Date: Sat, 25 Apr 2015 15:19:34 -0600
From: Scott Long <scott4long@yahoo.com>
To: Chagin Dmitry <dchagin@freebsd.org>
Cc: Scott Long <scottl@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r281942 - head/sys/vm
Message-ID: <99BAA5F2-AF62-426A-A79D-A0466B7B5E74@yahoo.com>
In-Reply-To: <20150425083030.GA3555@dchagin.static.corbina.net>
References: <201504241703.t3OH3rpr097920@svn.freebsd.org> <20150425083030.GA3555@dchagin.static.corbina.net>
> On Apr 25, 2015, at 2:30 AM, Chagin Dmitry <dchagin@freebsd.org> wrote:
>
> On Fri, Apr 24, 2015 at 05:03:53PM +0000, Scott Long wrote:
>> Author: scottl
>> Date: Fri Apr 24 17:03:53 2015
>> New Revision: 281942
>> URL: https://svnweb.freebsd.org/changeset/base/281942
>>
>> Log:
>>   Revert r281451. It causes a panic/hang early in boot for a number of
>>   users, myself included. The original code is likely papering over a
>>   larger bug that needs to be explored, but for now get things back to
>>   a working state.
>>
>>   Obtained from: Netflix, Inc.
>>   MFC after:     immediately
>>
> In my POV, at the vm_mem_init stage vm_map_init() calls
> uma_zcreate(), which uses uninitialized zones (which are initialized
> in uma_startup()). I bet the zones contain garbage.
>

I don’t follow. vm_mem_init() is called at SI_SUB_VM sysinit, and vm_map_init() is called much later at SI_SUB_INTRINSIC. vm_mem_init() calls uma_startup() almost immediately, which will then call zone_ctor() on the “kegs” and “zones” that were allocated from bss. I don’t think that they’re being used prior to that.

The problem that I see is that both of these zones are allocated statically, and contain no storage for the uz_cpu member when that member is declared as a zero-length array. All other zones are created dynamically and include space for these members. uma_startup() is initializing these zones at the right time, before their first use, but isn’t giving them enough room.

According to the stack trace I posted, the problem triggers in the second call to uma_zcreate() from uma_startup(). I think what happens is that the first call to uma_zcreate() winds up writing to the zero-length uz_cpu member of masterzone_z from inside of uma_zalloc_args(). This overwrites the adjacent “kegs” and “zones” pointers in the bss. The next call to uma_zcreate() then follows a path of trying to look in the kegs, and eventually blows up. I’m not entirely certain on this chain of events though as it’s a bit twisty inside of uma_zcreate() and I’m not sure I’ve found a link to where it calls uma_zalloc_args().

Scott
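The failure mode Scott describes above (a statically allocated object whose trailing zero-length uz_cpu array has no storage behind it, so writes land on neighbouring bss), as an added C illustration that is not part of this thread or of FreeBSD's UMA code; the struct layouts, field names and MAXCPU value are stand-ins, and the two mitigations shown (explicit static storage, dynamically sized allocation) are generic patterns, not the fix FreeBSD adopted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for UMA's per-CPU cache and zone structs. */
struct cpu_cache { uint64_t allocs, frees; };

struct zone {
    const char *uz_name;
    unsigned uz_ncpu_room;       /* how many uz_cpu slots really exist behind this object */
    struct cpu_cache uz_cpu[0];  /* zero-length array: contributes nothing to sizeof(struct zone) */
};

#define MAXCPU 4  /* constructed value */

/* The hazard: a static instance receives exactly sizeof(struct zone) bytes of bss, so
 * any store to uz_cpu[i] lands on whatever the linker placed after it. */
static struct zone masterzone_static = { "zones", 0 };

/* Mitigation 1: reserve the per-CPU slots explicitly, right behind the static header. */
static struct {
    struct zone z;
    struct cpu_cache cpu[MAXCPU];
} masterzone_storage = { { "zones", MAXCPU } };

/* Mitigation 2: size dynamic instances for the number of CPUs they must serve. */
size_t zone_bytes_for(unsigned ncpu) {
    return sizeof(struct zone) + (size_t)ncpu * sizeof(struct cpu_cache);
}

struct zone *zone_alloc(const char *name, unsigned ncpu) {
    struct zone *z = calloc(1, zone_bytes_for(ncpu));
    if (z != NULL) { z->uz_name = name; z->uz_ncpu_room = ncpu; }
    return z;
}

/* Bounds-checked accessor: refuse the slot instead of overrunning into adjacent memory. */
struct cpu_cache *zone_cpu(struct zone *z, unsigned cpu) {
    return (cpu < z->uz_ncpu_room) ? &z->uz_cpu[cpu] : NULL;
}

int zone_static_has_room(void) { return zone_cpu(&masterzone_static, 0) != NULL; }
struct zone *masterzone_with_room(void) { return &masterzone_storage.z; }

/* Round trip through a dynamically sized zone; returns 1 on success, 0 on any failure. */
int zone_dynamic_roundtrip(unsigned ncpu) {
    struct zone *z = zone_alloc("dyn", ncpu);
    int ok = z != NULL && zone_cpu(z, ncpu) == NULL;  /* one past the end is refused */
    if (ok && ncpu > 0) { zone_cpu(z, ncpu - 1)->allocs = 7; ok = zone_cpu(z, ncpu - 1)->allocs == 7; }
    free(z);
    return ok;
}
```

The static instance answers every uz_cpu lookup with NULL because its recorded room is zero, which is the check the real code lacked when it wrote through the zero-length member.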