From: Pete French
Date: Mon, 28 Jan 2008 18:03:45 +0000
To: jhb@freebsd.org
Cc: freebsd-stable@freebsd.org
Subject: Re: panic: vm_fault: fault on nofualt entry, addr: 81423000
In-Reply-To: <200801250837.49793.jhb@freebsd.org>

o.k., done some investigative work, and I think I have actually tracked
down what is going wrong, though I do not know how to fix it.

mapping the header calls madt_map_table, which in turn calls madt_map to
do the actual mapping:

    madt_map called with pa 0x7fec7f40, offset 1, length 60
        'off' becomes 3904, and the rounded length 4096
        pmap_kenter_temporary called with pa 0x7fec7000, offset 1
        gives va of 0x8142300
        returns 0x81423f40

thus the header is ending up in page 0x8142300 if I read that correctly.
this is important for later on. meanwhile, back at the table scanning code...

    rsdt mapped at 0x81423f40
    table offset at 0x81423f64
    count is 6

    table offset address and their contents
    0 0x81423f64 0x7fec7fe8
    1 0x81423f68 0x7fec805c
    2 0x81423f6c 0x7fec80c4
    3 0x81423f70 0x7fec8127
    4 0x81423f74 0x7fec8163
    5 0x81423f78 0x7fec8195

so, it probes the first table, held at 0x7fec7fe8 as indicated by the
address in 0x81423f64. this calls madt_map to map the table

    madt_map called with pa 0x7fec7fe8, offset 0, length 36
        'off' becomes 4072, and the rounded length 8192
        pmap_kenter_temporary called with pa 0x7fec7000, offset 0
        pmap_kenter called with va 0x8142300, pa 0x7fec8000
        gives va of 0x8142200
        returns 0x81422fe8

code is looking for a signature of 'APIC', but this table has 'FACP', so
a call is made to madt_unmap before returning

    madt_unmap called with data 0x81422fe8, length 36
        'off' becomes 4072, and the rounded length 8192
        pmap_kremove called with 0x81422000
        pmap_kremove called with 0x81423000

the function then returns 0, and the loop goes round again to look at
table entry 1. the address of the table is stored at 0x81423f68 as you
can see from the list above, and it is when it tries to access that
address that it panics.

now presumably the panic is correct - 0x81423f68 is in page 0x81423000,
and didn't we just unmap that?

now I don't really understand this fully, but why is page 0x81423000 being
touched at all? shouldn't the mapped pages be 0x81421000 and 0x81422000
instead so they don't clash with the already mapped 0x81423000?
The unmap function is quite correctly doing the reverse of the map function,
but maybe there's something simply going wrong in the algorithm working out
which pages to map?

cheers,

-pete.
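
The page arithmetic from the trace above, as an added example that is not part of the original message and not the FreeBSD source: it models how a slot number and a rounded length decide which virtual pages a temporary mapping occupies, and why tearing down the slot 0 mapping removes the page holding the header. `TEMP_BASE`, the struct and all function names are assumptions chosen to reproduce the addresses in the trace, and `first_safe_slot` is a hypothetical helper that goes one step beyond the message.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define PAGE_MASK (PAGE_SIZE - 1u)
/* Assumption: slot 0 of the temporary window is the lowest page the trace
 * shows being removed (0x81422000); slot n is n pages above it. */
#define TEMP_BASE 0x81422000u

struct mapping { uint32_t first_va, npages, data; };

/* Hypothetical model of the arithmetic in the trace, not the kernel code:
 * the slot picks the first page and further pages follow contiguously. */
static struct mapping model_map(uint32_t pa, uint32_t slot, uint32_t length)
{
    uint32_t off = pa & PAGE_MASK;
    uint32_t rounded = (length + off + PAGE_MASK) & ~PAGE_MASK;
    struct mapping m;
    m.first_va = TEMP_BASE + slot * PAGE_SIZE;
    m.npages = rounded / PAGE_SIZE;
    m.data = m.first_va + off;
    return m;
}

/* 1 if tearing down 'victim' also removes the page that holds 'va'. */
static int unmap_removes(struct mapping victim, uint32_t va)
{
    uint32_t page = va & ~PAGE_MASK;
    return page >= victim.first_va &&
           page < victim.first_va + victim.npages * PAGE_SIZE;
}

/* Lowest slot a longer-lived mapping needs so that a temporary mapping of
 * up to max_len bytes at slot 0 (worst case: it starts on the last byte
 * of a page) can never reach it. */
static uint32_t first_safe_slot(uint32_t max_len)
{
    return (PAGE_MASK + max_len + PAGE_MASK) / PAGE_SIZE;
}

int main(void)
{
    struct mapping rsdt = model_map(0x7fec7f40u, 1, 60); /* header, slot 1 */
    struct mapping tbl0 = model_map(0x7fec7fe8u, 0, 36); /* 'FACP', slot 0 */
    printf("rsdt data %#x, tbl0 data %#x spans %u pages, entry 1 lost: %d\n",
           (unsigned)rsdt.data, (unsigned)tbl0.data, (unsigned)tbl0.npages,
           unmap_removes(tbl0, 0x81423f68u));
    return 0;
}
```

With the values from the trace, the 36-byte table at page offset 4072 rounds up to two pages, so its slot 0 mapping extends into the slot 1 page where the header lives.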