Subject: Re: svn commit: r281942 - head/sys/vm
From: Scott Long
Date: Sat, 25 Apr 2015 15:19:34 -0600
To: Chagin Dmitry
Cc: Scott Long, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org

> On Apr 25, 2015, at 2:30 AM, Chagin Dmitry wrote:
>
> On Fri, Apr 24, 2015 at 05:03:53PM +0000, Scott Long wrote:
>> Author: scottl
>> Date: Fri Apr 24 17:03:53 2015
>> New Revision: 281942
>> URL: https://svnweb.freebsd.org/changeset/base/281942
>>
>> Log:
>> Revert r281451. It causes a panic/hang early in boot for a number of
>> users, myself included. The original code is likely papering over a
>> larger bug that needs to be explored, but for now get things back to
>> a working state.
>>
>> Obtained from: Netflix, Inc.
>> MFC after: immediately
>>
> In my POV, at the vm_mem_init stage vm_map_init() calls
> uma_zcreate(), which uses uninitialized zones (which are initialized
> in uma_startup()). I bet zones contains garbage.
>

I don’t follow.
vm_mem_init() is called at SI_SUB_VM sysinit, and vm_map_init() is
called much later at SI_SUB_INTRINSIC. vm_mem_init() calls uma_startup()
almost immediately, which will then call zone_ctor() on the “kegs” and
“zones” that were allocated from bss. I don’t think that they’re being
used prior to that.

The problem that I see is that both of these zones are allocated
statically, and contain no storage for the uz_cpu member when that
member is declared as a zero-length array. All other zones are created
dynamically and include space for these members. uma_startup() is
initializing these zones at the right time, before their first use, but
isn’t giving them enough room.

According to the stack trace I posted, the problem triggers in the
second call to uma_zcreate() from uma_startup(). I think what happens is
that the first call to uma_zcreate() winds up writing to the zero-length
uz_cpu member of masterzone_z from inside of uma_zalloc_args(). This
overwrites the adjacent “kegs” and “zones” pointers in the bss. The next
call to uma_zcreate() then follows a path of trying to look in the kegs,
and eventually blows up. I’m not entirely certain on this chain of
events though as it’s a bit twisty inside of uma_zcreate() and I’m not
sure I’ve found a link to where it calls uma_zalloc_args().

Scott
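
The layout problem described in the message above, as an added example that is not part of the original mail and is not FreeBSD code. struct zone, struct cache, NCPU and the helper functions are hypothetical stand-ins, and a C99 flexible array member is used in place of the zero-length array; the example shows that a static object of the bare type has room for zero per-CPU slots, and how reserved storage plus a checked accessor avoids writing past it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NCPU 4  /* assumed CPU count, constructed for this example */

/* Hypothetical stand-ins, not the real UMA structures. */
struct cache { void *allocbucket, *freebucket; };
struct zone {
    const char  *name;
    size_t       size;
    struct cache cpu[];   /* trailing per-CPU array, playing the role of uz_cpu */
};

#define ZONE_HDR offsetof(struct zone, cpu)

/* Bytes a zone needs once its per-CPU array is counted. */
size_t zone_bytes(size_t ncpu) { return ZONE_HDR + ncpu * sizeof(struct cache); }

/* Number of cpu[] slots that fit inside `storage` bytes of backing memory. */
size_t zone_cpu_capacity(size_t storage) {
    return storage < ZONE_HDR ? 0 : (storage - ZONE_HDR) / sizeof(struct cache);
}

/* Checked accessor: NULL instead of a pointer past the backing storage. */
struct cache *zone_cpu(struct zone *z, size_t storage, size_t cpu) {
    return cpu < zone_cpu_capacity(storage) ? &z->cpu[cpu] : NULL;
}

/* Static object of the bare type: sizeof covers the header only, so any
 * write to cpu[0] would land on whatever the linker placed next to it. */
struct zone bare_zone;

/* Static object with the per-CPU slots reserved explicitly. */
union {
    struct zone   z;
    unsigned char room[ZONE_HDR + NCPU * sizeof(struct cache)];
} padded_zone;

/* Dynamic creation sizes the allocation with the trailing array included. */
struct zone *zone_alloc(size_t ncpu) { return calloc(1, zone_bytes(ncpu)); }

int main(void) {
    printf("bare static:   %zu slots\n", zone_cpu_capacity(sizeof bare_zone));
    printf("padded static: %zu slots\n", zone_cpu_capacity(sizeof padded_zone));
    printf("slot 0 of bare zone: %p\n",
           (void *)zone_cpu(&bare_zone, sizeof bare_zone, 0));
    return 0;
}
```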