Date: Mon, 10 Mar 2014 21:01:12 +0200 From: Konstantin Belousov <kostikbel@gmail.com> To: Glen Barber <gjb@FreeBSD.org> Cc: freebsd-current@FreeBSD.org Subject: Re: panic: vm_fault: fault on nofault entry Message-ID: <20140310190112.GR24664@kib.kiev.ua> In-Reply-To: <20140310180508.GI1746@glenbarber.us> References: <20140309165648.GF1776@glenbarber.us> <20140309180132.GO24664@kib.kiev.ua> <20140309181657.GI1776@glenbarber.us> <20140310154606.GQ24664@kib.kiev.ua> <20140310155115.GH1746@glenbarber.us> <20140310180508.GI1746@glenbarber.us>
--E5Kv0g4zpMKTBL4W Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Mar 10, 2014 at 02:05:08PM -0400, Glen Barber wrote: > Unread portion of the kernel message buffer: > Sleeping thread (tid 100702, pid 24712) owns a non-sleepable lock Would be nice to see the full message before and panic from the console. =46rom what I see, this is a lock leak, I forgot to unlock the map. It is nice that it is so simple to reproduce the issue in your setup. Try this update. diff --git a/sys/amd64/amd64/mem.c b/sys/amd64/amd64/mem.c index abbbb21..5a4d8a9 100644 --- a/sys/amd64/amd64/mem.c +++ b/sys/amd64/amd64/mem.c @@ -76,14 +76,16 @@ MALLOC_DEFINE(M_MEMDESC, "memdesc", "memory range descr= iptors"); int memrw(struct cdev *dev, struct uio *uio, int flags) { - int o; - u_long c =3D 0, v; struct iovec *iov; - int error =3D 0; + u_long c, v; + int error, o, sflags; vm_offset_t addr, eaddr; =20 GIANT_REQUIRED; =20 + error =3D 0; + c =3D 0; + sflags =3D curthread_pflags_set(TDP_DEVMEMIO); while (uio->uio_resid > 0 && error =3D=3D 0) { iov =3D uio->uio_iov; if (iov->iov_len =3D=3D 0) { @@ -98,7 +100,15 @@ memrw(struct cdev *dev, struct uio *uio, int flags) kmemphys: o =3D v & PAGE_MASK; c =3D min(uio->uio_resid, (u_int)(PAGE_SIZE - o)); - error =3D uiomove((void *)PHYS_TO_DMAP(v), (int)c, uio); + v =3D PHYS_TO_DMAP(v); + if (v < DMAP_MIN_ADDRESS || + (v > DMAP_MIN_ADDRESS + dmaplimit && + v <=3D DMAP_MAX_ADDRESS) || + pmap_kextract(v) =3D=3D 0) { + error =3D EFAULT; + goto ret; + } + error =3D uiomove((void *)v, (int)c, uio); continue; } else if (dev2unit(dev) =3D=3D CDEV_MINOR_KMEM) { 
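Review bot: The new `sflags = curthread_pflags_set(TDP_DEVMEMIO);` at the top of memrw() is paired with a single restore at the `ret:` label, so every exit from the loop must now reach that label, and nothing at this line says why the flag exists; a one-line comment would spare the next reader a trip through trap.c and vm_fault.c, e.g. `/* Faults on unmapped or nofault kernel addresses are recovered through pcb_onfault and reported as EFAULT instead of panicking; see the nogo path in trap.c and vm_fault(). */`. Any future early `return` inside the loop would leak the flag into userret(), where the companion KASSERT catches it only on INVARIANTS kernels, so the comment should also state the restore-on-every-exit rule. The loop body and the `ret:` label lie outside this hunk.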
@@ -119,22 +129,30 @@ kmemphys:
 addr =3D trunc_page(v);
 eaddr =3D round_page(v + c);
=20
- if (addr < VM_MIN_KERNEL_ADDRESS)
- return (EFAULT);
- for (; addr < eaddr; addr +=3D PAGE_SIZE)=20
- if (pmap_extract(kernel_pmap, addr) =3D=3D 0)
- return (EFAULT);
-
+ if (addr < VM_MIN_KERNEL_ADDRESS) {
+ error =3D EFAULT;
+ goto ret;
+ }
+ for (; addr < eaddr; addr +=3D PAGE_SIZE) {
+ if (pmap_extract(kernel_pmap, addr) =3D=3D 0) {
+ error =3D EFAULT;
+ goto ret;
+ }
+ }
 if (!kernacc((caddr_t)(long)v, c, uio->uio_rw =3D=3D UIO_READ ?=20
- VM_PROT_READ : VM_PROT_WRITE))
- return (EFAULT);
+ VM_PROT_READ : VM_PROT_WRITE)) {
+ error =3D EFAULT;
+ goto ret;
+ }
=20
 error =3D uiomove((caddr_t)(long)v, (int)c, uio);
 continue;
 }
 /* else panic! */
 }
+ret:
+ curthread_pflags_restore(sflags);
 return (error);
 }
=20
diff --git a/sys/amd64/amd64/trap.c b/sys/amd64/amd64/trap.c
index f7d0afd..b1cbdbc 100644
--- a/sys/amd64/amd64/trap.c
+++ b/sys/amd64/amd64/trap.c
@@ -787,6 +787,12 @@ nogo:
 frame->tf_rip =3D (long)curpcb->pcb_onfault;
 return (0);
 }
+ if ((td->td_pflags & TDP_DEVMEMIO) !=3D 0) {
+ KASSERT(curpcb->pcb_onfault !=3D NULL,
+ ("/dev/mem without pcb_onfault"));
+ frame->tf_rip =3D (long)curpcb->pcb_onfault;
+ return (0);
+ }
 trap_fatal(frame, eva);
 return (-1);
 }
diff --git a/sys/kern/subr_trap.c b/sys/kern/subr_trap.c
index 07d63f8..9633e34 100644
--- a/sys/kern/subr_trap.c
+++ b/sys/kern/subr_trap.c
@@ -157,6 +157,8 @@ userret(struct thread *td, struct trapframe *frame)
 td->td_rw_rlocks));
 KASSERT((td->td_pflags & TDP_NOFAULTING) =3D=3D 0,
 ("userret: Returning with pagefaults disabled"));
+ KASSERT((td->td_pflags & TDP_DEVMEMIO) =3D=3D 0,
+ ("userret: Returning with /dev/mem i/o leaked"));
 KASSERT(td->td_no_sleeping =3D=3D 0,
 ("userret: Returning with sleep disabled"));
 KASSERT(td->td_pinned =3D=3D 0 || (td->td_pflags & TDP_CALLCHAIN) !=3D 0,
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index fce1f8a..e7cd022 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
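Review bot: In the new TDP_DEVMEMIO branch on the nogo path in trap.c, the KASSERT is the only thing between a NULL pcb_onfault and `frame->tf_rip = 0`; on a kernel built without INVARIANTS the assertion compiles out and the fault would resume kernel execution at address 0 instead of reaching trap_fatal(). Making the NULL check part of the condition keeps the diagnostic and otherwise falls through to trap_fatal(): `if ((td->td_pflags & TDP_DEVMEMIO) != 0 && curpcb->pcb_onfault != NULL) {`, with the KASSERT then either dropped or left as documentation of the expected invariant. The context lines show the preceding branch already redirects to pcb_onfault when its own conditions hold, so a short comment stating which case this second branch covers that the first does not would help; the condition of that earlier `if` and the enclosing function both start outside the hunk.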
@@ -424,6 +424,7 @@ do { \
 #define TDP_RESETSPUR 0x04000000 /* Reset spurious page fault history. */
 #define TDP_NERRNO 0x08000000 /* Last errno is already in td_errno */
 #define TDP_UIOHELD 0x10000000 /* Current uio has pages held in td_ma */
+#define TDP_DEVMEMIO 0x20000000 /* Accessing memory for /dev/mem */
=20
 /*
 * Reasons that the current thread can not be run yet.
diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index 4a6495f..ab48462 100644
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@@ -269,6 +269,10 @@ RetryFault:;
 map_generation =3D fs.map->timestamp;
=20
 if (fs.entry->eflags & MAP_ENTRY_NOFAULT) {
+ if ((curthread->td_pflags & TDP_DEVMEMIO) !=3D 0) {
+ vm_map_unlock_read(fs.map);
+ return (KERN_FAILURE);
+ }
 panic("vm_fault: fault on nofault entry, addr: %lx",
 (u_long)vaddr);
 }
--E5Kv0g4zpMKTBL4W Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iQIcBAEBAgAGBQJTHgv3AAoJEJDCuSvBvK1BJKMP/1U8oGP3TGX5ZrJNiaGbCrUc gwFT6QtCD3xkNitKj0cwn4wWWoQwOUPCwFxZQZoOgIKKjKH1w4BM90R2ytJ9R0ju oiMoLqoK+IZYPglQfgDVp8WFkrD8IZ5/yzFno2TTbK1tEgV0ANLbE60h2AqULM5a WCduHwSOTFjX6IJKAyDiQPivUYR+4I/fd6Q+1hUMtHEdGbf/COPAYly+swpx/wyB /MiSM6P4BSNoLaovzgVXioipyR6L76u8RDClAWg3xV4hRGDbY2n9uQ+y6kKo7WB+ LosC/u4kLrnZ8O+STYAaP3tXdza0BDEsIp9mPU2jhSmsdSwZob9+MWcHVjjC4bOb 3YU/YjAQvKMQyVP3cpNn5Tsq05TIq0juOds0K07phIQY9lktRxe/OjiVyyaLU0NA uOpCJafjeHgGQFlhCpnPoT79uzDmXqcDNOQK8ZPTyAVfQ2bKRHZTAQVU9Y1JrAD6 VTMmoCIvr8fgNDggYkP9kXJfZFu+c7PiGvdxyrHZZsB0WA+rkPTEGAvCd/GtBxmG KTGkyZ1TenxCTjG/5HctxOvjixtsd9s38iIM4PCVeJ7My2jekafNwUvSry+M67mc MVDNy2Fd/BoxI+mFMh2RvpJzki4hMupDxNx5UE9odPkxsJMgWSlHsn+7F2GIj9fw jUASUViOP/d0GrBJK5YU =r7yH -----END PGP SIGNATURE----- --E5Kv0g4zpMKTBL4W--
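Review bot: The early return added under the MAP_ENTRY_NOFAULT check in vm_fault() releases the read lock on fs.map, which is the leak the message describes, but nothing at the site records that the map read lock is the only resource held at this point, so a later change that takes an object reference or pip count earlier in the function could silently turn this into a different leak. A comment such as `/* /dev/mem may legitimately touch nofault entries; only the map read lock is held here, and the trap handler resumes at pcb_onfault. */` pins that assumption where the next editor will see it. It is worth noting in the same comment that this turns a panic into KERN_FAILURE only for threads carrying TDP_DEVMEMIO, so the nofault invariant still holds for everything else. The rest of vm_fault() continues outside the hunk.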