Date: Wed, 09 Dec 2009 20:59:23 +0000
From: Thomas Hurst <tom@hur.st>
Reply-To: Thomas Hurst <tom@hur.st>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Xen: gstat exit causes kernel panic from unmanaged virtual address
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         141328
>Category:       kern
>Synopsis:       [xen] [panic] gstat exit causes kernel panic from unmanaged virtual address
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-xen
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 09 21:40:01 UTC 2009
>Closed-Date:    Thu Jan 06 23:03:12 UTC 2011
>Last-Modified:  Thu Jan 06 23:03:12 UTC 2011
>Originator:     Thomas Hurst
>Release:        FreeBSD 8.0-STABLE
>Organization:
>Environment:
System: FreeBSD mzu.aagh.net 8.0-STABLE FreeBSD 8.0-STABLE #0: Wed Dec  9 19:59:29 GMT 2009     root@mzu.aagh.net:/usr/obj/usr/src/sys/MZU_XEN  i386

Dom0 is 64bit Debian Lenny (stable) running Xen 3.2.1. VM is paravirtualized.

>Description:
	Under Xen paravirtualisation, running and then exiting gstat results in
	the following error and kernel panic:

va=0x2823f000 is unmanaged :-( pte=0x80000007062d0025


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x21:0xc0329faa
stack pointer           = 0x29:0xe4b9bb10
frame pointer           = 0x29:0xe4b9bb24
code segment            = base 0x0, limit 0xf9800, type 0x1b
                        = DPL 1, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 726 (gstat)
[thread pid 726 tid 100051 ]
Stopped at      pmap_mapdev+0x25a:      movl    0x4(%ebx),%edx

Tracing pid 726 tid 100051 td 0xc3839d80
pmap_mapdev(c08be6cc,80,62d0025,80000007,0,...) at pmap_mapdev+0x25a
pmap_remove_all(e4b9bb90,7,0,2823d000,0,...) at pmap_remove_all+0x51e
pmap_remove(c3438288,2823f000,28242000,9,0,...) at pmap_remove+0x2a3
vm_map_delete(c34381d8,1000,bf800000,1,c34381d8,...) at vm_map_delete+0x189
vm_map_remove(c34381d8,1000,bf800000,c35b9540,0,...) at vm_map_remove+0x51
vmspace_exit(c3839d80,c381faa0,3,e4b9bc74,0,...) at vmspace_exit+0xbe
exit1(c3839d80,0,e4b9bd3c,c0334455,c3839d80,...) at exit1+0x663
sys_exit(c3839d80,e4b9bd08,4,c,c,...) at sys_exit+0x1d
syscall(e4b9bd48) at syscall+0x325
Xint0x80_syscall() at Xint0x80_syscall+0x22
--- syscall (1, FreeBSD ELF32, sys_exit), eip = 0x2818d0af, esp = 0xbf7fe9bc, ebp = 0xbf7fe9c8 ---

	I guess this is related to it mmapping /dev/devstat via geom_stats_*().
	procstat -v shows the address is indeed mapped:

  PID      START        END PRT  RES PRES REF SHD FL TP PATH
  822  0x8048000  0x804c000 r-x    4    0   1   0 CN vn /usr/sbin/gstat
  822  0x804c000  0x8100000 rw-    1    0   1   0 -- df 
  822 0x2804c000 0x2807c000 r-x   43    0  50  24 CN vn /libexec/ld-elf.so.1
  822 0x2807c000 0x2807e000 rw-    2    0   1   0 C- vn /libexec/ld-elf.so.1
  822 0x2807e000 0x28091000 rw-   13    0   1   0 -- df 
  822 0x28091000 0x28095000 r-x    4    5   2   1 CN vn /lib/libdevstat.so.7
  822 0x28095000 0x28096000 rw-    1    0   1   0 C- vn /lib/libdevstat.so.7
  822 0x28096000 0x2809e000 r-x    8    8   2   1 CN vn /lib/libkvm.so.5
  822 0x2809e000 0x2809f000 rw-    1    0   1   0 C- vn /lib/libkvm.so.5
  822 0x2809f000 0x280a3000 r-x    4    4   2   1 CN vn /lib/libgeom.so.5
  822 0x280a3000 0x280a4000 rw-    1    0   1   0 C- vn /lib/libgeom.so.5
  822 0x280a4000 0x280c1000 r-x   29   30   2   1 CN vn /lib/libbsdxml.so.4
  822 0x280c1000 0x280c3000 rw-    2    0   1   0 C- vn /lib/libbsdxml.so.4
  822 0x280c3000 0x280c5000 r-x    2    2   2   1 CN vn /lib/libsbuf.so.5
  822 0x280c5000 0x280c6000 rw-    1    0   1   0 C- vn /lib/libsbuf.so.5
  822 0x280c6000 0x280da000 r-x   20    0   6   3 CN vn /lib/libedit.so.7
  822 0x280da000 0x280db000 rw-    1    0   1   0 C- vn /lib/libedit.so.7
  822 0x280db000 0x28118000 r-x   60    0  10   5 CN vn /lib/libncurses.so.8
  822 0x28118000 0x2811b000 rw-    3    0   1   0 C- vn /lib/libncurses.so.8
  822 0x2811b000 0x28217000 r-x   98    0  50  24 CN vn /lib/libc.so.7
  822 0x28217000 0x2821d000 rw-    6    0   1   0 C- vn /lib/libc.so.7
  822 0x2821d000 0x28233000 rw-    7    0   1   0 -- df 
  822 0x28233000 0x2823c000 rw-    2    0   2   0 -- df 
  822 0x2823c000 0x2823d000 r--    0    0   3   0 -- dv 
  822 0x2823d000 0x2823f000 r--    0    0   3   0 -- dv 
==>  822 0x2823f000 0x28242000 r--    3    0   3   0 -- dv 
  822 0x28300000 0x28400000 rw-   49    0   2   0 -- df 
  822 0xbf7e0000 0xbf800000 rwx    5    0   1   0 -- df

	Adding a call to geom_stats_close() at the end of gstat.c results in
	kernel livelock; it responds to ping but nothing else.

	This problem seems to be well known, including being mentioned on
	the FreeBSD wiki, but I couldn't find an associated PR.

>How-To-Repeat:
	Run gstat under a PV Xen instance, quit.
>Fix:

	


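Added example, not part of the original report or of FreeBSD's source: it decodes the PTE printed in the console message above and evaluates the `pmap_remove_pte` condition as it stood before and after r216762. The flag values are assumed to match FreeBSD's i386 pmap.h, and the `VM_MAXUSER_ADDRESS` value is an assumption taken from the `vm_map_remove` argument in the backtrace.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* i386 PTE bits, assumed to match FreeBSD's sys/i386/include/pmap.h. */
#define PG_V       0x001ULL  /* valid */
#define PG_RW      0x002ULL  /* writable */
#define PG_U       0x004ULL  /* user-accessible */
#define PG_A       0x020ULL  /* accessed */
#define PG_M       0x040ULL  /* modified */
#define PG_MANAGED 0x400ULL  /* software bit: page is tracked with pv entries */
/* Assumption: user-space limit, taken from the vm_map_remove() argument. */
#define VM_MAXUSER_ADDRESS 0xbf800000UL

/* Write the names of the flag bits set in pte into buf and return buf. */
static const char *pte_flags(uint64_t pte, char *buf, size_t len)
{
    static const struct { uint64_t bit; const char *name; } tbl[] = {
        { PG_V, "V" }, { PG_RW, "RW" }, { PG_U, "U" }, { PG_A, "A" },
        { PG_M, "M" }, { PG_MANAGED, "MANAGED" },
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++)
        if (pte & tbl[i].bit) {
            if (buf[0] != '\0')
                strncat(buf, " ", len - strlen(buf) - 1);
            strncat(buf, tbl[i].name, len - strlen(buf) - 1);
        }
    return buf;
}

/* Condition before r216762: any valid user PTE takes the managed path. */
static int old_managed_path(uint32_t va, uint64_t pte)
{
    return (pte & PG_MANAGED) || ((pte & PG_V) && va < VM_MAXUSER_ADDRESS);
}

/* Condition after r216762: only PG_MANAGED selects the pv bookkeeping. */
static int new_managed_path(uint64_t pte)
{
    return (pte & PG_MANAGED) != 0;
}

int main(void)
{
    char buf[64];
    uint32_t va = 0x2823f000;              /* from the console message */
    uint64_t pte = 0x80000007062d0025ULL;  /* from the console message */
    printf("flags: %s\nold: %d new: %d\n", pte_flags(pte, buf, sizeof(buf)),
        old_managed_path(va, pte), new_managed_path(pte));
    return 0;
}
```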
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-xen 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Dec 10 00:29:28 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=141328 

From: Colin Percival <cperciva@freebsd.org>
To: bug-followup@FreeBSD.org, tom@hur.st
Cc:  
Subject: Re: kern/141328: [xen] [panic] gstat exit causes kernel panic from
 unmanaged virtual address
Date: Sun, 28 Nov 2010 07:30:51 -0800

 Still present in HEAD @ 2010-11-27.
 
 Another test case: 'mdconfig -l'.
 
 -- 
 Colin Percival
 Security Officer, FreeBSD | freebsd.org | The power to serve
 Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
State-Changed-From-To: open->patched 
State-Changed-By: cperciva 
State-Changed-When: Tue Dec 28 14:37:01 UTC 2010 
State-Changed-Why:  
Fixed in HEAD, will MFC soon. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=141328 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/141328: commit references a PR
Date: Tue, 28 Dec 2010 14:36:39 +0000 (UTC)

 Author: cperciva
 Date: Tue Dec 28 14:36:32 2010
 New Revision: 216762
 URL: http://svn.freebsd.org/changeset/base/216762
 
 Log:
   Remove a "not strictly correct" (and panic-inducing) workaround for a bug
   which doesn't seem to exist.
   
   PR:		kern/141328
   MFC after:	3 days
 
 Modified:
   head/sys/i386/xen/pmap.c
 
 Modified: head/sys/i386/xen/pmap.c
 ==============================================================================
 --- head/sys/i386/xen/pmap.c	Tue Dec 28 13:28:24 2010	(r216761)
 +++ head/sys/i386/xen/pmap.c	Tue Dec 28 14:36:32 2010	(r216762)
 @@ -2225,27 +2225,14 @@ pmap_remove_pte(pmap_t pmap, pt_entry_t 
  	if (oldpte & PG_G)
  		pmap_invalidate_page(kernel_pmap, va);
  	pmap->pm_stats.resident_count -= 1;
 -	/*
 -	 * XXX This is not strictly correctly, but somewhere along the line
 -	 * we are losing the managed bit on some pages. It is unclear to me
 -	 * why, but I think the most likely explanation is that xen's writable
 -	 * page table implementation doesn't respect the unused bits.
 -	 */
 -	if ((oldpte & PG_MANAGED) || ((oldpte & PG_V) && (va < VM_MAXUSER_ADDRESS))
 -		) {
 +	if (oldpte & PG_MANAGED) {
  		m = PHYS_TO_VM_PAGE(xpmap_mtop(oldpte) & PG_FRAME);
 -
 -		if (!(oldpte & PG_MANAGED))
 -			printf("va=0x%x is unmanaged :-( pte=0x%llx\n", va, oldpte);
 -
  		if ((oldpte & (PG_M | PG_RW)) == (PG_M | PG_RW))
  			vm_page_dirty(m);
  		if (oldpte & PG_A)
  			vm_page_flag_set(m, PG_REFERENCED);
  		pmap_remove_entry(pmap, m, va);
 -	} else if ((va < VM_MAXUSER_ADDRESS) && (oldpte & PG_V))
 -		printf("va=0x%x is unmanaged :-( pte=0x%llx\n", va, oldpte);
 -
 +	}
  	return (pmap_unuse_pt(pmap, va, free));
  }
  
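Review bot: the new test `if (oldpte & PG_MANAGED)` needs a short comment in place of the deleted XXX block, because nothing now records why a valid user PTE without PG_MANAGED is skipped. The removed comment speculated that the managed bit was being lost, and the log says only that the bug "doesn't seem to exist". A one-line comment stating that unmanaged mappings, such as the device mapping at va=0x2823f000 in the PR, have no pv entry to remove would keep the workaround from being reintroduced later.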
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/141328: commit references a PR
Date: Thu,  6 Jan 2011 22:54:00 +0000 (UTC)

 Author: cperciva
 Date: Thu Jan  6 22:53:55 2011
 New Revision: 217081
 URL: http://svn.freebsd.org/changeset/base/217081
 
 Log:
   MFS r217052: Fix a panic when gstat exits or when 'mdconfig -l' is run,
   on i386/XEN.
   
   PR:		kern/141328
   Approved by:	re (rwatson)
 
 Modified:
   releng/8.2/sys/i386/xen/pmap.c
 Directory Properties:
   releng/8.2/sys/   (props changed)
   releng/8.2/sys/amd64/include/xen/   (props changed)
   releng/8.2/sys/cddl/contrib/opensolaris/   (props changed)
   releng/8.2/sys/contrib/dev/acpica/   (props changed)
   releng/8.2/sys/contrib/pf/   (props changed)
 
 Modified: releng/8.2/sys/i386/xen/pmap.c
 ==============================================================================
 --- releng/8.2/sys/i386/xen/pmap.c	Thu Jan  6 22:52:52 2011	(r217080)
 +++ releng/8.2/sys/i386/xen/pmap.c	Thu Jan  6 22:53:55 2011	(r217081)
 @@ -2293,19 +2293,8 @@ pmap_remove_pte(pmap_t pmap, pt_entry_t 
  	if (oldpte & PG_G)
  		pmap_invalidate_page(kernel_pmap, va);
  	pmap->pm_stats.resident_count -= 1;
 -	/*
 -	 * XXX This is not strictly correctly, but somewhere along the line
 -	 * we are losing the managed bit on some pages. It is unclear to me
 -	 * why, but I think the most likely explanation is that xen's writable
 -	 * page table implementation doesn't respect the unused bits.
 -	 */
 -	if ((oldpte & PG_MANAGED) || ((oldpte & PG_V) && (va < VM_MAXUSER_ADDRESS))
 -		) {
 +	if (oldpte & PG_MANAGED) {
  		m = PHYS_TO_VM_PAGE(xpmap_mtop(oldpte) & PG_FRAME);
 -
 -		if (!(oldpte & PG_MANAGED))
 -			printf("va=0x%x is unmanaged :-( pte=0x%llx\n", va, oldpte);
 -
  		if (oldpte & PG_M) {
  			KASSERT((oldpte & PG_RW),
  	("pmap_remove_pte: modified page not writable: va: %#x, pte: %#jx",
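Review bot: the log for this merge should say why the old condition panicked, because the narrowed test at `if (oldpte & PG_MANAGED)` is the whole fix. The removed `|| ((oldpte & PG_V) && (va < VM_MAXUSER_ADDRESS))` clause let a PTE with PG_MANAGED clear reach `m = PHYS_TO_VM_PAGE(xpmap_mtop(oldpte) & PG_FRAME);` and the code below it that uses `m`. "Fix a panic" on its own gives someone bisecting releng/8.2 nothing to match against the backtrace in the PR.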
 @@ -2315,9 +2304,7 @@ pmap_remove_pte(pmap_t pmap, pt_entry_t 
  		if (oldpte & PG_A)
  			vm_page_flag_set(m, PG_REFERENCED);
  		pmap_remove_entry(pmap, m, va);
 -	} else if ((va < VM_MAXUSER_ADDRESS) && (oldpte & PG_V))
 -		printf("va=0x%x is unmanaged :-( pte=0x%llx\n", va, oldpte);
 -
 +	}
  	return (pmap_unuse_pt(pmap, va, free));
  }
  
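Review bot: style point at the end of the block: removing the `else if` branch also removes the blank line that separated the block from `return (pmap_unuse_pt(pmap, va, free));`. Keeping one blank line before the return would leave the function's layout unchanged apart from the dropped diagnostic. Removing the printf itself is fine, since it fired on teardown of a valid unmanaged user mapping, as the console output in the PR shows.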
 
State-Changed-From-To: patched->closed 
State-Changed-By: cperciva 
State-Changed-When: Thu Jan 6 23:02:54 UTC 2011 
State-Changed-Why:  
Fixed in HEAD, 8-STABLE, and 8.2-RC2. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=141328 
>Unformatted:
