From owner-freebsd-bugs@FreeBSD.ORG Mon Jan 9 23:20:13 2012 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 718EC1065676 for ; Mon, 9 Jan 2012 23:20:13 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 4A2BC8FC15 for ; Mon, 9 Jan 2012 23:20:13 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q09NKDUF021025 for ; Mon, 9 Jan 2012 23:20:13 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q09NKDVn021024; Mon, 9 Jan 2012 23:20:13 GMT (envelope-from gnats) Resent-Date: Mon, 9 Jan 2012 23:20:13 GMT Resent-Message-Id: <201201092320.q09NKDVn021024@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Alan Somers Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 13C271065670 for ; Mon, 9 Jan 2012 23:16:37 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id EE04D8FC1B for ; Mon, 9 Jan 2012 23:16:36 +0000 (UTC) Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q09NGahp090183 for ; Mon, 9 Jan 2012 23:16:36 GMT (envelope-from nobody@red.freebsd.org) Received: (from nobody@localhost) by red.freebsd.org (8.14.4/8.14.4/Submit) id q09NGaiu090182; Mon, 9 Jan 2012 23:16:36 GMT (envelope-from nobody) Message-Id: <201201092316.q09NGaiu090182@red.freebsd.org> Date: Mon, 9 Jan 2012 23:16:36 GMT From: Alan Somers To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: kern/163978: Loading hwpmc with an unknown cpuid causes a page fault in kernel mode. X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 09 Jan 2012 23:20:13 -0000 >Number: 163978 >Category: kern >Synopsis: Loading hwpmc with an unknown cpuid causes a page fault in kernel mode. >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Jan 09 23:20:12 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Alan Somers >Release: 10.0-CURRENT >Organization: SpectraLogic >Environment: FreeBSD fbtst.eng 10.0-CURRENT FreeBSD 10.0-CURRENT #11: Mon Jan 9 22:51:28 MST 2012 alans@fbdev.eng:/usr/home/alans/obj/usr/home/alans/spectra/branches/redline/projects/netback/SpectraBSD_head/sys/XENHVM.pmc amd64 >Description: Attemping to use hwpmc from a Xen guest on a Core i7 running in 64 bit mode, I got the following crash on bootup: xbd0: 20480MB at device/vbd/768 on xenbusb_front0 xbd0: attaching as ad0 Timecounter "TSC" frequency 2000036316 Hz quality 800 Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x0 fault code = supervisor read instruction, page not present instruction pointer = 0x20:0x0 stack pointer = 0x28:0xffffffff81985b90 frame pointer = 0x28:0xffffffff81985c10 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 0 (swapper) [ thread pid 0 tid 100000 ] Stopped at 0: *** error reading from address 0 *** db> where Tracing pid 0 tid 100000 td 0xffffffff8154f8b0 uart_sab82532_class() at 0 load() at load+0x39 syscall_module_handler() at syscall_module_handler+0xe6 module_register_init() at module_register_init+0xb0 mi_startup() at mi_startup+0x139 btext() at btext+0x2c The problem was that Xen changes the cpuid that guests see. Specifically, the result of do_cpuid(CORE_CPUID_REQUEST, cpuid) is changed to indicate that performance counters are not supported. Hence, pmc_core_initialize() returns EPROGMISMATCH. Eventually, that causes pmc_initialize() to execute a null function pointer at line 4692. Really, the root cause of the problem is that hwpmc isn't written very defensively. I've attached a patch that makes the panic go away, but doesn't make PMC work for my processor. >How-To-Repeat: Compile an amd64 Xen domU kernel with the below lines in your configuration file and boot it: options HWPMC_HOOKS device hwpmc >Fix: ==== sys/dev/hwpmc/hwpmc_mod.c#2 (text) ==== @@ -4689,7 +4689,15 @@ if (md->pmd_pcpu_init) error = md->pmd_pcpu_init(md, cpu); for (n = 0; error == 0 && n < md->pmd_nclass; n++) - error = md->pmd_classdep[n].pcd_pcpu_init(md, cpu); + if (md->pmd_classdep[n].pcd_pcpu_init != NULL) + error = md->pmd_classdep[n].pcd_pcpu_init(md, + cpu); + else + printf("hwpmc: md->pmd_classdep[%d]." + "pcd_pcpu_init was not initialized. " + "This is a bug.\n" + "\tMost likely your CPUID is not " + "recognized by hwpmc.\n", n); } pmc_restore_cpu_binding(&pb); @@ -4882,7 +4890,15 @@ continue; pmc_select_cpu(cpu); for (c = 0; c < md->pmd_nclass; c++) - md->pmd_classdep[c].pcd_pcpu_fini(md, cpu); + if (md->pmd_classdep[c].pcd_pcpu_fini != NULL) + md->pmd_classdep[c].pcd_pcpu_fini(md, + cpu); + else + printf("hwpmc: md->pmd_classdep[%d]." + "pcd_pcpu_fini was not initialized." + " This is a bug.\n" + "\tMost likely your CPUID is not " + "recognized by hwpmc.\n", c); if (md->pmd_pcpu_fini) md->pmd_pcpu_fini(md, cpu); } >Release-Note: >Audit-Trail: >Unformatted: