Re: panic: vm_object_madvise: page 0xfffffe0413c58630 is fictiti
On 27.11.2012 17:42, Alan Cox wrote:
> On 11/27/2012 09:06, Konstantin Belousov wrote:
>> On Tue, Nov 27, 2012 at 12:26:44PM +0100, Andre Oppermann wrote:
>>> FreeBSD bbb.ccc 10.0-CURRENT FreeBSD 10.0-CURRENT #0:
>>> Fri Nov 23 17:00:40 CET 2012
>>> aaa@bbb.ccc:/usr/obj/usr/src/head/sys/GENERIC amd64
>>>
>>> #0 doadump (textdump=-2014022336) at pcpu.h:229
>>> #1 0xffffffff8033e2d2 in db_fncall (dummy1=<value optimized out>,
>>>     dummy2=<value optimized out>,
>>>     dummy3=<value optimized out>, dummy4=<value optimized out>)
>>>     at /usr/src/head/sys/ddb/db_command.c:578
>>> #2 0xffffffff8033e074 in db_command (last_cmdp=<value optimized out>,
>>>     cmd_table=<value optimized out>, dopager=1) at
>>>     /usr/src/head/sys/ddb/db_command.c:449
>>> #3 0xffffffff8033dd62 in db_command_loop () at
>>>     /usr/src/head/sys/ddb/db_command.c:502
>>> #4 0xffffffff80340690 in db_trap (type=<value optimized out>, code=0)
>>>     at /usr/src/head/sys/ddb/db_main.c:231
>>> #5 0xffffffff808b375e in kdb_trap (type=3, code=0, tf=<value optimized out>)
>>>     at /usr/src/head/sys/kern/subr_kdb.c:654
>>> #6 0xffffffff80bfc71a in trap (frame=0xffffff8487f478a0)
>>>     at /usr/src/head/sys/amd64/amd64/trap.c:579
>>> #7 0xffffffff80be65b2 in calltrap () at /tmp/exception-3nQ6Cf.s:179
>>> #8 0xffffffff808b2f5e in kdb_enter (why=0xffffffff80e5e23b "panic",
>>>     msg=<value optimized out>)
>>>     at cpufunc.h:63
>>> #9 0xffffffff8088086f in panic (fmt=<value optimized out>)
>>>     at /usr/src/head/sys/kern/kern_shutdown.c:628
>>> #10 0xffffffff80adea4a in vm_object_madvise (object=<value optimized out>,
>>>     pindex=<value optimized out>, end=8952, advise=<value optimized out>)
>>>     at /usr/src/head/sys/vm/vm_object.c:1101
>>> #11 0xffffffff80ad759a in vm_map_madvise (map=0xfffffe0018260188,
>>>     start=<value optimized out>,
>>>     end=<value optimized out>, behav=5) at
>>>     /usr/src/head/sys/vm/vm_map.c:2140
>>> #12 0xffffffff80adbd8d in sys_madvise (td=<value optimized out>,
>>>     uap=<value optimized out>)
>>>     at /usr/src/head/sys/vm/vm_mmap.c:752
>>> #13 0xffffffff80bfd3a5 in amd64_syscall (td=0xfffffe0018230000,
>>>     traced=0) at subr_syscall.c:135
>>> #14 0xffffffff80be689b in Xfast_syscall () at /tmp/exception-3nQ6Cf.s:329
>>> #15 0x00000000016f3bfa in ?? ()
>> I think this is an omission in the check for the object types. BTW, this
>> pattern already repeats in several places, I thought about adding either
>> new pager method, like boolean_t vm_pager_is_pageable(), or just a flag
>> fields to the struct vm_pager to classify the vm objects.
>
>
> A fictitious page should always have a non-zero wire count. In fact, it
> should always be one and never change. (See vm_page_unwire().) In
> vm_object_madvise(), there is a check against the page's wire count that
> precedes the KASSERT(). This check should prevent the KASSERT() from
> being reached for the various device-backed object types. So, something
> else has gone wrong here, or rather something has gone wrong elsewhere
> that caused the KASSERT() failure here.
>
> Andre, can we see the contents of the offending struct vm_page and also
> the struct vm_object to which the offending page belongs to? Also, are
> you running a kernel with any experimental zero-copy send support?

No experimental zero-copy support, or anything else, just a stock GENERIC kernel.

(kgdb) frame 11
#11 0xffffffff80ad759a in vm_map_madvise (map=0xfffffe0018260188, start=<value optimized out>,
  end=<value optimized out>, behav=5) at /usr/src/head/sys/vm/vm_map.c:2140
2140 vm_object_madvise(current->object.vm_object, pstart,
(kgdb) p *map
$1 = {header = {prev = 0xfffffe025631c438, next = 0xfffffe0248f119d8, left = 0x0, right = 0x0,
  start = 4096, end = 140737488355328, avail_ssize = 0, adj_free = 0, max_free = 0, object = {
  vm_object = 0x0, sub_map = 0x0}, offset = 0, eflags = 0, protection = 0 '\0',
  max_protection = 0 '\0', inheritance = 0 '\0', read_ahead = 0 '\0', wired_count = 0,
  next_read = 0, cred = 0x0}, lock = {lock_object = {
  lo_name = 0xffffffff80e66905 "vm map (user)", lo_flags = 36896768, lo_data = 0,
  lo_witness = 0xffffff80006c9700}, sx_lock = 17}, system_mtx = {lock_object = {
  lo_name = 0xffffffff80e668d7 "vm map (system)", lo_flags = 21168128, lo_data = 0,
  lo_witness = 0xffffff80006c9500}, mtx_lock = 4}, nentries = 32, size = 64647168,
  timestamp = 52, needs_wakeup = 0 '\0', system_map = 0 '\0', flags = 0 '\0',
  root = 0xfffffe02560a6258, pmap = 0xfffffe00182602b8, busy = 0}
(kgdb) p* map->pmap
$6 = {pm_mtx = {lock_object = {lo_name = 0xffffffff80e66934 "pmap", lo_flags = 21168128,
  lo_data = 0, lo_witness = 0xffffff80006c9900}, mtx_lock = 4}, pm_pml4 = 0xfffffe0256458000,
  pm_pvchunk = {tqh_first = 0xfffffe0256142000, tqh_last = 0xfffffe025644c008}, pm_active = {
  __bits = {1}}, pm_stats = {resident_count = 12683, wired_count = 0},
  pm_root = 0xfffffe041289e040}
(kgdb) p* map->root
$7 = {prev = 0xfffffe0018ed0708, next = 0xfffffe02560a6870, left = 0xfffffe0018ed0708,
  right = 0xfffffe02560a6870, start = 34393292800, end = 34431041536, avail_ssize = 0,
  adj_free = 140703057047552, max_free = 140703057047552, object = {
  vm_object = 0xfffffe0256484570, sub_map = 0xfffffe0256484570}, offset = 1810432, eflags = 0,
  protection = 3 '\003', max_protection = 7 '\a', inheritance = 1 '\001', read_ahead = 15 '\017',
  wired_count = 0, next_read = 0, cred = 0x0}
(kgdb) p *current
$2 = {prev = 0xfffffe025631c438, next = 0xfffffe0248f119d8, left = 0x0, right = 0x0, start = 4096,
  end = 140737488355328, avail_ssize = 0, adj_free = 0, max_free = 0, object = {vm_object = 0x0,
  sub_map = 0x0}, offset = 0, eflags = 0, protection = 0 '\0', max_protection = 0 '\0',
  inheritance = 0 '\0', read_ahead = 0 '\0', wired_count = 0, next_read = 0, cred = 0x0}
(kgdb) p *entry
$3 = {prev = 0xfffffe0018ed0708, next = 0xfffffe02560a6870, left = 0xfffffe0018ed0708,
  right = 0xfffffe02560a6870, start = 34393292800, end = 34431041536, avail_ssize = 0,
  adj_free = 140703057047552, max_free = 140703057047552, object = {
  vm_object = 0xfffffe0256484570, sub_map = 0xfffffe0256484570}, offset = 1810432, eflags = 0,
  protection = 3 '\003', max_protection = 7 '\a', inheritance = 1 '\001', read_ahead = 15 '\017',
  wired_count = 0, next_read = 0, cred = 0x0}
(kgdb) p *entry->object.vm_object
$4 = {mtx = {lock_object = {lo_name = 0xffffffff80e66913 "vm object", lo_flags = 21168128,
  lo_data = 0, lo_witness = 0xffffff80006cdd00}, mtx_lock = 18446741875091243008},
  object_list = {tqe_next = 0xfffffe0248ffb910, tqe_prev = 0xfffffe025618e020}, shadow_head = {
  lh_first = 0x0}, shadow_list = {le_next = 0x0, le_prev = 0x0}, memq = {
  tqh_first = 0xfffffe0413891880, tqh_last = 0xfffffe0413a3a570}, root = 0xfffffe0413c58630,
  size = 9658, generation = 1, ref_count = 1, shadow_count = 0, memattr = 6 '\006', type = 0 '\0',
  flags = 12288, pg_color = 7750, paging_in_progress = 0, resident_page_count = 7650,
  backing_object = 0x0, backing_object_offset = 0, pager_object_list = {tqe_next = 0x0,
  tqe_prev = 0x0}, rvq = {lh_first = 0xfffffe0400ff07c0}, cache = 0x0, handle = 0x0, un_pager = {
  vnp = {vnp_size = 0, writemappings = 0}, devp = {devp_pglist = {tqh_first = 0x0,
  tqh_last = 0x0}, ops = 0x0}, sgp = {sgp_pglist = {tqh_first = 0x0, tqh_last = 0x0}},
  swp = {swp_bcount = 0}}, cred = 0xfffffe0018244c00, charge = 39559168}
(kgdb) p *entry->object.sub_map
$5 = {header = {prev = 0xffffffff80e66913, next = 0x1430000, left = 0xffffff80006cdd00,
  right = 0xfffffe0018230000, start = 18446741884500949264, end = 18446741884720701472,
  avail_ssize = 0, adj_free = 0, max_free = 0, object = {vm_object = 0xfffffe0413891880,
  sub_map = 0xfffffe0413891880}, offset = -2181513894544, eflags = 331712048,
  protection = 4 '\004', max_protection = 254 'þ', inheritance = -1 'ÿ', read_ahead = 255 'ÿ',
  wired_count = 9658, next_read = 4294967297, cred = 0x3000000600000000}, lock = {lock_object = {
  lo_name = 0x1e46 <Address 0x1e46 out of bounds>, lo_flags = 7650, lo_data = 0,
  lo_witness = 0x0}, sx_lock = 0}, system_mtx = {lock_object = {lo_name = 0x0, lo_flags = 0,
  lo_data = 0, lo_witness = 0xfffffe0400ff07c0}, mtx_lock = 0}, nentries = 0, size = 0,
  timestamp = 0, needs_wakeup = 0 '\0', system_map = 0 '\0', flags = 0 '\0', root = 0x0,
  pmap = 0xfffffe0018244c00, busy = 39559168}
(kgdb) p *entry->object.sub_map->pmap
$8 = {pm_mtx = {lock_object = {lo_name = 0x3e900000114 <Address 0x3e900000114 out of bounds>,
  lo_flags = 1001, lo_data = 1001, lo_witness = 0x3e900000003}, mtx_lock = 1001},
  pm_pml4 = 0xfffffe0018e53c00, pm_pvchunk = {tqh_first = 0xfffffe0018e53c00,
  tqh_last = 0xffffffff811e74a0}, pm_active = {__bits = {-2198902153216}}, pm_stats = {
  resident_count = 0, wired_count = 0}, pm_root = 0x0}

-- 
Andre

> (Kostik, by the way, I would be happy to see attribute flags added to
> the vm object to take the place of the type checks.)
>
>
>> I am curious, what was the process which caused the panic ?
>>
>> diff --git a/sys/vm/vm_object.c b/sys/vm/vm_object.c
>> index e19750c..5b8ed23 100644
>> --- a/sys/vm/vm_object.c
>> +++ b/sys/vm/vm_object.c
>> @@ -1060,7 +1060,10 @@ shadowlookup:
>> (tobject->flags & OBJ_ONEMAPPING) =3D=3D 0) {
>> goto unlock_tobject;
>> }
>> - } else if (tobject->type =3D=3D OBJT_PHYS)
>> + } else if (tobject->type =3D=3D OBJT_PHYS ||
>> + tobject->type =3D=3D OBJT_SG ||
>> + tobject->type =3D=3D OBJT_MGTDEVICE ||
>> + tobject->type =3D=3D OBJT_DEVICE)
>> goto unlock_tobject;
>> m =3D vm_page_lookup(tobject, tpindex);
>> if (m =3D=3D NULL && advise =3D=3D MADV_WILLNEED) {
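
Review bot: The widened type test on tobject (OBJT_PHYS plus OBJT_SG, OBJT_MGTDEVICE and OBJT_DEVICE) would not skip the object in this report. The kgdb dump of entry->object.vm_object shows type = 0 (OBJT_DEFAULT) and backing_object = 0x0, with root = 0xfffffe0413c58630, the page named in the panic, so none of the four comparisons match and vm_page_lookup() is still reached. Before committing this as the fix, find out how a fictitious page ended up in an object of that type; Alan's wire-count argument also points at a cause outside this branch. If the check is kept as hardening, put the four-way comparison behind one helper or an object attribute flag, as proposed in the thread, so the call sites that repeat this pattern cannot drift apart.
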
>
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"