Date: Thu, 2 Jan 2020 14:58:16 +0100 From: Idwer Vollering <vidwer@gmail.com> To: Michael Tuexen <tuexen@freebsd.org> Cc: bob prohaska <fbsd@www.zefox.net>, freebsd-arm@freebsd.org, freebsd-current <freebsd-current@freebsd.org> Subject: Re: panic: vm_page_astate_fcmpset: invalid head requeue request on RPI3 Message-ID: <CAPp9OrkZ5UeaY32b%2BzzOXuf91UBEpRt-dMbVAH7_JWXG6gZ-7A@mail.gmail.com> In-Reply-To: <AE617FD7-3215-43FC-8D11-F1C4D1FC7B39@freebsd.org> References: <20200102001231.GA84583@www.zefox.net> <AE617FD7-3215-43FC-8D11-F1C4D1FC7B39@freebsd.org>
This can happen on amd64, on r356262, too. $ kgdb /boot/kernel/kernel vmcore.0 GNU gdb (GDB) 8.3.1 [GDB v8.3.1 for FreeBSD] Copyright (C) 2019 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-portbld-freebsd13.0". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /boot/kernel/kernel... Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug... Unread portion of the kernel message buffer: panic: vm_page_astate_fcmpset: invalid head requeue request for page 0xfffffe0001c8a7b8 cpuid = 2 time = 1577970641 KDB: stack backtrace: db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00567ff710 vpanic() at vpanic+0x17e/frame 0xfffffe00567ff770 panic() at panic+0x43/frame 0xfffffe00567ff7d0 _vm_page_pqstate_commit_dequeue() at _vm_page_pqstate_commit_dequeue+0x34f/frame 0xfffffe00567ff840 vm_page_pqstate_commit_dequeue() at vm_page_pqstate_commit_dequeue+0x96/frame 0xfffffe00567ff880 vm_page_pqstate_commit() at vm_page_pqstate_commit+0x46/frame 0xfffffe00567ff8b0 vm_pageout_laundry_worker() at vm_pageout_laundry_worker+0x5be/frame 0xfffffe00567ffb30 fork_exit() at fork_exit+0x80/frame 0xfffffe00567ffb70 fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00567ffb70 --- trap 0, rip = 0, rsp = 0, rbp = 0 --- KDB: enter: panic __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55 55 __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu, (kgdb) bt #0 __curthread () at 
/usr/src/sys/amd64/include/pcpu_aux.h:55 #1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:392 #2 0xffffffff8049bbba in db_dump (dummy=<optimized out>, dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at /usr/src/sys/ddb/db_command.c:575 #3 0xffffffff8049b97c in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=1) at /usr/src/sys/ddb/db_command.c:482 #4 0xffffffff8049b6ed in db_command_loop () at /usr/src/sys/ddb/db_command.c:535 #5 0xffffffff8049e918 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:252 #6 0xffffffff80c15ab7 in kdb_trap (type=3, code=0, tf=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:691 #7 0xffffffff8106a9d4 in trap (frame=0xfffffe00567ff640) at /usr/src/sys/amd64/amd64/trap.c:585 #8 <signal handler called> #9 kdb_enter (why=0xffffffff811f6c89 "panic", msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:478 #10 0xffffffff80bca46a in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:897 #11 0xffffffff80bca203 in panic (fmt=0xffffffff81c7b008 <cnputs_mtx> "\260\266\033\201\377\377\377\377") at /usr/src/sys/kern/kern_shutdown.c:835 #12 0xffffffff80f2bb8f in _vm_page_pqstate_commit_dequeue (pq=<optimized out>, m=0xfffffe0001c8a7b8, old=0xfffffe00567ff900, new=...) at /usr/src/sys/vm/vm_page.h:790 #13 0xffffffff80f27d76 in vm_page_pqstate_commit_dequeue (m=0xfffffe0001c8a7b8, old=0xfffffe00567ff900, new=...) at /usr/src/sys/vm/vm_page.c:3369 #14 0xffffffff80f27c06 in vm_page_pqstate_commit (m=0xfffffe0001c8a7b8, old=0x80, new=...) 
at /usr/src/sys/vm/vm_page.c:3446 #15 0xffffffff80f2e82e in vm_pageout_launder (vmd=<optimized out>, launder=982, in_shortfall=<optimized out>) at /usr/src/sys/vm/vm_pageout.c:839 #16 vm_pageout_laundry_worker (arg=<optimized out>) at /usr/src/sys/vm/vm_pageout.c:1101 #17 0xffffffff80b87650 in fork_exit (callout=0xffffffff80f2e270 <vm_pageout_laundry_worker>, arg=0x0, frame=0xfffffe00567ffb80) at /usr/src/sys/kern/kern_fork.c:1058 #18 <signal handler called> (kgdb) up #1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:392 392 dumptid = curthread->td_tid; (kgdb) #2 0xffffffff8049bbba in db_dump (dummy=<optimized out>, dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at /usr/src/sys/ddb/db_command.c:575 575 error = doadump(false); (kgdb) #3 0xffffffff8049b97c in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=1) at /usr/src/sys/ddb/db_command.c:482 482 (*cmd->fcn)(addr, have_addr, count, modif); (kgdb) #4 0xffffffff8049b6ed in db_command_loop () at /usr/src/sys/ddb/db_command.c:535 535 db_command(&db_last_command, &db_cmd_table, /* dopager */ 1); (kgdb) #5 0xffffffff8049e918 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/src/sys/ddb/db_main.c:252 252 db_command_loop(); (kgdb) #6 0xffffffff80c15ab7 in kdb_trap (type=3, code=0, tf=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:691 691 handled = be->dbbe_trap(type, code); (kgdb) #7 0xffffffff8106a9d4 in trap (frame=0xfffffe00567ff640) at /usr/src/sys/amd64/amd64/trap.c:585 585 if (kdb_trap(type, dr6, frame)) (kgdb) #8 <signal handler called> (kgdb) #9 kdb_enter (why=0xffffffff811f6c89 "panic", msg=<optimized out>) at /usr/src/sys/kern/subr_kdb.c:478 478 kdb_why = KDB_WHY_UNSET; (kgdb) #10 0xffffffff80bca46a in vpanic (fmt=<optimized out>, ap=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:897 897 kdb_enter(KDB_WHY_PANIC, "panic"); (kgdb) #11 0xffffffff80bca203 in panic (fmt=0xffffffff81c7b008 <cnputs_mtx> "\260\266\033\201\377\377\377\377") at 
/usr/src/sys/kern/kern_shutdown.c:835 835 vpanic(fmt, ap); (kgdb) #12 0xffffffff80f2bb8f in _vm_page_pqstate_commit_dequeue (pq=<optimized out>, m=0xfffffe0001c8a7b8, old=0xfffffe00567ff900, new=...) at /usr/src/sys/vm/vm_page.h:790 790 KASSERT((new.flags & PGA_ENQUEUED) == 0 || new.queue != PQ_NONE, (kgdb) #13 0xffffffff80f27d76 in vm_page_pqstate_commit_dequeue (m=0xfffffe0001c8a7b8, old=0xfffffe00567ff900, new=...) at /usr/src/sys/vm/vm_page.c:3369 3369 ret = _vm_page_pqstate_commit_dequeue(pq, m, old, new); (kgdb) #14 0xffffffff80f27c06 in vm_page_pqstate_commit (m=0xfffffe0001c8a7b8, old=0x80, new=...) at /usr/src/sys/vm/vm_page.c:3446 3446 if (!vm_page_pqstate_commit_dequeue(m, old, new)) (kgdb) #15 0xffffffff80f2e82e in vm_pageout_launder (vmd=<optimized out>, launder=982, in_shortfall=<optimized out>) at /usr/src/sys/vm/vm_pageout.c:839 839 if (!vm_page_pqstate_commit(m, &old, new)) (kgdb) #16 vm_pageout_laundry_worker (arg=<optimized out>) at /usr/src/sys/vm/vm_pageout.c:1101 1101 target -= min(vm_pageout_launder(vmd, launder, (kgdb) #17 0xffffffff80b87650 in fork_exit (callout=0xffffffff80f2e270 <vm_pageout_laundry_worker>, arg=0x0, frame=0xfffffe00567ffb80) at /usr/src/sys/kern/kern_fork.c:1058 1058 callout(arg, frame); (kgdb) #18 <signal handler called> (kgdb) Initial frame selected; you cannot go up. Op do 2 jan. 2020 om 12:03 schreef Michael Tuexen <tuexen@freebsd.org>: > > > On 2. Jan 2020, at 01:12, bob prohaska <fbsd@www.zefox.net> wrote: > > > > While playing at compiling www/chromium using > > FreeBSD 13.0-CURRENT (GENERIC) #2 r356165: Mon Dec 30 09:59:03 PST 2019 > > the machine crashed, reporting > > panic: vm_page_astate_fcmpset: invalid head requeue request for page 0xfffffd0031880490 > This problem is NOT arm specific. 
I've seen it on an amd64 system running syzkaller: > http://212.201.121.91:10000/crash?id=00704eb865e893ffda473a4859e062eef512cbde > > Best regards > Michael > > > > cpuid = 2 > > time = 1577921727 > > KDB: stack backtrace: > > db_trace_self() at db_trace_self_wrapper+0x28 > > pc = 0xffff000000735c5c lr = 0xffff000000106814 > > sp = 0xffff0000521ec240 fp = 0xffff0000521ec450 > > > > db_trace_self_wrapper() at vpanic+0x18c > > pc = 0xffff000000106814 lr = 0xffff000000408d90 > > sp = 0xffff0000521ec460 fp = 0xffff0000521ec510 > > > > vpanic() at panic+0x44 > > pc = 0xffff000000408d90 lr = 0xffff000000408b40 > > sp = 0xffff0000521ec520 fp = 0xffff0000521ec5a0 > > > > panic() at _vm_page_pqstate_commit_dequeue+0x340 > > pc = 0xffff000000408b40 lr = 0xffff0000006ed840 > > sp = 0xffff0000521ec5b0 fp = 0xffff0000521ec5f0 > > > > _vm_page_pqstate_commit_dequeue() at vm_page_pqstate_commit_dequeue+0xb8 > > pc = 0xffff0000006ed840 lr = 0xffff0000006e954c > > sp = 0xffff0000521ec600 fp = 0xffff0000521ec640 > > > > vm_page_pqstate_commit_dequeue() at vm_page_pqstate_commit+0x50 > > pc = 0xffff0000006e954c lr = 0xffff0000006e93ac > > sp = 0xffff0000521ec650 fp = 0xffff0000521ec670 > > > > vm_page_pqstate_commit() at vm_pageout_laundry_worker+0x5e4 > > pc = 0xffff0000006e93ac lr = 0xffff0000006f02c0 > > sp = 0xffff0000521ec680 fp = 0xffff0000521ec940 > > > > vm_pageout_laundry_worker() at fork_exit+0x7c > > pc = 0xffff0000006f02c0 lr = 0xffff0000003c7fdc > > sp = 0xffff0000521ec950 fp = 0xffff0000521ec980 > > > > fork_exit() at fork_trampoline+0x10 > > pc = 0xffff0000003c7fdc lr = 0xffff00000075230c > > sp = 0xffff0000521ec990 fp = 0x0000000000000000 > > > > KDB: enter: panic > > [ thread pid 21 tid 100071 ] > > Stopped at 0 > > db> bt > > Tracing pid 21 tid 100071 td 0xfffffd0001078560 > > db_trace_self() at db_stack_trace+0xf8 > > pc = 0xffff000000735c5c lr = 0xffff000000103c58 > > sp = 0xffff0000521ebe10 fp = 0xffff0000521ebe40 > > > > db_stack_trace() at db_command+0x228 > > 
pc = 0xffff000000103c58 lr = 0xffff0000001038d0 > > sp = 0xffff0000521ebe50 fp = 0xffff0000521ebf30 > > > > db_command() at db_command_loop+0x58 > > pc = 0xffff0000001038d0 lr = 0xffff000000103678 > > sp = 0xffff0000521ebf40 fp = 0xffff0000521ebf60 > > > > db_command_loop() at db_trap+0xf4 > > pc = 0xffff000000103678 lr = 0xffff00000010697c > > sp = 0xffff0000521ebf70 fp = 0xffff0000521ec190 > > > > db_trap() at kdb_trap+0x1d8 > > pc = 0xffff00000010697c lr = 0xffff0000004510d0 > > sp = 0xffff0000521ec1a0 fp = 0xffff0000521ec250 > > > > kdb_trap() at do_el1h_sync+0xf4 > > pc = 0xffff0000004510d0 lr = 0xffff000000752588 > > sp = 0xffff0000521ec260 fp = 0xffff0000521ec290 > > > > do_el1h_sync() at handle_el1h_sync+0x78 > > pc = 0xffff000000752588 lr = 0xffff000000738078 > > sp = 0xffff0000521ec2a0 fp = 0xffff0000521ec3b0 > > > > handle_el1h_sync() at kdb_enter+0x34 > > pc = 0xffff000000738078 lr = 0xffff00000045071c > > sp = 0xffff0000521ec3c0 fp = 0xffff0000521ec450 > > > > kdb_enter() at vpanic+0x1a8 > > pc = 0xffff00000045071c lr = 0xffff000000408dac > > sp = 0xffff0000521ec460 fp = 0xffff0000521ec510 > > > > vpanic() at panic+0x44 > > pc = 0xffff000000408dac lr = 0xffff000000408b40 > > sp = 0xffff0000521ec520 fp = 0xffff0000521ec5a0 > > > > panic() at _vm_page_pqstate_commit_dequeue+0x340 > > pc = 0xffff000000408b40 lr = 0xffff0000006ed840 > > sp = 0xffff0000521ec5b0 fp = 0xffff0000521ec5f0 > > > > _vm_page_pqstate_commit_dequeue() at vm_page_pqstate_commit_dequeue+0xb8 > > pc = 0xffff0000006ed840 lr = 0xffff0000006e954c > > sp = 0xffff0000521ec600 fp = 0xffff0000521ec640 > > > > vm_page_pqstate_commit_dequeue() at vm_page_pqstate_commit+0x50 > > pc = 0xffff0000006e954c lr = 0xffff0000006e93ac > > sp = 0xffff0000521ec650 fp = 0xffff0000521ec670 > > > > vm_page_pqstate_commit() at vm_pageout_laundry_worker+0x5e4 > > pc = 0xffff0000006e93ac lr = 0xffff0000006f02c0 > > sp = 0xffff0000521ec680 fp = 0xffff0000521ec940 > > > > vm_pageout_laundry_worker() at 
fork_exit+0x7c > > pc = 0xffff0000006f02c0 lr = 0xffff0000003c7fdc > > sp = 0xffff0000521ec950 fp = 0xffff0000521ec980 > > > > fork_exit() at fork_trampoline+0x10 > > pc = 0xffff0000003c7fdc lr = 0xffff00000075230c > > sp = 0xffff0000521ec990 fp = 0x0000000000000000 > > > > db> > > > > Thanks for reading, if there's anything to try please let me know. > > > > bob prohaska > > > > _______________________________________________ > > freebsd-arm@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-arm > > To unsubscribe, send any mail to "freebsd-arm-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-current@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"