From owner-freebsd-bugs@FreeBSD.ORG  Wed Dec  9 21:40:02 2009
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 038521065784
	for <freebsd-bugs@hub.freebsd.org>;
	Wed,  9 Dec 2009 21:40:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id B69BE8FC18
	for <freebsd-bugs@hub.freebsd.org>;
	Wed,  9 Dec 2009 21:40:01 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id nB9Le13F048035
	for <freebsd-bugs@freefall.freebsd.org>; Wed, 9 Dec 2009 21:40:01 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id nB9Le1Ec048034;
	Wed, 9 Dec 2009 21:40:01 GMT (envelope-from gnats)
Resent-Date: Wed, 9 Dec 2009 21:40:01 GMT
Resent-Message-Id: <200912092140.nB9Le1Ec048034@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Thomas Hurst <tom@hur.st>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 869FC1065672
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed,  9 Dec 2009 21:31:36 +0000 (UTC)
	(envelope-from freaky@voi.aagh.net)
Received: from ita.aagh.net (ita.aagh.net [208.86.225.114])
	by mx1.freebsd.org (Postfix) with ESMTP id 0FEC98FC0C
	for <FreeBSD-gnats-submit@freebsd.org>;
	Wed,  9 Dec 2009 21:31:35 +0000 (UTC)
Received: from cpc1-hart9-2-0-cust900.11-3.cable.virginmedia.com
	([86.30.3.133] helo=voi.aagh.net ident=mailnull)
	by ita.aagh.net with esmtps (TLSv1:AES256-SHA:256)
	(Exim 4.69 (FreeBSD)) (envelope-from <freaky@voi.aagh.net>)
	id 1NITdO-0002gh-Ja
	for FreeBSD-gnats-submit@freebsd.org; Wed, 09 Dec 2009 20:59:42 +0000
Received: from freaky by voi.aagh.net with local (Exim 4.71 (FreeBSD))
	(envelope-from <freaky@voi.aagh.net>) id 1NITd5-000FhL-Pa
	for FreeBSD-gnats-submit@freebsd.org; Wed, 09 Dec 2009 20:59:23 +0000
Message-Id: <E1NITd5-000FhL-Pa@voi.aagh.net>
Date: Wed, 09 Dec 2009 20:59:23 +0000
From: Thomas Hurst <tom@hur.st>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: kern/141328: Xen: gstat exit causes kernel panic from unmanaged
	virtual address
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Thomas Hurst <tom@hur.st>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 21:40:02 -0000


>Number:         141328
>Category:       kern
>Synopsis:       Xen: gstat exit causes kernel panic from unmanaged virtual address
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 09 21:40:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Thomas Hurst
>Release:        FreeBSD 8.0-STABLE
>Organization:
>Environment:
System: FreeBSD mzu.aagh.net 8.0-STABLE FreeBSD 8.0-STABLE #0: Wed Dec  9 19:59:29 GMT 2009     root@mzu.aagh.net:/usr/obj/usr/src/sys/MZU_XEN  i386

Dom0 is 64bit Debian Lenny (stable) running Xen 3.2.1. VM is paravirtualized.

>Description:
	Under Xen paravirtualisation, running and then exiting gstat results in
	the following error and kernel panic:

va=0x2823f000 is unmanaged :-( pte=0x80000007062d0025


Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x21:0xc0329faa
stack pointer           = 0x29:0xe4b9bb10
frame pointer           = 0x29:0xe4b9bb24
code segment            = base 0x0, limit 0xf9800, type 0x1b
                        = DPL 1, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 726 (gstat)
[thread pid 726 tid 100051 ]
Stopped at      pmap_mapdev+0x25a:      movl    0x4(%ebx),%edx

Tracing pid 726 tid 100051 td 0xc3839d80
pmap_mapdev(c08be6cc,80,62d0025,80000007,0,...) at pmap_mapdev+0x25a
pmap_remove_all(e4b9bb90,7,0,2823d000,0,...) at pmap_remove_all+0x51e
pmap_remove(c3438288,2823f000,28242000,9,0,...) at pmap_remove+0x2a3
vm_map_delete(c34381d8,1000,bf800000,1,c34381d8,...) at vm_map_delete+0x189
vm_map_remove(c34381d8,1000,bf800000,c35b9540,0,...) at vm_map_remove+0x51
vmspace_exit(c3839d80,c381faa0,3,e4b9bc74,0,...) at vmspace_exit+0xbe
exit1(c3839d80,0,e4b9bd3c,c0334455,c3839d80,...) at exit1+0x663
sys_exit(c3839d80,e4b9bd08,4,c,c,...) at sys_exit+0x1d
syscall(e4b9bd48) at syscall+0x325
Xint0x80_syscall() at Xint0x80_syscall+0x22
--- syscall (1, FreeBSD ELF32, sys_exit), eip = 0x2818d0af, esp = 0xbf7fe9bc, ebp = 0xbf7fe9c8 ---

	I guess this is related to it mmapping /dev/devstat via geom_stats_*().
	procstat -v shows the address is indeed mapped:

  PID      START        END PRT  RES PRES REF SHD FL TP PATH
  822  0x8048000  0x804c000 r-x    4    0   1   0 CN vn /usr/sbin/gstat
  822  0x804c000  0x8100000 rw-    1    0   1   0 -- df 
  822 0x2804c000 0x2807c000 r-x   43    0  50  24 CN vn /libexec/ld-elf.so.1
  822 0x2807c000 0x2807e000 rw-    2    0   1   0 C- vn /libexec/ld-elf.so.1
  822 0x2807e000 0x28091000 rw-   13    0   1   0 -- df 
  822 0x28091000 0x28095000 r-x    4    5   2   1 CN vn /lib/libdevstat.so.7
  822 0x28095000 0x28096000 rw-    1    0   1   0 C- vn /lib/libdevstat.so.7
  822 0x28096000 0x2809e000 r-x    8    8   2   1 CN vn /lib/libkvm.so.5
  822 0x2809e000 0x2809f000 rw-    1    0   1   0 C- vn /lib/libkvm.so.5
  822 0x2809f000 0x280a3000 r-x    4    4   2   1 CN vn /lib/libgeom.so.5
  822 0x280a3000 0x280a4000 rw-    1    0   1   0 C- vn /lib/libgeom.so.5
  822 0x280a4000 0x280c1000 r-x   29   30   2   1 CN vn /lib/libbsdxml.so.4
  822 0x280c1000 0x280c3000 rw-    2    0   1   0 C- vn /lib/libbsdxml.so.4
  822 0x280c3000 0x280c5000 r-x    2    2   2   1 CN vn /lib/libsbuf.so.5
  822 0x280c5000 0x280c6000 rw-    1    0   1   0 C- vn /lib/libsbuf.so.5
  822 0x280c6000 0x280da000 r-x   20    0   6   3 CN vn /lib/libedit.so.7
  822 0x280da000 0x280db000 rw-    1    0   1   0 C- vn /lib/libedit.so.7
  822 0x280db000 0x28118000 r-x   60    0  10   5 CN vn /lib/libncurses.so.8
  822 0x28118000 0x2811b000 rw-    3    0   1   0 C- vn /lib/libncurses.so.8
  822 0x2811b000 0x28217000 r-x   98    0  50  24 CN vn /lib/libc.so.7
  822 0x28217000 0x2821d000 rw-    6    0   1   0 C- vn /lib/libc.so.7
  822 0x2821d000 0x28233000 rw-    7    0   1   0 -- df 
  822 0x28233000 0x2823c000 rw-    2    0   2   0 -- df 
  822 0x2823c000 0x2823d000 r--    0    0   3   0 -- dv 
  822 0x2823d000 0x2823f000 r--    0    0   3   0 -- dv 
==>  822 0x2823f000 0x28242000 r--    3    0   3   0 -- dv 
  822 0x28300000 0x28400000 rw-   49    0   2   0 -- df 
  822 0xbf7e0000 0xbf800000 rwx    5    0   1   0 -- df

	Adding a call to geom_stats_close() at the end of gstat.c results in
	kernel livelock; it responds to ping but nothing else.

	This problem seems to be well known, including being mentioned on
	the FreeBSD wiki, but I couldn't find an associated PR.

>How-To-Repeat:
	Run gstat under a PV Xen instance, quit.
>Fix:

	


>Release-Note:
>Audit-Trail:
>Unformatted: