Bug 214705 - Kernel panic trying to playback encrypted DVD, "Fatal trap 12: page fault while in kernel mode"
Summary: Kernel panic trying to playback encrypted DVD, "Fatal trap 12: page fault whi...
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 11.0-RELEASE
Hardware: amd64 Any
: --- Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2016-11-21 15:42 UTC by Joshua Kinard
Modified: 2019-01-23 06:12 UTC (History)
3 users (show)

See Also:
op: mfc-stable10?


Attachments
Proposed fix (485 bytes, patch)
2016-11-22 11:24 UTC, Konstantin Belousov
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Joshua Kinard 2016-11-21 15:42:13 UTC
Hi,

First FreeBSD bug, so let me know if I miss any details.

I tripped up a kernel panic in FreeBSD-11.0-RELEASE trying to test playing back a standard DVD on a laptop (HP 2000-2b19wm).  I suspect the core issue is one of two (maybe three) things:

1. Trying to use VLC to access /dev/cd0 as an unpriv user w/o fixing device permissions or adding to 'operator' group

2. Trying to use VLC to access /dev/cd0 as a raw device while it was mounted onto /media

3. DVD is encrypted and this appears to handled as-if it was damaged.  This seems similar to Bug #208275, which affected 11.0's pre-release earlier this year.

I finally got it to play, after fixing the perms for /dev/cd0 so my unpriv user could access it, and also unmounted the /media mountpoint.  Plays great thus far.

Using the binary packages for all of this, nothing from ports and nothing rolled by hand, so I am skipping the inclusion of make.conf.

Here's the crash detail, including errors from the bottom of dmesg:

(cd0:ahcich1:0:0:0): Retrying command (per sense data)
(cd0:ahcich1:0:0:0): READ(10). CDB: 28 00 00 00 01 a6 00 00 04 00
(cd0:ahcich1:0:0:0): CAM status: SCSI Status Error
(cd0:ahcich1:0:0:0): SCSI status: Check Condition
(cd0:ahcich1:0:0:0): SCSI sense: ILLEGAL REQUEST asc:6f,3 (Read of scrambled sector without authentication)
(cd0:ahcich1:0:0:0): Retrying command (per sense data)
(cd0:ahcich1:0:0:0): READ(10). CDB: 28 00 00 00 01 a6 00 00 04 00
(cd0:ahcich1:0:0:0): CAM status: SCSI Status Error
(cd0:ahcich1:0:0:0): SCSI status: Check Condition
(cd0:ahcich1:0:0:0): SCSI sense: ILLEGAL REQUEST asc:6f,3 (Read of scrambled sector without authentication)
(cd0:ahcich1:0:0:0): Error 5, Retries exhausted
(cd0:ahcich1:0:0:0): cddone: got error 0x5 back
g_vfs_done():cd0[READ(offset=864256, length=8192)]error = 5


Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 01
fault virtual address   = 0x30
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff82bc6fb3
stack pointer           = 0x28:0xfffffe0220881830
frame pointer           = 0x28:0xfffffe02208818b0
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 994 (vlc)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80b24077 at kdb_backtrace+0x67
#1 0xffffffff80ad93e2 at vpanic+0x182
#2 0xffffffff80ad9253 at panic+0x43
#3 0xffffffff80fa0d51 at trap_fatal+0x351
#4 0xffffffff80fa0f43 at trap_pfault+0x1e3
#5 0xffffffff80fa04ec at trap+0x26c
#6 0xffffffff80f84141 at calltrap+0x8
#7 0xffffffff8110b469 at VOP_READ_APV+0x89
#8 0xffffffff80bc0977 at vn_read+0x157
#9 0xffffffff80bbc18d at vn_io_fault+0x10d
#10 0xffffffff80b40df8 at dofileread+0x98
#11 0xffffffff80b40ac8 at kern_readv+0x68
#12 0xffffffff80b40a54 at sys_read+0x84
#13 0xffffffff80fa16ae at amd64_syscall+0x4ce
#14 0xffffffff80f8442b at Xfast_syscall+0xfb

---

dmesg:
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.0-RELEASE-p2 #0: Mon Oct 24 06:55:27 UTC 2016
    root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
FreeBSD clang version 3.8.0 (tags/RELEASE_380/final 262564) (based on LLVM 3.8.0)
VT(efifb): resolution 1366x768
CPU: AMD E-300 APU with Radeon(tm) HD Graphics (1297.67-MHz K8-class CPU)
  Origin="AuthenticAMD"  Id=0x500f20  Family=0x14  Model=0x2  Stepping=0
  Features=0x178bfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,MMX,FXSR,SSE,SSE2,HTT>
  Features2=0x802209<SSE3,MON,SSSE3,CX16,POPCNT>
  AMD Features=0x2e500800<SYSCALL,NX,MMX+,FFXSR,Page1GB,RDTSCP,LM>
  AMD Features2=0x35ff<LAHF,CMP,SVM,ExtAPIC,CR8,ABM,SSE4A,MAS,Prefetch,IBS,SKINIT,WDT>
  SVM: NP,NRIP,NAsids=8
  TSC: P-state invariant, performance statistics
real memory  = 8589934592 (8192 MB)
avail memory = 7842193408 (7478 MB)
Event timer "LAPIC" quality 400
ACPI APIC Table: <HPQOEM 188B    >
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
random: unblocking device.
ioapic0: Changing APIC ID to 4
ioapic0 <Version 2.1> irqs 0-23 on motherboard
random: entropy device external interface
kbd1 at kbdmux0
netmap: loaded module
module_register_init: MOD_LOAD (vesa, 0xffffffff8101c970, 0) error 19
cryptosoft0: <software crypto> on motherboard
acpi0: <HPQOEM SLIC-MPC> on motherboard
acpi0: Power Button (fixed)
cpu0: <ACPI CPU> on acpi0
cpu1: <ACPI CPU> on acpi0
hpet0: <High Precision Event Timer> iomem 0xfed00000-0xfed003ff irq 0,8 on acpi0
Timecounter "HPET" frequency 14318180 Hz quality 950
atrtc0: <AT realtime clock> port 0x70-0x71 on acpi0
Event timer "RTC" frequency 32768 Hz quality 0
attimer0: <AT timer> port 0x40-0x43 on acpi0
Timecounter "i8254" frequency 1193182 Hz quality 0
Event timer "i8254" frequency 1193182 Hz quality 100
Timecounter "ACPI-fast" frequency 3579545 Hz quality 900
acpi_timer0: <32-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
acpi_ec0: <Embedded Controller: GPE 0x3> port 0x62,0x66 on acpi0
acpi_button0: <Power Button> on acpi0
pcib0: <ACPI Host-PCI bridge> port 0xcf8-0xcff on acpi0
pcib0: _OSC returned error 0x10
pci0: <ACPI PCI bus> on pcib0
vgapci0: <VGA-compatible display> port 0x3000-0x30ff mem 0xe0000000-0xefffffff,0xf0400000-0xf043ffff irq 18 at device 1.0 on pci0
vgapci0: Boot video device
hdac0: <ATI (0x1314) HDA Controller> mem 0xf0444000-0xf0447fff irq 19 at device 1.1 on pci0
pcib1: <ACPI PCI-PCI bridge> irq 19 at device 7.0 on pci0
pcib1: [GIANT-LOCKED]
ahci0: <AMD Hudson-2 AHCI SATA controller> port 0x3118-0x311f,0x3124-0x3127,0x3110-0x3117,0x3120-0x3123,0x3100-0x310f mem 0xf044c000-0xf044c7ff irq 19 at device 17.0 on pci0
ahci0: AHCI v1.30 with 2 6Gbps ports, Port Multiplier supported
ahcich0: <AHCI channel> at channel 0 on ahci0
ahcich1: <AHCI channel> at channel 1 on ahci0
ohci0: <AMD FCH USB Controller> mem 0xf044b000-0xf044bfff irq 18 at device 18.0 on pci0
usbus0 on ohci0
ehci0: <AMD FCH USB 2.0 controller> mem 0xf044a000-0xf044a0ff irq 17 at device 18.2 on pci0
usbus1: EHCI version 1.0
usbus1 on ehci0
ohci1: <AMD FCH USB Controller> mem 0xf0449000-0xf0449fff irq 18 at device 19.0 on pci0
usbus2 on ohci1
ehci1: <AMD FCH USB 2.0 controller> mem 0xf0448000-0xf04480ff irq 17 at device 19.2 on pci0
usbus3: EHCI version 1.0
usbus3 on ehci1
hdac1: <AMD Hudson-2 HDA Controller> mem 0xf0440000-0xf0443fff irq 16 at device 20.2 on pci0
isab0: <PCI-ISA bridge> at device 20.3 on pci0
isa0: <ISA bus> on isab0
pcib2: <ACPI PCI-PCI bridge> at device 20.4 on pci0
pci1: <ACPI PCI bus> on pcib2
pcib3: <ACPI PCI-PCI bridge> at device 21.0 on pci0
pci2: <ACPI PCI bus> on pcib3
re0: <RealTek 810xE PCIe 10/100baseTX> port 0x2000-0x20ff mem 0xf0004000-0xf0004fff,0xf0000000-0xf0003fff irq 16 at device 0.0 on pci2
re0: Using 1 MSI-X message
re0: ASPM disabled
re0: Chip rev. 0x40800000
re0: MAC rev. 0x00400000
miibus0: <MII bus> on re0
rlphy0: <RTL8201E 10/100 media interface> PHY 1 on miibus0
rlphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto, auto-flow
re0: Using defaults for TSO: 65518/35/2048
re0: Ethernet address: d8:9d:67:7f:ca:7e
re0: netmap queues/slots: TX 1/256, RX 1/256
pcib4: <ACPI PCI-PCI bridge> at device 21.1 on pci0
pci3: <ACPI PCI bus> on pcib4
ath0: <Atheros AR9485> mem 0xf0200000-0xf027ffff irq 17 at device 0.0 on pci3
ar9300_attach: calling ar9300_hw_attach
ar9300_hw_attach: calling ar9300_eeprom_attach
ar9300_flash_map: unimplemented for now
Restoring Cal data from DRAM
Restoring Cal data from EEPROM
Restoring Cal data from Flash
Restoring Cal data from Flash
Restoring Cal data from OTP
ar9300_hw_attach: ar9300_eeprom_attach returned 0
ath0: [HT] enabling HT modes
ath0: [HT] enabling short-GI in 20MHz mode
ath0: [HT] 1 stream STBC receive enabled
ath0: [HT] 1 RX streams; 1 TX streams
ath0: AR9485 mac 576.1 RF5110 phy 0.0
ath0: 2GHz radio: 0x0000; 5GHz radio: 0x0000
pcib5: <ACPI PCI-PCI bridge> at device 21.2 on pci0
pci4: <ACPI PCI bus> on pcib5
pci4: <unknown> at device 0.0 (no driver attached)
amdtemp0: <AMD CPU On-Die Thermal Sensors> on hostb4
acpi_acad0: <AC Adapter> on acpi0
battery0: <ACPI Control Method Battery> on acpi0
acpi_lid0: <Control Method Lid Switch> on acpi0
acpi_tz0: <Thermal Zone> on acpi0
atkbdc0: <Keyboard controller (i8042)> port 0x60,0x64 irq 1 on acpi0
atkbd0: <AT Keyboard> irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: [GIANT-LOCKED]
psm0: model Synaptics Touchpad, device ID 3
ppc0: cannot reserve I/O port range
hwpstate0: <Cool`n'Quiet 2.0> on cpu0
ZFS filesystem version: 5
ZFS storage pool version: features support (5000)
Timecounters tick every 1.000 msec
nvme cam probe device init
hdacc0: <ATI R6xx HDA CODEC> at cad 0 on hdac0
hdaa0: <ATI R6xx Audio Function Group> at nid 1 on hdacc0
pcm0: <ATI R6xx (HDMI)> at nid 3 on hdaa0
hdacc1: <Realtek ALC269 HDA CODEC> at cad 0 on hdac1
hdaa1: <Realtek ALC269 Audio Function Group> at nid 1 on hdacc1
pcm1: <Realtek ALC269 (Analog 2.0+HP/2.0)> at nid 20,21 and 24 on hdaa1
pcm2: <Realtek ALC269 (Onboard Analog Mic)> at nid 18 on hdaa1
usbus0: 12Mbps Full Speed USB v1.0
usbus1: 480Mbps High Speed USB v2.0
ugen0.1: <AMD> at usbus0
uhub0: <AMD OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus0
ugen1.1: <AMD> at usbus1
uhub1: <AMD EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus1
usbus2: 12Mbps Full Speed USB v1.0
usbus3: 480Mbps High Speed USB v2.0
ugen2.1: <AMD> at usbus2
uhub2: <AMD OHCI root HUB, class 9/0, rev 1.00/1.00, addr 1> on usbus2
ugen3.1: <AMD> at usbus3
uhub3: <AMD EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus3
uhub0: 5 ports with 5 removable, self powered
ada0 at ahcich0 bus 0 scbus0 target 0 lun 0
ada0: <ST500LM030-1RK17D SDM1> ACS-3 ATA SATA 3.x device
ada0: Serial Number WES1J9DD
uhub2: 5 ports with 5 removable, self powered
ada0: 600.000MB/s transfers (SATA 3.x, UDMA6, PIO 8192bytes)
ada0: Command Queueing enabled
ada0: 476940MB (976773168 512 byte sectors)
cd0 at ahcich1 bus 0 scbus1 target 0 lun 0
cd0: <hp CDDVDW SN-208DB HH01> Removable CD-ROM SCSI device
cd0: Serial Number R8Y66GLD1005Z2
cd0: 150.000MB/s transfers (SATA 1.x, UDMA5, ATAPI 12bytes, PIO 8192bytes)
cd0: Attempt to query device size failed: NOT READY, Medium not present - tray open
SMP: AP CPU #1 Launched!
Timecounter "TSC" frequency 1297666607 Hz quality 800
Trying to mount root from zfs:core/env/fbsd-20161120 []...
Root mount waiting for: usbus3 usbus1
Root mount waiting for: usbus3 usbus1
uhub1: 5 ports with 5 removable, self powered
uhub3: 5 ports with 5 removable, self powered
Root mount waiting for: usbus3 usbus1
ugen3.2: <Chicony Electronics Co.,Ltd.> at usbus3
ugen0.2: <vendor 0x04f3> at usbus0
ugen0.3: <FTDI> at usbus0
Comment 1 Konstantin Belousov freebsd_committer 2016-11-21 17:12:29 UTC
Can you get a core file for the panic, and backtrace using kgdb ?  I will request additional information once I see that.
Comment 2 Joshua Kinard 2016-11-22 01:11:41 UTC
(In reply to Konstantin Belousov from comment #1)

Well, I am running GENERIC-11.0-p2, but it looks like I can only find the debug symbols from the original RELEASE kernel.  Doesn't seem that kgdb minds that, though:

# kgdb kernel.debug /var/crash/vmcore.last
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80b24077 at kdb_backtrace+0x67
#1 0xffffffff80ad93e2 at vpanic+0x182
#2 0xffffffff80ad9253 at panic+0x43
#3 0xffffffff80fa0d51 at trap_fatal+0x351
#4 0xffffffff80fa0f43 at trap_pfault+0x1e3
#5 0xffffffff80fa04ec at trap+0x26c
#6 0xffffffff80f84141 at calltrap+0x8
#7 0xffffffff8110b469 at VOP_READ_APV+0x89
#8 0xffffffff80bc0977 at vn_read+0x157
#9 0xffffffff80bbc18d at vn_io_fault+0x10d
#10 0xffffffff80b40df8 at dofileread+0x98
#11 0xffffffff80b40ac8 at kern_readv+0x68
#12 0xffffffff80b40a54 at sys_read+0x84
#13 0xffffffff80fa16ae at amd64_syscall+0x4ce
#14 0xffffffff80f8442b at Xfast_syscall+0xfb
Uptime: 6m21s
Dumping 529 out of 7743 MB:..4%..13%..22%..31%..43%..52%..61%..73%..82%..91%

Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/zfs.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/zfs.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/opensolaris.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/opensolaris.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/amdtemp.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/amdtemp.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/tmpfs.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/tmpfs.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/ums.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/ums.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/uftdi.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/uftdi.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/ucom.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/ucom.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/fdescfs.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/fdescfs.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/radeonkms.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/radeonkms.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/drm2.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/drm2.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/iicbus.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/iicbus.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/iic.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/iic.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/iicbb.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/iicbb.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/radeonkmsfw_PALM_pfp.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/radeonkmsfw_PALM_pfp.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/radeonkmsfw_PALM_me.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/radeonkmsfw_PALM_me.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/radeonkmsfw_SUMO_rlc.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/radeonkmsfw_SUMO_rlc.ko.debug
Reading symbols from /usr/obj/usr/lib/debug/boot/kernel/udf.ko.debug...done.
Loaded symbols for /usr/obj/usr/lib/debug/boot/kernel/udf.ko.debug
#0  doadump (textdump=<value optimized out>) at pcpu.h:221
221     pcpu.h: No such file or directory.
        in pcpu.h

Backtrace:
(kgdb) bt
#0  doadump (textdump=<value optimized out>) at pcpu.h:221
#1  0xffffffff80ad8e69 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:366
#2  0xffffffff80ad941b in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff80ad9253 in panic (fmt=0x0) at /usr/src/sys/kern/kern_shutdown.c:690
#4  0xffffffff80fa0d51 in trap_pfault (frame=0x0, usermode=0) at /usr/src/sys/amd64/amd64/trap.c:642
#5  0xffffffff80fa0f43 in trap_pfault (frame=0xfffffe0220881780, usermode=<value optimized out>) at /usr/src/sys/amd64/amd64/trap.c:750
#6  0xffffffff80fa04ec in trap (frame=0xfffffe0220881780) at /usr/src/sys/amd64/amd64/trap.c:576
#7  0xffffffff80f84141 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:236
#8  0xffffffff82bc6fb3 in udf_read (ap=0xfffffe0220881910) at /usr/src/sys/modules/udf/../../fs/udf/udf_vnops.c:490
#9  0xffffffff8110b469 in VOP_READ_APV (vop=<value optimized out>, a=<value optimized out>) at vnode_if.c:936
#10 0xffffffff80bc0977 in vn_read (fp=<value optimized out>, uio=0xfffffe0220881aa0, active_cred=0x800, flags=<value optimized out>, td=0x0) at vnode_if.h:384
#11 0xffffffff80bbc18d in vn_io_fault (fp=<value optimized out>, uio=<value optimized out>, active_cred=<value optimized out>, flags=0, td=<value optimized out>)
    at /usr/src/sys/kern/vfs_vnops.c:1168
#12 0xffffffff80b40df8 in dofileread (td=0xfffff800c8ecfa00, fd=<value optimized out>, fp=0xfffff801160b7780, auio=0xfffffe0220881aa0, offset=<value optimized out>,
    flags=<value optimized out>) at file.h:303
#13 0xffffffff80b40ac8 in kern_readv (td=0xfffff800c8ecfa00, fd=21, auio=0xfffffe0220881aa0) at /usr/src/sys/kern/sys_generic.c:293
#14 0xffffffff80b40a54 in sys_read (td=0x0, uap=<value optimized out>) at /usr/src/sys/kern/sys_generic.c:206
#15 0xffffffff80fa16ae in amd64_syscall (td=<value optimized out>, traced=0) at subr_syscall.c:139
#16 0xffffffff80f8442b in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:396
#17 0x0000000800dbd75a in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal


Tracing the address at the instruction pointer:
(kgdb) l *(0xffffffff82bc6fb3)
0xffffffff82bc6fb3 is in udf_read (/usr/src/sys/modules/udf/../../fs/udf/udf_vnops.c:490).
485                                     error = bread(vp, lbn, size, NOCRED, &bp);
486                             }
487                     } else {
488                             error = bread(vp, lbn, size, NOCRED, &bp);
489                     }
490                     n = min(n, size - bp->b_resid);
491                     if (error) {
492                             brelse(bp);
493                             return (error);
494                     }
(kgdb)


This code looks remarkably similar to the cd9660_read() code from #208275, just in this instance, it's in udf_read().  So my bet is udf_read needs the same fix that solved #208275 applied, to check 'bp' for NULL before attempting to dereference it and the 'min' call moved to come after the conditional.

Also maybe swap 'min()' out for 'MIN()', unless that's a local macro specific to the UDF driver.
Comment 3 Konstantin Belousov freebsd_committer 2016-11-22 11:24:27 UTC
Created attachment 177271 [details]
Proposed fix
Comment 4 Konstantin Belousov freebsd_committer 2016-11-22 11:24:51 UTC
(In reply to Joshua Kinard from comment #2)
Sure.  Please test the patch attached.
Comment 5 Joshua Kinard 2016-11-22 12:04:46 UTC
(In reply to Konstantin Belousov from comment #4)

Rolling a new GENERIC kernel now on a VM I quickly setup.

I did confirm that the panic is triggered by telling VLC to try and play the DVD as a "disc", while the DVD was mounted to /media.
Comment 6 Joshua Kinard 2016-11-22 12:44:34 UTC
Looks like the patch fixes the panic issue.  Instead of crashing the whole OS now, VLC just kinda spins the drive up and down once or twice, then stops.  Seems there's still issues in the kernel dealing with basic movie DVDs that are CSS encoded (given the CAM driver's spamming of dmesg), but the main problem here appears to be solved.
Comment 7 commit-hook freebsd_committer 2016-11-22 13:25:20 UTC
A commit references this bug:

Author: kib
Date: Tue Nov 22 13:24:57 UTC 2016
New revision: 308995
URL: https://svnweb.freebsd.org/changeset/base/308995

Log:
  On error, bread(9) zeroes buffer pointer, do not dereference it.
  See r294954 for the bread(9) change and r297401 for similar cd9660 fix.

  Reported and tested by:	Joshua Kinard <kumba@gentoo.org>
  PR:	214705
  Sponsored by:	The FreeBSD Foundation
  MFC after:	1 week

Changes:
  head/sys/fs/udf/udf_vnops.c
Comment 8 Oleksandr Tymoshenko freebsd_committer freebsd_triage 2019-01-21 19:22:55 UTC
There is a commit referencing this PR, but it's still not closed and has been inactive for some time. Closing the PR as fixed but feel free to re-open it if the issue hasn't been completely resolved.

Thanks
Comment 9 Joshua Kinard 2019-01-23 06:12:18 UTC
(In reply to Oleksandr Tymoshenko from comment #8)

All good.  The same laptop is on 12.0-RELEASE and hasn't had any problems w/ DVD playback in over a year.  Thanks!