From owner-freebsd-current@freebsd.org  Mon Dec  7 09:46:24 2015
Return-Path: <owner-freebsd-current@freebsd.org>
Delivered-To: freebsd-current@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AD9F69A0CA1
 for <freebsd-current@mailman.ysv.freebsd.org>;
 Mon,  7 Dec 2015 09:46:24 +0000 (UTC)
 (envelope-from freebsd-listen@fabiankeil.de)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de
 [80.67.18.28])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4498B13B5
 for <freebsd-current@freebsd.org>; Mon,  7 Dec 2015 09:46:24 +0000 (UTC)
 (envelope-from freebsd-listen@fabiankeil.de)
Received: from [78.35.182.168] (helo=fabiankeil.de)
 by smtprelay05.ispgateway.de with esmtpsa (TLSv1.2:AES128-GCM-SHA256:128)
 (Exim 4.84) (envelope-from <freebsd-listen@fabiankeil.de>)
 id 1a5sN6-0001YD-Oo; Mon, 07 Dec 2015 10:46:16 +0100
Date: Mon, 7 Dec 2015 10:44:36 +0100
From: Fabian Keil <freebsd-listen@fabiankeil.de>
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: FreeBSD Current <freebsd-current@freebsd.org>
Subject: Re: panic: vm_fault: fault on nofault entry, addr: fffffe00873d8000
Message-ID: <20151207104436.44b3ec26@fabiankeil.de>
In-Reply-To: <20151206185736.GG2202@kib.kiev.ua>
References: <20151206114532.73b1dac9@fabiankeil.de>
 <20151206165912.GF2202@kib.kiev.ua>
 <20151206185136.2ff4f519@fabiankeil.de>
 <20151206185736.GG2202@kib.kiev.ua>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
 boundary="Sig_/DX2cufYBAYSOEq99V_mNkFc"; protocol="application/pgp-signature"
X-Df-Sender: Nzc1MDY3
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
 <freebsd-current.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
 <mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2015 09:46:24 -0000

--Sig_/DX2cufYBAYSOEq99V_mNkFc
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Konstantin Belousov <kostikbel@gmail.com> wrote:

> On Sun, Dec 06, 2015 at 06:51:36PM +0100, Fabian Keil wrote:
> > > > #16 0xffffffff80877d5a in bcopy () at /usr/src/sys/amd64/amd64/supp=
ort.S:118
> > > > #17 0xffffffff805f64e8 in uiomove_faultflag (cp=3D<value optimized =
out>, n=3D<value optimized out>, uio=3D0xfffffe009444aae0, nofault=3D<value=
 optimized out>) at /usr/src/sys/kern/subr_uio.c:208
> > > > #18 0xffffffff8046236f in msdosfs_read (ap=3D<value optimized out>)=
 at /usr/src/sys/fs/msdosfs/msdosfs_vnops.c:596
> > > > #19 0xffffffff808feb20 in VOP_READ_APV (vop=3D<value optimized out>=
, a=3D<value optimized out>) at vnode_if.c:930
> > > > #20 0xffffffff8039bf3a in mdstart_vnode (sc=3D0xfffff8004c7ce000, b=
p=3D0xfffff80028fc81f0) at vnode_if.h:384   =20
> > > From the frame 20, do 'p *bp' in kgdb and mail the result.  Do you ha=
ve
> > > any non-standard values for buffer cache knobs, esp. for MAXPHYS ? =20
> >=20
> > (kgdb) p *bp
> > $1 =3D {bio_cmd =3D 1 '\001', bio_flags =3D 16 '\020', bio_cflags =3D 0=
 '\0', bio_pflags =3D 0 '\0', bio_dev =3D 0x0, bio_disk =3D 0x0, bio_offset=
 =3D 0, bio_bcount =3D 0,=20
> >   bio_data =3D 0xfffffe0077d94000 <Address 0xfffffe0077d94000 out of bo=
unds>, bio_ma =3D 0xfffff8000275bc00, bio_ma_offset =3D 960, =20
>=20
> bio_ma_n =3D 33,
> This is the issue.  The upper layer (ZFS ?) passed down the request
> which is max-sized (see bio_length =3D=3D 32 pages) but not aligned.
> The physical buffer used for transient mapping cannot handle this.
>=20
> bio_error =3D 0, bio_resid =3D 0,=20
> >   bio_done =3D 0xffffffff804e51d0 <g_std_done>, bio_driver1 =3D 0x0, bi=
o_driver2 =3D 0x0, bio_caller1 =3D 0x0, bio_caller2 =3D 0x0, bio_queue =3D =
{tqe_next =3D 0x0, tqe_prev =3D 0xfffff8004c7ce018}, bio_attribute =3D 0x0,=
=20
> >   bio_from =3D 0xfffff80010131d80, bio_to =3D 0xfffff800694f2a00, bio_l=
ength =3D 131072, bio_completed =3D 0, bio_children =3D 0, bio_inbed =3D 0,=
 bio_parent =3D 0xfffff8000628bd90, bio_t0 =3D {sec =3D 33029,=20
> >     frac =3D 13163670047247984455}, bio_task =3D 0, bio_task_arg =3D 0x=
0, bio_classifier1 =3D 0x0, bio_classifier2 =3D 0x0, bio_pblkno =3D 0}
> > =20
> > I don't use non-standard values for MAXPHYS or other buffer cache setti=
ngs.
> >  =20
>=20
> Try the following patch.

With this patch I got:

[400] Fatal trap 9: general protection fault while in kernel mode
[400] cpuid =3D 0; apic id =3D 00
[400] instruction pointer	=3D 0x20:0xffffffff8086c603
[400] stack pointer	        =3D 0x28:0xfffffe0094422a60
[400] frame pointer	        =3D 0x28:0xfffffe0094422a80
[400] code segment		=3D base 0x0, limit 0xfffff, type 0x1b
[400] 			=3D DPL 0, pres 1, long 1, def32 0, gran 1
[400] processor eflags	=3D interrupt enabled, resume, IOPL =3D 0
[400] current process		=3D 34142 (md0)
[...]
(kgdb) where
#0  doadump (textdump=3D0) at pcpu.h:221
#1  0xffffffff80316e5b in db_dump (dummy=3D<value optimized out>, dummy2=3D=
false, dummy3=3D0, dummy4=3D0x0) at /usr/src/sys/ddb/db_command.c:533
#2  0xffffffff80316c4e in db_command (cmd_table=3D0x0) at /usr/src/sys/ddb/=
db_command.c:440
#3  0xffffffff803169e4 in db_command_loop () at /usr/src/sys/ddb/db_command=
.c:493
#4  0xffffffff803194eb in db_trap (type=3D<value optimized out>, code=3D0) =
at /usr/src/sys/ddb/db_main.c:251
#5  0xffffffff805e2933 in kdb_trap (type=3D9, code=3D0, tf=3D<value optimiz=
ed out>) at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff8087d161 in trap_fatal (frame=3D0xfffffe00944229b0, eva=3D<va=
lue optimized out>) at /usr/src/sys/amd64/amd64/trap.c:829
#7  0xffffffff8087ce3c in trap (frame=3D<value optimized out>) at /usr/src/=
sys/amd64/amd64/trap.c:203
#8  0xffffffff80861ae7 in calltrap () at /usr/src/sys/amd64/amd64/exception=
.S:234
#9  0xffffffff8086c603 in pmap_qenter (sva=3D18446741876956168192, ma=3D<va=
lue optimized out>, count=3D32) at /usr/src/sys/amd64/amd64/pmap.c:1991
#10 0xffffffff8039e673 in mdstart_vnode (sc=3D0xfffff80029ac7800, bp=3D0xff=
fff800270c15d0) at /usr/src/sys/dev/md/md.c:928
#11 0xffffffff8039c73c in md_kthread (arg=3D0xfffff80029ac7800) at /usr/src=
/sys/dev/md/md.c:1158
#12 0xffffffff8055c16c in fork_exit (callout=3D0xffffffff8039c510 <md_kthre=
ad>, arg=3D0xfffff80029ac7800, frame=3D0xfffffe0094422c00) at /usr/src/sys/=
kern/kern_fork.c:1011
#13 0xffffffff8086201e in fork_trampoline () at /usr/src/sys/amd64/amd64/ex=
ception.S:609
#14 0x0000000000000000 in ?? ()
Current language:  auto; currently minimal
(kgdb) f 9
#9  0xffffffff8086c603 in pmap_qenter (sva=3D18446741876956168192, ma=3D<va=
lue optimized out>, count=3D32) at /usr/src/sys/amd64/amd64/pmap.c:1991
1991			m =3D *ma++;
(kgdb) f 10
#10 0xffffffff8039e673 in mdstart_vnode (sc=3D0xfffff80029ac7800, bp=3D0xff=
fff800270c15d0) at /usr/src/sys/dev/md/md.c:928
928			pmap_qenter((vm_offset_t)pb->b_data,
(kgdb) l
923	unmapped_step:
924			npages =3D min(MAXPHYS, roundup2(len + ma_offs, PAGE_SIZE)) /
925			    PAGE_SIZE;
926			iolen =3D min(npages * PAGE_SIZE - ma_offs, len);
927			KASSERT(iolen > 0, ("zero iolen"));
928			pmap_qenter((vm_offset_t)pb->b_data,
929			    &bp->bio_ma[ma_offs / PAGE_SIZE], npages);
930			aiov.iov_base =3D (void *)((vm_offset_t)pb->b_data +
931			    ma_offs % PAGE_SIZE);
932			aiov.iov_len =3D iolen;
[...]
(kgdb) p *pb
$8 =3D {b_bufobj =3D 0x1001, b_bcount =3D 0, b_caller1 =3D 0x0, b_data =3D =
0x0, b_error =3D 0, b_iocmd =3D 0 '\0', b_ioflags =3D 0 '\0', b_iooffset =
=3D -2197012545536, b_resid =3D -8795990460928, b_iodone =3D 0x2100000400,=
=20
  b_blkno =3D 0, b_offset =3D 1024, b_bobufs =3D {tqe_next =3D 0xffffffff80=
4e7bb0, tqe_prev =3D 0x0}, b_vflags =3D 0, b_qindex =3D 0, b_flags =3D 0, b=
_xflags =3D 0 '\0', b_lock =3D {lock_object =3D {lo_name =3D 0x0, lo_flags =
=3D 0,=20
      lo_data =3D 0, lo_witness =3D 0xfffff80029ac7818}, lk_lock =3D 0, lk_=
exslpfail =3D 103222784, lk_timo =3D -2048, lk_pri =3D 655147520}, b_bufsiz=
e =3D 131072, b_runningbufspace =3D 0, b_kvasize =3D 0, b_dirtyoff =3D 0,=20
  b_dirtyend =3D 0, b_kvabase =3D 0xfffff800062853e0 "\001\020", b_lblkno =
=3D 398, b_vp =3D 0xca3691a05b0bac47, b_rcred =3D 0x0, b_wcred =3D 0x0, b_u=
nion =3D {bu_freelist =3D {tqe_next =3D 0x0, tqe_prev =3D 0x0}, bu_pager =
=3D {
      pg_iodone =3D 0, pg_reqpage =3D 0}}, b_cluster =3D {cluster_head =3D =
{tqh_first =3D 0x0, tqh_last =3D 0x401}, cluster_entry =3D {tqe_next =3D 0x=
0, tqe_prev =3D 0x401}}, b_pages =3D 0xfffff800270c16d0, b_npages =3D 0,=20
  b_dep =3D {lh_first =3D 0xc22730000}, b_fsprivate1 =3D 0x4000, b_fsprivat=
e2 =3D 0xfffffe00874b8000, b_fsprivate3 =3D 0x0, b_pin_count =3D 0}

Fabian

--Sig_/DX2cufYBAYSOEq99V_mNkFc
Content-Type: application/pgp-signature
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlZlVQgACgkQBYqIVf93VJ2vWQCfWbOgJCdXLUylihBlDW2A10iz
QaAAoJsENCZkBBQyXldMbZ1rnEoNdjcn
=2lom
-----END PGP SIGNATURE-----

--Sig_/DX2cufYBAYSOEq99V_mNkFc--