From owner-freebsd-bugs@freebsd.org  Wed Jul  3 15:38:11 2019
Return-Path: <owner-freebsd-bugs@freebsd.org>
Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id BA9EF15D78AF
 for <freebsd-bugs@mailman.ysv.freebsd.org>;
 Wed,  3 Jul 2019 15:38:10 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::50:5])
 by mx1.freebsd.org (Postfix) with ESMTP id 43EF0808E8
 for <freebsd-bugs@freebsd.org>; Wed,  3 Jul 2019 15:38:10 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: by mailman.ysv.freebsd.org (Postfix)
 id 0187A15D78AE; Wed,  3 Jul 2019 15:38:10 +0000 (UTC)
Delivered-To: bugs@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D323A15D78AD
 for <bugs@mailman.ysv.freebsd.org>; Wed,  3 Jul 2019 15:38:09 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.ysv.freebsd.org (mxrelay.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.ysv.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 57A86808E5
 for <bugs@FreeBSD.org>; Wed,  3 Jul 2019 15:38:09 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.ysv.freebsd.org (Postfix) with ESMTPS id 82D75B84E
 for <bugs@FreeBSD.org>; Wed,  3 Jul 2019 15:38:08 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id x63Fc8Y6067994
 for <bugs@FreeBSD.org>; Wed, 3 Jul 2019 15:38:08 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
 by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id x63Fc8ZY067991
 for bugs@FreeBSD.org; Wed, 3 Jul 2019 15:38:08 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to
 bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 238960] panic in vm_pageout_collect_batch() when
 QUEUE_MACRO_DEBUG_TRASH is enabled
Date: Wed, 03 Jul 2019 15:38:08 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 12.0-RELEASE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: dgmorris@earthlink.net
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-238960-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 15:38:11 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D238960

            Bug ID: 238960
           Summary: panic in vm_pageout_collect_batch() when
                    QUEUE_MACRO_DEBUG_TRASH is enabled
           Product: Base System
           Version: 12.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: dgmorris@earthlink.net

Found when working in an environment where QUEUE_MACRO_DEBUG_TRASH is enabl=
ed
by default and a system is brought to light memory pressure:

#14 0xffffffff81091654 in trap (frame=3D0xfffffe0031979600)
    at /usr/src/sys/amd64/amd64/trap.c:443
#15 <signal handler called>
#16 vm_pageout_collect_batch (ss=3D<optimized out>, dequeue=3D<optimized ou=
t>)
    at /usr/src/sys/vm/vm_pageout.c:283
#17 vm_pageout_next (ss=3D<optimized out>, dequeue=3D<optimized out>)
    at /usr/src/sys/vm/vm_pageout.c:315
#18 vm_pageout_scan_inactive (shortage=3D<optimized out>, vmd=3D<optimized =
out>,=20
    addl_shortage=3D<optimized out>) at /usr/src/sys/vm/vm_pageout.c:1397
#19 vm_pageout_worker (arg=3D<optimized out>)
    at /usr/src/sys/vm/vm_pageout.c:1940
#20 0xffffffff80f10e86 in vm_pageout () at /usr/src/sys/vm/vm_pageout.c:2091

(kgdb) f 16
#16 vm_pageout_collect_batch (ss=3D<optimized out>, dequeue=3D<optimized ou=
t>)
    at /usr/src/sys/vm/vm_pageout.c:283
283         if ((m->flags & PG_MARKER) =3D=3D 0) {

(kgdb) l
278=20
279     vm_pagequeue_lock(pq);
280     for (m =3D TAILQ_NEXT(marker, plinks.q); m !=3D NULL &&
281         ss->scanned < ss->maxscan && ss->bq.bq_cnt < VM_BATCHQUEUE_SIZE;
282         m =3D TAILQ_NEXT(m, plinks.q), ss->scanned++) {
283         if ((m->flags & PG_MARKER) =3D=3D 0) {
284             KASSERT((m->aflags & PGA_ENQUEUED) !=3D 0,
285                 ("page %p not enqueued", m));
286             KASSERT((m->flags & PG_FICTITIOUS) =3D=3D 0,
287                 ("Fictitious page %p cannot be in page queue", m));

(kgdb) p m
$1 =3D (vm_page_t) 0xffffffffffffffff

The root cause is the logic for dequeue combined with the iterator of the w=
hile
loop:

                (void)vm_batchqueue_insert(&ss->bq, m);
                if (dequeue) {
                        TAILQ_REMOVE(&pq->pq_pl, m, plinks.q);
                        vm_page_aflag_clear(m, PGA_ENQUEUED);
                }

With m removed from the pagequeue TAILQ, it has no valid TAILQ_NEXT and the
DEBUG mode exposes this. Dereference of the (-1) the tailq is set to result=
s in
panic shown.

One obvious fix would be to cache the TAILQ_NEXT() of m before dequeue and =
set
m to that after the dequeue [with the non-dequeue case moving the set of m =
out
of the loop statement]. This approach addresses the problem and removes the
panic, but others may have prettier/nicer methods.

--=20
You are receiving this mail because:
You are the assignee for the bug.=