From owner-freebsd-current@freebsd.org  Sat Jun  4 17:47:51 2016
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id BCC2DB6A804
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Sat,  4 Jun 2016 17:47:51 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1])
 (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4BE381BE7;
 Sat,  4 Jun 2016 17:47:51 +0000 (UTC)
 (envelope-from kostikbel@gmail.com)
Received: from tom.home (kib@localhost [127.0.0.1])
 by kib.kiev.ua (8.15.2/8.15.2) with ESMTPS id u54HljaH074165
 (version=TLSv1 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO);
 Sat, 4 Jun 2016 20:47:46 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
DKIM-Filter: OpenDKIM Filter v2.10.3 kib.kiev.ua u54HljaH074165
Received: (from kostik@localhost)
 by tom.home (8.15.2/8.15.2/Submit) id u54Hlj6W074164;
 Sat, 4 Jun 2016 20:47:45 +0300 (EEST)
 (envelope-from kostikbel@gmail.com)
X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com
 using -f
Date: Sat, 4 Jun 2016 20:47:45 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: Matthew Macy <mmacy@nextbsd.org>
Cc: Michael Butler <imb@protected-networks.net>,
 "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>,
 alc@freebsd.org
Subject: Re: repeatable panic on pageout with 945GM
Message-ID: <20160604174745.GB38613@kib.kiev.ua>
References: <2490f1c7-8153-ece3-49ed-4b3886564fd7@protected-networks.net>
 <da19738b-6bf1-10a3-4428-43b6095ec35a@protected-networks.net>
 <205d4423-b834-9a21-785f-fa15d44c78ec@protected-networks.net>
 <CAHM0Q_PR5Aoak6A7f=tsRy0DJFCmLDVfRGpceZ0mXU3P+xO8DA@mail.gmail.com>
 <1551419a1db.12929035f45012.326107747932338888@nextbsd.org>
 <939f9d2b-e925-e8e0-0ff3-8d90623728c6@protected-networks.net>
 <1551c5dbd86.c68532b5123717.566503881838650848@nextbsd.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1551c5dbd86.c68532b5123717.566503881838650848@nextbsd.org>
User-Agent: Mutt/1.6.1 (2016-04-27)
X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no
 autolearn_force=no version=3.4.1
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on tom.home
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Jun 2016 17:47:51 -0000

On Sat, Jun 04, 2016 at 10:02:33AM -0700, Matthew Macy wrote:
> 
> 
> 
>  
>  >  
>  > This "band-aid" seems to have worked. I haven't had a single panic since 
>  > - Thanks! :-) 
>  >  
>  > I tried to compile with -O0 but, for some reason, it panics in the sound 
>  > driver with a double-fault. When I get time, I'll recompile only the 
>  > files involved and see if I can't get a decent trace (and dump) to 
>  > identify the cause, 
>  
> No need. Based on the line that it crashed at, the problem is that with no mappings no pv_entry has been allocated. Somehow on your laptop you're able to get in to a situation where fictitious pages have been added to the object that don't get mapped. This isn't a strange situation in and of itself, but you seem to be the only hitting this. 
> 
> In any event, the DRM 4.6 port will support AGP in about a week. It will probably have bugs, but this one isn't in any of its code paths.
> 
> 
> I'm glad your system works a bit better now.
> 

I believe that this is a bug in amd64 pmap. Fictitious pages are not
promoted, in particular, the pv_table array does not span over the
dynamically registered fictitious ranges. As result, pa_to_pvh() returns
garbage and pvh must not be accessed in the case of 'small_mappings' in
several pmap functions.  It is typically not accessed, except in case
when we have to drop and reacquire pv lock, to avoid LOR with pmap.

i386 does not have the issue, due to pvh_global_lock.

Below is the supposed fix (not tested).

diff --git a/sys/amd64/amd64/pmap.c b/sys/amd64/amd64/pmap.c
index 7a93e76..e514b07 100644
--- a/sys/amd64/amd64/pmap.c
+++ b/sys/amd64/amd64/pmap.c
@@ -3947,12 +3947,14 @@ small_mappings:
 	while ((pv = TAILQ_FIRST(&m->md.pv_list)) != NULL) {
 		pmap = PV_PMAP(pv);
 		if (!PMAP_TRYLOCK(pmap)) {
-			pvh_gen = pvh->pv_gen;
+			if ((m->flags & PG_FICTITIOUS) == 0)
+				pvh_gen = pvh->pv_gen;
 			md_gen = m->md.pv_gen;
 			rw_wunlock(lock);
 			PMAP_LOCK(pmap);
 			rw_wlock(lock);
-			if (pvh_gen != pvh->pv_gen || md_gen != m->md.pv_gen) {
+			if (((m->flags & PG_FICTITIOUS) == 0 &&
+			    pvh_gen != pvh->pv_gen) || md_gen != m->md.pv_gen) {
 				rw_wunlock(lock);
 				PMAP_UNLOCK(pmap);
 				goto retry;
@@ -5775,13 +5777,14 @@ small_mappings:
 	TAILQ_FOREACH(pv, &m->md.pv_list, pv_next) {
 		pmap = PV_PMAP(pv);
 		if (!PMAP_TRYLOCK(pmap)) {
-			pvh_gen = pvh->pv_gen;
+			if ((m->flags & PG_FICTITIOUS) == 0)
+				pvh_gen = pvh->pv_gen;
 			md_gen = m->md.pv_gen;
 			rw_wunlock(lock);
 			PMAP_LOCK(pmap);
 			rw_wlock(lock);
-			if (pvh_gen != pvh->pv_gen ||
-			    md_gen != m->md.pv_gen) {
+			if (((m->flags & PG_FICTITIOUS) == 0 &&
+			    pvh_gen != pvh->pv_gen) || md_gen != m->md.pv_gen) {
 				PMAP_UNLOCK(pmap);
 				rw_wunlock(lock);
 				goto retry_pv_loop;
@@ -5985,12 +5988,14 @@ small_mappings:
 			pvf = pv;
 		pmap = PV_PMAP(pv);
 		if (!PMAP_TRYLOCK(pmap)) {
-			pvh_gen = pvh->pv_gen;
+			if ((m->flags & PG_FICTITIOUS) == 0)
+				pvh_gen = pvh->pv_gen;
 			md_gen = m->md.pv_gen;
 			rw_wunlock(lock);
 			PMAP_LOCK(pmap);
 			rw_wlock(lock);
-			if (pvh_gen != pvh->pv_gen || md_gen != m->md.pv_gen) {
+			if (((m->flags & PG_FICTITIOUS) == 0 &&
+			    pvh_gen != pvh->pv_gen) || md_gen != m->md.pv_gen) {
 				PMAP_UNLOCK(pmap);
 				goto retry;
 			}
@@ -6248,11 +6253,13 @@ small_mappings:
 		pmap = PV_PMAP(pv);
 		if (!PMAP_TRYLOCK(pmap)) {
 			md_gen = m->md.pv_gen;
-			pvh_gen = pvh->pv_gen;
+			if ((m->flags & PG_FICTITIOUS) == 0)
+				pvh_gen = pvh->pv_gen;
 			rw_wunlock(lock);
 			PMAP_LOCK(pmap);
 			rw_wlock(lock);
-			if (pvh_gen != pvh->pv_gen || md_gen != m->md.pv_gen) {
+			if (((m->flags & PG_FICTITIOUS) == 0 &&
+			    pvh_gen != pvh->pv_gen) || md_gen != m->md.pv_gen) {
 				PMAP_UNLOCK(pmap);
 				goto restart;
 			}