Date: Fri, 30 Nov 2018 18:38:32 +0000
From: bugzilla-noreply@freebsd.org
To: ppc@FreeBSD.org
Subject: [Bug 233414] [PowerPC64] OPTIONS DEBUG_MEMGUARD results in unbootable kernel
Message-ID: <bug-233414-21-UEY4wFHCDI@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-233414-21@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233414

--- Comment #3 from Leandro Lupori <leandro.lupori@gmail.com> ---
I started taking a look at this, also to be able to debug a use-after-free problem.
In my case, however, the system boots and crashes only after I enable memguard of an UMA region via sysctl, as follows:

sysctl vm.memguard.desc='128 Bucket'

Then, if I run make -C /usr/src, for instance, I get a stack like this:

#0 vpanic (fmt=0xc0000000010a6980 "%s: recursing but non-recursive rw %s @ %s:%d\n", ap=0xe0000000ce0f12f8 "\300") at /usr/home/luporl/base/head/sys/kern/kern_shutdown.c:813
#1 0xc0000000006abf18 in panic (fmt=<optimized out>) at /usr/home/luporl/base/head/sys/kern/kern_shutdown.c:804
#2 0xc0000000006a6148 in __rw_wlock_hard (c=<optimized out>, v=13835058055423348736, file=0xc0000000010e73f8 "/usr/home/luporl/base/head/sys/vm/vm_kern.c", line=471) at /usr/home/luporl/base/head/sys/kern/kern_rwlock.c:954
#3 0xc0000000006a6a8c in _rw_wlock_cookie (c=<optimized out>, file=0xc0000000010e73f8 "/usr/home/luporl/base/head/sys/vm/vm_kern.c", line=471) at /usr/home/luporl/base/head/sys/kern/kern_rwlock.c:286
#4 0xc000000000a33664 in kmem_back_domain (domain=0, object=<optimized out>, addr=16140901064502083584, size=4096, flags=<optimized out>) at /usr/home/luporl/base/head/sys/vm/vm_kern.c:471
#5 0xc000000000a33924 in kmem_back (object=0xc0000000019194a8 <kernel_object_store>, addr=16140901064502083584, size=<optimized out>, flags=513) at /usr/home/luporl/base/head/sys/vm/vm_kern.c:540
#6 0xc000000000a2d5b4 in memguard_alloc (req_size=1024, flags=513) at /usr/home/luporl/base/head/sys/vm/memguard.c:351
#7 0xc000000000a2abd8 in uma_zalloc_arg (zone=0xc0000001ffffdb00, udata=0x80000020, flags=513) at /usr/home/luporl/base/head/sys/vm/uma_core.c:2436
#8 0xc000000000a2b528 in bucket_alloc (zone=0xc000000002000b00, udata=0x80000020, flags=513) at /usr/home/luporl/base/head/sys/vm/uma_core.c:428
#9 0xc000000000a2b0a0 in zone_alloc_bucket (flags=<optimized out>, domain=<optimized out>, udata=<optimized out>, zone=<optimized out>) at /usr/home/luporl/base/head/sys/vm/uma_core.c:2982
#10 uma_zalloc_arg (zone=0xc000000002000b00, udata=0x0, flags=1) at /usr/home/luporl/base/head/sys/vm/uma_core.c:2590
#11 0xc000000000a76194 in uma_zalloc (flags=<optimized out>, zone=<optimized out>) at /usr/home/luporl/base/head/sys/vm/uma.h:362
#12 alloc_pvo_entry (bootstrap=<optimized out>) at /usr/home/luporl/base/head/sys/powerpc/aim/mmu_oea64.c:374
#13 0xc000000000a7a354 in moea64_enter (mmu=0xc000000001a8e268 <mmu_kernel_obj>, pmap=0xc000000001a8eba8 <kernel_pmap_store>, va=16140901064502071296, m=0xc0000001f469d400, prot=3 '\003', flags=515, psind=<optimized out>) at /usr/home/luporl/base/head/sys/powerpc/aim/mmu_oea64.c:1365
#14 0xc000000000ab2658 in MMU_ENTER (_psind=<optimized out>, _flags=<optimized out>, _prot=<optimized out>, _p=<optimized out>, _va=<optimized out>, _pmap=<optimized out>, _mmu=0xc000000001a8e268 <mmu_kernel_obj>) at ./mmu_if.h:169
#15 pmap_enter (pmap=0xc000000001a8eba8 <kernel_pmap_store>, va=16140901064502071296, p=0xc0000001f469d400, prot=3 '\003', flags=515, psind=0 '\000') at /usr/home/luporl/base/head/sys/powerpc/powerpc/pmap_dispatch.c:150
#16 0xc000000000a33784 in kmem_back_domain (domain=0, object=<optimized out>, addr=16140901064502071296, size=4096, flags=<optimized out>) at /usr/home/luporl/base/head/sys/vm/vm_kern.c:498
#17 0xc000000000a33924 in kmem_back (object=0xc0000000019194a8 <kernel_object_store>, addr=16140901064502071296, size=<optimized out>, flags=513) at /usr/home/luporl/base/head/sys/vm/vm_kern.c:540
#18 0xc000000000a2d5b4 in memguard_alloc (req_size=1024, flags=513) at /usr/home/luporl/base/head/sys/vm/memguard.c:351
#19 0xc000000000a2abd8 in uma_zalloc_arg (zone=0xc0000001ffffdb00, udata=0x80000020, flags=513) at /usr/home/luporl/base/head/sys/vm/uma_core.c:2436
#20 0xc000000000a2b528 in bucket_alloc (zone=0xc000000002000b00, udata=0x80000020, flags=513) at /usr/home/luporl/base/head/sys/vm/uma_core.c:428
#21 0xc000000000a2b0a0 in zone_alloc_bucket (flags=<optimized out>, domain=<optimized out>, udata=<optimized out>, zone=<optimized out>) at /usr/home/luporl/base/head/sys/vm/uma_core.c:2982
#22 uma_zalloc_arg (zone=0xc000000002000b00, udata=0x0, flags=1) at /usr/home/luporl/base/head/sys/vm/uma_core.c:2590
#23 0xc000000000a76194 in uma_zalloc (flags=<optimized out>, zone=<optimized out>) at /usr/home/luporl/base/head/sys/vm/uma.h:362
#24 alloc_pvo_entry (bootstrap=<optimized out>) at /usr/home/luporl/base/head/sys/powerpc/aim/mmu_oea64.c:374
#25 0xc000000000a7a354 in vm.memguard.des (mmu=0xc000000001a8e268 <mmu_kernel_obj>, pmap=0xc000000002221130, va=34635493376, m=0xc0000001f469d460, prot=3 '\003', flags=1, psind=<optimized out>) at /usr/home/luporl/base/head/sys/powerpc/aim/mmu_oea64.c:1365
#26 0xc000000000ab2658 in MMU_ENTER (_psind=<optimized out>, _flags=<optimized out>, _prot=<optimized out>, _p=<optimized out>, _va=<optimized out>, _pmap=<optimized out>, _mmu=0xc000000001a8e268 <mmu_kernel_obj>) at ./mmu_if.h:169
#27 pmap_enter (pmap=0xc000000002221130, va=34635493376, p=0xc0000001f469d460, prot=3 '\003', flags=1, psind=0 '\000') at /usr/home/luporl/base/head/sys/powerpc/powerpc/pmap_dispatch.c:150
#28 0xc000000000a30d4c in vm_fault_hold (map=0xc000000002221000, vaddr=34635493376, fault_type=1 '\001', fault_flags=0, m_hold=0x0) at /usr/home/luporl/base/head/sys/vm/vm_fault.c:1296
#29 0xc000000000a31414 in vm_fault (map=0xc000000002221000, vaddr=34635493376, fault_type=1 '\001', fault_flags=0) at /usr/home/luporl/base/head/sys/vm/vm_fault.c:536
#30 0xc000000000ab493c in trap_pfault (frame=0xe0000000ce0f2840, user=1) at /usr/home/luporl/base/head/sys/powerpc/powerpc/trap.c:809
#31 0xc000000000ab5014 in trap (frame=0xe0000000ce0f2840) at /usr/home/luporl/base/head/sys/powerpc/powerpc/trap.c:272
#32 0xc000000000aa9fb4 in powerpc_interrupt (framep=0xe0000000ce0f2840) at /usr/home/luporl/base/head/sys/powerpc/powerpc/interrupt.c:127
#33 0xc000000000102ee0 in trapagain () at /usr/home/luporl/base/head/sys/powerpc/aim/trap_subr64.S:831

This is from a VM. It also happens on a physical host, but the DDB stack trace doesn't have as much information.

What seems to me here is that moea64_enter() ends up using uma_zalloc() to allocate a pvo entry, that uses memguard_alloc(), that uses kmem_back(), that calls moea64_enter(). This loop is interrupted by the panic on the non-recursive kmem_back_domain() lock.

-- 
You are receiving this mail because:
You are the assignee for the bug.
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-233414-21-UEY4wFHCDI>
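
The call loop described in the comment above can be recovered mechanically from a backtrace. The following is an added example, not part of the original message or of FreeBSD: it extracts function names from gdb frames and reports the re-entered chain. The helper names `frame_names`, `find_reentry` and `call_cycle` are hypothetical, and the sample is frames #0-#24 of the trace with arguments elided.

```python
import re

# Constructed sample: frames #0-#24 of the backtrace above, arguments and
# source locations replaced by "(...)"; names and addresses are from the page.
SAMPLE = (
    "#0 vpanic (...) #1 0xc0000000006abf18 in panic (...) "
    "#2 0xc0000000006a6148 in __rw_wlock_hard (...) #3 0xc0000000006a6a8c in _rw_wlock_cookie (...) "
    "#4 0xc000000000a33664 in kmem_back_domain (...) #5 0xc000000000a33924 in kmem_back (...) "
    "#6 0xc000000000a2d5b4 in memguard_alloc (...) #7 0xc000000000a2abd8 in uma_zalloc_arg (...) "
    "#8 0xc000000000a2b528 in bucket_alloc (...) #9 0xc000000000a2b0a0 in zone_alloc_bucket (...) "
    "#10 uma_zalloc_arg (...) #11 0xc000000000a76194 in uma_zalloc (...) #12 alloc_pvo_entry (...) "
    "#13 0xc000000000a7a354 in moea64_enter (...) #14 0xc000000000ab2658 in MMU_ENTER (...) #15 pmap_enter (...) "
    "#16 0xc000000000a33784 in kmem_back_domain (...) #17 0xc000000000a33924 in kmem_back (...) "
    "#18 0xc000000000a2d5b4 in memguard_alloc (...) #19 0xc000000000a2abd8 in uma_zalloc_arg (...) "
    "#20 0xc000000000a2b528 in bucket_alloc (...) #21 0xc000000000a2b0a0 in zone_alloc_bucket (...) "
    "#22 uma_zalloc_arg (...) #23 0xc000000000a76194 in uma_zalloc (...) #24 alloc_pvo_entry (...)"
)

# "#N [0xADDR in ]name (" ; inlined frames carry no address
FRAME = re.compile(r"#(\d+)\s+(?:0x[0-9a-f]+ in )?([\w.]+) \(")


def frame_names(text):
    """Function names in gdb order (innermost frame first)."""
    return [name for _, name in FRAME.findall(text)]


def find_reentry(names):
    """Return (i, j, run) for the pair of frames i < j that start the longest
    identical run of callers, or None if no function appears twice."""
    best = None
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            run = 0
            while (i + run < j and j + run < len(names)
                   and names[i + run] == names[j + run]):
                run += 1
            if run and (best is None or run > best[2]):
                best = (i, j, run)
    return best


def call_cycle(text):
    """The re-entered chain read caller -> callee, or [] if none is found."""
    names = frame_names(text)
    hit = find_reentry(names)
    return names[hit[0]:hit[1]][::-1] if hit else []
```

On the sample, `call_cycle(SAMPLE)` runs from `pmap_enter` through `moea64_enter`, `uma_zalloc` and `memguard_alloc` down to `kmem_back_domain`, which is the frame that takes the non-recursive lock a second time.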
