18:59:36 +0000
Commit:     Toomas Soome <tsoome@FreeBSD.org>
CommitDate: 2021-01-26 23:07:03 +0000

    vt: panic while changing vt font

    Set refcount for loader provided font to 1 to prevent this font
    from being released (so we can reset to default).

    PR: 252833

 sys/dev/vt/vt_core.c | 2 ++
 1 file changed, 2 insertions(+)

Comment 3 commit-hook freebsd_committer freebsd_triage 2021-02-02 12:56:51 UTC
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=b79f2bc6c5c7431fa1f7c02937ec97a64653ade1

commit b79f2bc6c5c7431fa1f7c02937ec97a64653ade1
Author:     Toomas Soome <tsoome@FreeBSD.org>
AuthorDate: 2021-01-24 18:59:36 +0000
Commit:     Toomas Soome <tsoome@FreeBSD.org>
CommitDate: 2021-02-02 10:11:38 +0000

    vt: panic while changing vt font

    Set refcount for loader provided font to 1 to prevent this font
    from being released (so we can reset to default).

    As we get started with no memory allocator, we set up static font data
    for font passed by loader (if there is any). At this time, we also must
    set refcount 1, and refcount will get incremented in cnprobe() callback.

    At some point the memory allocator will be available, and we will set up
    properly allocated font data, but we should not disturb the refcount.

    PR: 252833
    PR: 253147

    (cherry picked and squashed 93ebd6307efeb95a29bc614edd0c67c2af850e98 and
    1912d2b15e6d6f4a1d8c3886b03ab30d2f21f3fd)

 sys/dev/vt/vt_core.c | 8 ++++++++
 1 file changed, 8 insertions(+)
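
The reference-counting failure described in this report, as an added user-space model that is not FreeBSD code and not part of the original thread: a statically stored default font shares a release path with heap-allocated fonts, and only a pinned base reference keeps it away from free(). `struct font`, `font_ref`, `font_unref`, `change_font_frees_static` and the two flags are hypothetical names, and the starting count of 0 with a single window reference is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; all names here are hypothetical, not the kernel's. */
struct font {
	unsigned refcount;
	bool is_static;   /* model-only: storage did not come from the allocator */
	bool bad_free;    /* model-only: release path reached a static object */
};

static struct font *font_ref(struct font *f) { f->refcount++; return f; }

/* Drop one reference; at zero the storage is released. Returns true on release. */
static bool font_unref(struct font *f)
{
	if (--f->refcount != 0)
		return false;
	if (f->is_static)
		f->bad_free = true;   /* a real kernel would pass static data to free() here */
	else
		free(f);
	return true;
}

/*
 * Start with a loader-provided font (flagged static) whose count is `initial`,
 * let one console window reference it, then switch the window to a heap font.
 * Returns true if the static font would have been handed to free().
 */
static bool change_font_frees_static(unsigned initial)
{
	struct font loader_font = { .refcount = initial, .is_static = true };
	struct font *newf = calloc(1, sizeof(*newf));
	if (newf == NULL)
		abort();
	struct font *win_font = font_ref(&loader_font); /* window takes its reference */
	font_unref(win_font);                           /* font change drops the old font */
	win_font = font_ref(newf);                      /* and installs the new one */
	bool bad = loader_font.bad_free;
	font_unref(win_font);                           /* tidy up: releases newf */
	return bad;
}

int main(void)
{
	printf("initial refcount 0: static font freed = %d\n", change_font_frees_static(0));
	printf("initial refcount 1: static font freed = %d\n", change_font_frees_static(1));
	return 0;
}
```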