From nobody@FreeBSD.org  Tue Apr 27 04:35:20 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E456C16A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 27 Apr 2004 04:35:19 -0700 (PDT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id C9D3243D54
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 27 Apr 2004 04:35:19 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i3RBZJ5e062657
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 27 Apr 2004 04:35:19 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i3RBZJ4S062656;
	Tue, 27 Apr 2004 04:35:19 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200404271135.i3RBZJ4S062656@www.freebsd.org>
Date: Tue, 27 Apr 2004 04:35:19 -0700 (PDT)
From: Kostik Belousov <kostya@tessart.kiev.ua>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kernel panic in pagedaemon (triggered by vmware ?)
X-Send-Pr-Version: www-2.3

>Number:         66025
>Category:       kern
>Synopsis:       [panic]: kernel panic in pagedaemon with vmware3 port
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    remko
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 27 04:40:14 PDT 2004
>Closed-Date:    Mon Dec 25 11:22:06 GMT 2006
>Last-Modified:  Mon Dec 25 11:22:06 GMT 2006
>Originator:     Kostik Belousov
>Release:        FREEBSD 4.10-RC
>Organization:
tessart
>Environment:
FreeBSD deviant.tessart.kiev.ua 4.10-RC FreeBSD 4.10-RC #2: Mon Apr 26 10:35:45 EEST 2004     root@deviant.tessart.kiev.ua:/usr/obj/usr/src/sys/DEVIANT  i386  
>Description:
      I have installed a fresh vmware port (vmware3-3.2.1.2242_6,1) on FreeBSD 4.10-RC.
Within a short time (approx 5, max 10 minutes) after vmware started and the guest OS
finished loading, I consistently get a kernel panic.

IdlePTD at physical address 0x0039c000
initial pcb at physical address 0x002d5d80
panicstr: page fault
panic messages:
---
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x24
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc022b573
stack pointer           = 0x10:0xd2d2af14
frame pointer           = 0x10:0xd2d2af84
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 3 (pagedaemon)
interrupt mask          = none
trap number             = 12
panic: page fault

syncing disks... 8
done


Backtrace:

#0  dumpsys () at /usr/src/sys/kern/kern_shutdown.c:487
#1  0xc01645bb in boot (howto=256) at /usr/src/sys/kern/kern_shutdown.c:316
#2  0xc01649f9 in panic (fmt=0xc02a838c "%s")
    at /usr/src/sys/kern/kern_shutdown.c:595
#3  0xc025848f in trap_fatal (frame=0xd2d2aed4, eva=36)
    at /usr/src/sys/i386/i386/trap.c:974
#4  0xc025813d in trap_pfault (frame=0xd2d2aed4, usermode=0, eva=36)
    at /usr/src/sys/i386/i386/trap.c:867
#5  0xc0257ce3 in trap (frame={tf_fs = -1058996208, tf_es = -1059389424,
      tf_ds = -1063518192, tf_edi = 0, tf_esi = 0, tf_ebp = -757944444,
      tf_isp = -757944576, tf_ebx = -1063086944, tf_edx = -1063088804,
      tf_ecx = -1074786292, tf_eax = 0, tf_trapno = 12, tf_err = 0,
      tf_eip = -1071467149, tf_cs = 8, tf_eflags = 66118, tf_esp = 0,
      tf_ss = 0}) at /usr/src/sys/i386/i386/trap.c:466
#6  0xc022b573 in vm_pageout_scan (pass=0) at /usr/src/sys/vm/vm_pageout.c:1001
#7  0xc022bd63 in vm_pageout () at /usr/src/sys/vm/vm_pageout.c:1405
    
Code at the frame #6:

(kgdb) frame 6
#6  0xc022b573 in vm_pageout_scan (pass=0) at /usr/src/sys/vm/vm_pageout.c:1001
1001                    if (m->object->ref_count != 0) {
(kgdb) list
996
997                     /*
998                      * Check to see "how much" the page has been used.
999                      */
1000                    actcount = 0;
1001                    if (m->object->ref_count != 0) {
1002                            if (m->flags & PG_REFERENCED) {
1003                                    actcount += 1;
1004                            }
1005                            actcount += pmap_ts_referenced(m);
      
      
The problem is: at frame #6, some page m in the scanned page queue has
m->object == 0 (disassembly shows that variable m lives in %ebx):
(kgdb) p/x *(struct vm_page *)-1063086944
$5 = {pageq = {tqe_next = 0xc0a28d5c, tqe_prev = 0xc03012c0}, hnext = 0x0,
  listq = {tqe_next = 0xc0a28d5c, tqe_prev = 0xd3c64184}, object = 0x0, <----
  pindex = 0x2c8, phys_addr = 0x15859000, md = {pv_list_count = 0x0,
    pv_list = {tqh_first = 0x0, tqh_last = 0xc0a294c4}}, queue = 0x22,
  flags = 0x0, pc = 0x19, wire_count = 0x0, hold_count = 0x0, act_count = 0xd,
  busy = 0x0, valid = 0xff, dirty = 0xff}

>How-To-Repeat:
      Run vmware with a relatively large amount of memory allocated for the guest OS
(I have 512Mb RAM and allocated 256 Mb for the guest).

I have set sysctl kern.ipc.shm_allow_removed=1.

Modules loaded:
linux.ko
linprocfs.ko
vmmon_up.ko
vmnet.ko

Kernel was compiled with option VFS_AIO.

I have the crash dump and debug build of the crashed kernel, if needed.
>Fix:
      
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: remko 
State-Changed-When: Mon Dec 25 11:10:57 UTC 2006 
State-Changed-Why:  
Hello, can you tell me whether this problem is still current on more recent 
releases of FreeBSD? 


Responsible-Changed-From-To: freebsd-bugs->remko 
Responsible-Changed-By: remko 
Responsible-Changed-When: Mon Dec 25 11:10:57 UTC 2006 
Responsible-Changed-Why:  
Grab the PR for feedback tracing. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66025 
State-Changed-From-To: feedback->closed 
State-Changed-By: remko 
State-Changed-When: Mon Dec 25 11:21:30 UTC 2006 
State-Changed-Why:  
The submitter's mail address is no longer here. No feedback
options, if someone has feedback for this, please stand up 
and contact me so that we can try to resolve this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=66025 
>Unformatted:
