From owner-freebsd-bugs@FreeBSD.ORG  Wed Aug  6 17:02:09 2003
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id BF27237B401; Wed,  6 Aug 2003 17:02:09 -0700 (PDT)
Received: from cvsup.no.freebsd.org (c2h5oh.idi.ntnu.no [129.241.103.69])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id C31B543FD7; Wed,  6 Aug 2003 17:02:08 -0700 (PDT)
	(envelope-from Tor.Egge@cvsup.no.freebsd.org)
Received: from localhost (localhost [127.0.0.1])h77024r5012778;
	Thu, 7 Aug 2003 00:02:07 GMT
	(envelope-from tegge@cvsup.no.freebsd.org)
To: heiko@terminmarktwelt.de
From: Tor.Egge@cvsup.no.freebsd.org
In-Reply-To: <200308042000.h74K0TdJ079563@freefall.freebsd.org>
References: <200308042000.h74K0TdJ079563@freefall.freebsd.org>
X-Mailer: Mew version 1.94.2 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Wed_Aug__6_23:57:42_2003_518)--"
Content-Transfer-Encoding: 7bit
Message-Id: <20030807000204S.tegge@cvsup.no.freebsd.org>
Date: Thu, 07 Aug 2003 00:02:04 GMT
Sender: Tor Egge <Tor.Egge@cvsup.no.freebsd.org>
X-Dispatcher: imput version 20000228(IM140)
Lines: 109
cc: alc@freebsd.org
cc: freebsd-bugs@freebsd.org
Subject: Re: kern/44950: SMP kernel crash in vm_page_free: freeing wired
 page
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Aug 2003 00:02:10 -0000

----Next_Part(Wed_Aug__6_23:57:42_2003_518)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

>  With an uptime of about 2 days I got today the first crash: stack trace is:
>  
>  (kgdb) where
>  #0  0xc016e052 in dumpsys ()
>  #1  0xc016de23 in boot ()
>  #2  0xc016e27c in poweroff_wait ()
>  #3  0xc02286ca in vm_page_free_toq ()
>  #4  0xc02274bc in vm_object_collapse ()
>  #5  0xc02266d0 in vm_object_deallocate ()
>  #6  0xc0223b74 in vm_map_entry_delete ()
>  #7  0xc0223d2d in vm_map_delete ()
>  #8  0xc0223dba in vm_map_remove ()
>  
>  Someone has an idea other than turn off SMP ?

This problem can also occur without SMP if you use threaded
applications (linuxthreads port or linux emulation), aio or procfs.

The enclosed patch might help.

- Tor Egge

----Next_Part(Wed_Aug__6_23:57:42_2003_518)--
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="stablefix1.diff"

Index: sys/vm/vm_page.c
===================================================================
RCS file: /home/ncvs/src/sys/vm/vm_page.c,v
retrieving revision 1.147.2.18
diff -u -r1.147.2.18 vm_page.c
--- sys/vm/vm_page.c	10 Mar 2002 05:03:19 -0000	1.147.2.18
+++ sys/vm/vm_page.c	6 Aug 2003 23:09:58 -0000
@@ -1403,7 +1408,8 @@
 {
 	int s;
 
-	if ((m->flags & (PG_BUSY|PG_UNMANAGED)) || m->busy || m->wire_count) {
+	if ((m->flags & (PG_BUSY|PG_UNMANAGED)) || m->busy ||
+	    m->hold_count || m->wire_count) {
 		printf("vm_page_cache: attempting to cache busy page\n");
 		return;
 	}
Index: sys/kern/sys_pipe.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/sys_pipe.c,v
retrieving revision 1.60.2.14
diff -u -r1.60.2.14 sys_pipe.c
--- sys/kern/sys_pipe.c	3 Aug 2003 13:04:57 -0000	1.60.2.14
+++ sys/kern/sys_pipe.c	6 Aug 2003 23:09:58 -0000
@@ -561,12 +561,12 @@
 			int j;
 
 			for (j = 0; j < i; j++)
-				vm_page_unwire(wpipe->pipe_map.ms[j], 1);
+				vm_page_unhold(wpipe->pipe_map.ms[j]);
 			return (EFAULT);
 		}
 
 		m = PHYS_TO_VM_PAGE(paddr);
-		vm_page_wire(m);
+		vm_page_hold(m);
 		wpipe->pipe_map.ms[i] = m;
 	}
 
@@ -627,7 +627,7 @@
 		}
 	}
 	for (i = 0; i < wpipe->pipe_map.npages; i++)
-		vm_page_unwire(wpipe->pipe_map.ms[i], 1);
+		vm_page_unhold(wpipe->pipe_map.ms[i]);
 	wpipe->pipe_map.npages = 0;
 }
 
Index: sys/miscfs/procfs/procfs_mem.c
===================================================================
RCS file: /home/ncvs/src/sys/miscfs/procfs/Attic/procfs_mem.c,v
retrieving revision 1.46.2.3
diff -u -r1.46.2.3 procfs_mem.c
--- sys/miscfs/procfs/procfs_mem.c	22 Jan 2002 17:22:59 -0000	1.46.2.3
+++ sys/miscfs/procfs/procfs_mem.c	6 Aug 2003 23:09:58 -0000
@@ -188,9 +188,9 @@
 		}
 
 		/*
-		 * Wire the page into memory
+		 * Hold the page in memory
 		 */
-		vm_page_wire(m);
+		vm_page_hold(m);
 
 		/*
 		 * We're done with tmap now.
@@ -212,7 +212,7 @@
 		/*
 		 * release the page and the object
 		 */
-		vm_page_unwire(m, 1);
+		vm_page_unhold(m);
 		vm_object_deallocate(object);
 
 		object = NULL;

----Next_Part(Wed_Aug__6_23:57:42_2003_518)----