From owner-freebsd-stable@FreeBSD.ORG Mon Jan 28 23:09:23 2008 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D443E16A498 for ; Mon, 28 Jan 2008 23:09:23 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from speedfactory.net (mail.speedfactory.net [66.23.216.219]) by mx1.freebsd.org (Postfix) with ESMTP id 4235B13C455 for ; Mon, 28 Jan 2008 23:09:23 +0000 (UTC) (envelope-from jhb@freebsd.org) Received: from server.baldwin.cx (unverified [66.23.211.162]) by speedfactory.net (SurgeMail 3.8s) with ESMTP id 230036719-1834499 for multiple; Mon, 28 Jan 2008 18:09:07 -0500 Received: from localhost.corp.yahoo.com (john@localhost [127.0.0.1]) (authenticated bits=0) by server.baldwin.cx (8.14.2/8.14.2) with ESMTP id m0SN8iU5087147; Mon, 28 Jan 2008 18:09:08 -0500 (EST) (envelope-from jhb@freebsd.org) From: John Baldwin To: Pete French Date: Mon, 28 Jan 2008 16:25:37 -0500 User-Agent: KMail/1.9.7 References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-15" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200801281625.37804.jhb@freebsd.org> X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by milter-greylist-2.0.2 (server.baldwin.cx [127.0.0.1]); Mon, 28 Jan 2008 18:09:08 -0500 (EST) X-Virus-Scanned: ClamAV 0.91.2/5588/Mon Jan 28 16:24:15 2008 on server.baldwin.cx X-Virus-Status: Clean X-Spam-Status: No, score=-4.3 required=4.2 tests=ALL_TRUSTED,AWL,BAYES_00, SUBJ_HAS_UNIQ_ID autolearn=ham version=3.1.3 X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on server.baldwin.cx Cc: freebsd-stable@freebsd.org Subject: Re: panic: vm_fault: fault on nofualt entry, addr: 81423000 X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jan 2008 23:09:24 -0000 On Monday 28 January 2008 01:03:45 pm Pete French wrote: > o.k., done some investigative work, and I think i have actually tracke > dodnw what is going wrong, though i do not know how to fix it. mapping > the header calls madt_map_table, which in turn calls madt_map > to do the actual mapping: > > madt_map called with pa 0x7fec7f40, offset 1, length 60 > 'off' becomes 3904, and the rounded length 4096 > pmap_kenter_temporary called with pa 0x7fec7000, offset 1 > gives va of 0x8142300 > returns 0x81423f40 > > thus the header is ending up in page 0x8142300 if I read that correctly. this > is importnat for later on. meanwhile, back at the table scanning code... > > rsdt mapped at 0x81423f40 > table offset at 0x81423f64 > count is 6 > table offset address and their contents > 0 0x81423f64 0x7fec7fe8 > 1 0x81423f68 0x7fec805c > 2 0x81423f6c 0x7fec80c4 > 3 0x81423f70 0x7fec8127 > 4 0x81423f74 0x7fec8163 > 5 0x81423f78 0x7fec8195 > > so, it probes the first table, held at 0x7fec7fe8 as indicated by > the address in 0x81423f64. this calls madt_map to map the table > > madt_map called with pa 0x7fec7fe8, offset 0, length 36 > 'off' becomes 4072, and the rounded length 8192 > pmap_kenter_temporary called with pa 0x7fec7000, offset 0 > pmap_kenter called with va 0x8142300, pa 0x7fec8000 > gives va of 0x8142200 > returns 0x81422fe8 > > code is looking for a signature of 'APIC', but this table has 'FACP', so > a call is made to madt_unmap before returning > > madt_unmap called with data 0x81422fe8, length 36 > 'off' becomes 4072, and the rounded length 8192 > pmap_kremove called with 0x81422000 > pmap_kremove called with 0x81423000 > > the function then returns 0, and the loop goes round again to look > at table entry 1. the address of the table is stored at 0x81423f68 > as you can see from the list above, and it is when it tries to access > that address that it panics. > > now preseumably the panic is correct - 0x81423f68 is in page 0x81423000, > and didn't we just unmap that ? now I dont really understand this fully, > but why is page 0x81423000 being touched at all ? shouldnt the mapped > pages be 0x81421000 and 0x81422000 instead so they don't clash with > the already mapped 0x81423000 ? The unmap function is quite correctly doing > the reverse of the map function, but maybe theres something simply going > wrong in the algorithm working out which pages to map ? I think the problem is that the header for the FACP table crossed a page boundary so we had to map 2 pages to map the header, but the code assumes only 1 page is needed so when the second page was mapped, it overlapped with the page holding the XSDT. Here's a fix: Index: madt.c =================================================================== RCS file: /usr/cvs/src/sys/i386/acpica/madt.c,v retrieving revision 1.28 diff -u -r1.28 madt.c --- madt.c 11 Sep 2007 22:54:09 -0000 1.28 +++ madt.c 28 Jan 2008 21:25:03 -0000 @@ -109,9 +109,11 @@ /* * Code to abuse the crashdump map to map in the tables for the early * probe. We cheat and make the following assumptions about how we - * use this KVA: page 0 is used to map in the first page of each table - * found via the RSDT or XSDT and pages 1 to n are used to map in the - * RSDT or XSDT. The offset is in pages; the length is in bytes. + * use this KVA: pages 0 and 1 are used to map in the header of each + * table found via the RSDT or XSDT and pages 2 to n are used to map + * in the RSDT or XSDT. We have to use 2 pages for the table headers + * in case a header spans a page boundary. The offset is in pages; + * the length is in bytes. */ static void * madt_map(vm_paddr_t pa, int offset, vm_offset_t length) @@ -232,7 +234,7 @@ printf("MADT: RSDP failed extended checksum\n"); return (ENXIO); } - xsdt = madt_map_table(rsdp->XsdtPhysicalAddress, 1, + xsdt = madt_map_table(rsdp->XsdtPhysicalAddress, 2, ACPI_SIG_XSDT); if (xsdt == NULL) { if (bootverbose) @@ -246,7 +248,7 @@ break; madt_unmap_table(xsdt); } else { - rsdt = madt_map_table(rsdp->RsdtPhysicalAddress, 1, + rsdt = madt_map_table(rsdp->RsdtPhysicalAddress, 2, ACPI_SIG_RSDT); if (rsdt == NULL) { if (bootverbose) -- John Baldwin