From: tegge@not.trondheim.fast.no
Reply-To: tegge@not.trondheim.fast.no
To: FreeBSD-gnats-submit@freebsd.org
Date: Tue, 15 Aug 2000 02:15:28 +0200 (CEST)
Message-Id: <200008150015.e7F0FSR01013@not.trondheim.fast.no>
Subject: kern/20609: panic: vm_fault: fault on nofault entry, addr: cc4b3000

>Number: 20609
>Category: kern
>Synopsis: panic: vm_fault: fault on nofault entry, addr: cc4b3000
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 14 17:20:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Tor Egge
>Release: FreeBSD 5.0-CURRENT i386
>Organization: Fast Search & Transfer ASA
>Environment:
FreeBSD not.trondheim.fast.no 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Mon Aug 14 19:26:51 CEST 2000
root@not.trondheim.fast.no:/usr/src/sys/compile/NOT_SMP i386
>Description:
bfreekva() is supposed to be protected by splbio(), serializing calls to vm_map_delete(). But vm_map_delete() might block, causing the spl based serialization to fail.

#0 boot (howto=260) at ../../kern/kern_shutdown.c:303
#1 0xc0169ee5 in panic (fmt=0xc02acaf4 "from debugger") at ../../kern/kern_shutdown.c:553
#2 0xc0138d79 in db_panic (addr=-1071163028, have_addr=0, count=-1, modif=0xdce1e9c0 "") at ../../ddb/db_command.c:433
#3 0xc0138d19 in db_command (last_cmdp=0xc02e6dd4, cmd_table=0xc02e6c34, aux_cmd_tablep=0xc0307110) at ../../ddb/db_command.c:333
#4 0xc0138dde in db_command_loop () at ../../ddb/db_command.c:455
#5 0xc013afaf in db_trap (type=3, code=0) at ../../ddb/db_trap.c:71
#6 0xc02756b1 in kdb_trap (type=3, code=0, regs=0xdce1ead4) at ../../i386/i386/db_interface.c:158
#7 0xc028a31c in trap (frame={tf_fs = -1070530536, tf_es = -867500016, tf_ds = 16, tf_edi = -867487744, tf_esi = 256, tf_ebp = -589173988, tf_isp = -589174016, tf_ebx = -1070796192, tf_edx = -1, tf_ecx = 16777217, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1071163028, tf_cs = 8, tf_eflags = 582, tf_esp = -1070769885, tf_ss = -1070911022}) at ../../i386/i386/trap.c:583
#8 0xc027596c in Debugger (msg=0xc02b31d2 "panic") at machine/cpufunc.h:64
#9 0xc0169edc in panic (fmt=0xc02cf260 "vm_fault: fault on nofault entry, addr: %lx") at ../../kern/kern_shutdown.c:551
#10 0xc02577e0 in vm_fault (map=0xc031844c, vaddr=3427479552, fault_type=1 '\001', fault_flags=0) at ../../vm/vm_fault.c:240
#11 0xc028a686 in trap_pfault (frame=0xdce1ec60, usermode=0, eva=3427479780) at ../../i386/i386/trap.c:857
#12 0xc028a1ef in trap (frame={tf_fs = 24, tf_es = -882180080, tf_ds = -1072103408, tf_edi = -883516928, tf_esi = 62533, tf_ebp = -589173500, tf_isp = -589173620, tf_ebx = -57356, tf_edx = -867508224, tf_ecx = 0, tf_eax = 5177, tf_trapno = 12, tf_err = 0, tf_eip = -1071322559, tf_cs = 8, tf_eflags = 66050, tf_esp =
    -882193568, tf_ss = 2049081344}) at ../../i386/i386/trap.c:457
#13 0xc024ea41 in ufs_bmaparray (vp=0xdcb018c0, bn=62533, bnp=0xcb6acb68, ap=0x0, nump=0x0, runp=0x0, runb=0x0) at ../../ufs/ufs/ufs_bmap.c:224
#14 0xc024e778 in ufs_bmap (ap=0xdce1ed4c) at ../../ufs/ufs/ufs_bmap.c:83
#15 0xc025552d in ufs_vnoperate (ap=0xdce1ed4c) at ../../ufs/ufs/ufs_vnops.c:2301
#16 0xc0254f39 in ufs_strategy (ap=0xdce1edb0) at vnode_if.h:902
#17 0xc025552d in ufs_vnoperate (ap=0xdce1edb0) at ../../ufs/ufs/ufs_vnops.c:2301
#18 0xc0197790 in cluster_read (vp=0xdcb018c0, filesize=5242880000, lblkno=62534, size=32768, cred=0x0, totread=28160, seqcount=0, bpp=0xdce1ee44) at vnode_if.h:923
#19 0xc024cea6 in ffs_read (ap=0xdce1ee68) at ../../ufs/ufs/ufs_readwrite.c:266
#20 0xc01a3244 in vn_read (fp=0xc363b140, uio=0xdce1eed8, cred=0xc3699880, flags=1, p=0xdcda2ee0) at vnode_if.h:334
#21 0xc017b574 in dofileread (p=0xdcda2ee0, fp=0xc363b140, fd=3, buf=0x8163c00, nbyte=512, offset=2049108992, flags=1) at ../../sys/file.h:141
#22 0xc017b4b4 in pread (p=0xdcda2ee0, uap=0xdce1ef80) at ../../kern/sys_generic.c:136

(kgdb) proc 530
(kgdb) where
#0 mi_switch () at machine/globals.h:119
#1 0xc016cc89 in tsleep (ident=0xc033c298, priority=4, wmesg=0xc02d022b "vmwait", timo=0) at ../../kern/kern_synch.c:470
#2 0xc025f9ef in vm_wait () at ../../vm/vm_page.c:896
#3 0xc02601a9 in vm_page_grab (object=0xc03184e0, pindex=118847, allocflags=131) at ../../vm/vm_page.c:1479
#4 0xc0258e51 in kmem_alloc (map=0xc031844c, size=4096) at ../../vm/vm_kern.c:200
#5 0xc0262f5e in _zget (z=0xc0314ea0) at ../../vm/vm_zone.c:344
#6 0xc0262dd1 in zalloci (z=0xc0314ea0) at ../../vm/vm_zone.h:85
#7 0xc0259723 in vm_map_entry_create (map=0xc0318308) at ../../vm/vm_zone.h:117
#8 0xc0259e05 in _vm_map_clip_end (map=0xc0318308, entry=0xdcf30270, end=3468730368) at ../../vm/vm_map.c:853
#9 0xc025af0f in vm_map_delete (map=0xc0318308, start=3468713984, end=3468730368) at ../../vm/vm_map.c:1794
#10 0xc0192f9b in bfreekva
    (bp=0xcb690960) at ../../kern/vfs_bio.c:414
#11 0xc0194666 in getnewbuf (slpflag=0, slptimeo=0, size=32768, maxsize=32768) at ../../kern/vfs_bio.c:1630
#12 0xc01953f1 in getblk (vp=0xdcb018c0, blkno=139706, size=32768, slpflag=0, slptimeo=0) at ../../kern/vfs_bio.c:2220
#13 0xc0197416 in cluster_read (vp=0xdcb018c0, filesize=5242880000, lblkno=139706, size=32768, cred=0x0, totread=17408, seqcount=0, bpp=0xdcb8ee44) at ../../kern/vfs_cluster.c:120
#14 0xc024cea6 in ffs_read (ap=0xdcb8ee68) at ../../ufs/ufs/ufs_readwrite.c:266
#15 0xc01a3244 in vn_read (fp=0xc363b140, uio=0xdcb8eed8, cred=0xc3699880, flags=1, p=0xdcb1a260) at vnode_if.h:334
#16 0xc017b574 in dofileread (p=0xdcb1a260, fp=0xc363b140, fd=3, buf=0x814fe00, nbyte=512, offset=4577903104, flags=1) at ../../sys/file.h:141
#17 0xc017b4b4 in pread (p=0xdcb1a260, uap=0xdcb8ef80) at ../../kern/sys_generic.c:136

(kgdb) proc 529
(kgdb) where
#0 mi_switch () at machine/globals.h:119
#1 0xc016cc89 in tsleep (ident=0xcb5f0dc0, priority=16, wmesg=0xc02b65c9 "biord", timo=0) at ../../kern/kern_synch.c:470
#2 0xc0195b9b in bufwait (bp=0xcb5f0dc0) at ../../kern/vfs_bio.c:2620
#3 0xc01978c1 in cluster_read (vp=0xdcb018c0, filesize=5242880000, lblkno=131174, size=32768, cred=0x0, totread=13312, seqcount=0, bpp=0xdcb8ae44) at ../../kern/vfs_cluster.c:302
#4 0xc024cea6 in ffs_read (ap=0xdcb8ae68) at ../../ufs/ufs/ufs_readwrite.c:266
#5 0xc01a3244 in vn_read (fp=0xc363b140, uio=0xdcb8aed8, cred=0xc3699880, flags=1, p=0xdcb1a400) at vnode_if.h:334
#6 0xc017b574 in dofileread (p=0xdcb1a400, fp=0xc363b140, fd=3, buf=0x814fc00, nbyte=512, offset=4298289664, flags=1) at ../../sys/file.h:141
#7 0xc017b4b4 in pread (p=0xdcb1a400, uap=0xdcb8af80) at ../../kern/sys_generic.c:136
#8 0xc028ad95 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 512, tf_esi = 1, tf_ebp = -1115685468, tf_isp = -591876140, tf_ebx = 1498383852, tf_edx = 1, tf_ecx = 134520321, tf_eax = 198, tf_trapno = 7, tf_err = 2, tf_eip = 1498088260, tf_cs
    = 31, tf_eflags = 514, tf_esp = -1115685528, tf_ss = 47}) at ../../i386/i386/trap.c:1174
#9 0xc027608b in Xint0x80_syscall ()

(kgdb) proc 528
(kgdb) where
#0 mi_switch () at machine/globals.h:119
#1 0xc016cc89 in tsleep (ident=0xc033c298, priority=4, wmesg=0xc02d022b "vmwait", timo=0) at ../../kern/kern_synch.c:470
#2 0xc025f9ef in vm_wait () at ../../vm/vm_page.c:896
#3 0xc02601a9 in vm_page_grab (object=0xc03184e0, pindex=118885, allocflags=131) at ../../vm/vm_page.c:1479
#4 0xc0258e51 in kmem_alloc (map=0xc031844c, size=4096) at ../../vm/vm_kern.c:200
#5 0xc0262f5e in _zget (z=0xc0314ea0) at ../../vm/vm_zone.c:344
#6 0xc0262dd1 in zalloci (z=0xc0314ea0) at ../../vm/vm_zone.h:85
#7 0xc0259723 in vm_map_entry_create (map=0xc0318308) at ../../vm/vm_zone.h:117
#8 0xc0259d69 in _vm_map_clip_start (map=0xc0318308, entry=0xdcb41c60, start=3425099776) at ../../vm/vm_map.c:793
#9 0xc025aec7 in vm_map_delete (map=0xc0318308, start=3425099776, end=3425116160) at ../../vm/vm_map.c:1767
#10 0xc0192f9b in bfreekva (bp=0xcb558a20) at ../../kern/vfs_bio.c:414
#11 0xc0194666 in getnewbuf (slpflag=0, slptimeo=0, size=32768, maxsize=32768) at ../../kern/vfs_bio.c:1630
#12 0xc01953f1 in getblk (vp=0xdcb018c0, blkno=50567, size=32768, slpflag=0, slptimeo=0) at ../../kern/vfs_bio.c:2220
#13 0xc0197416 in cluster_read (vp=0xdcb018c0, filesize=5242880000, lblkno=50567, size=32768, cred=0x0, totread=6144, seqcount=0, bpp=0xdcb86e44) at ../../kern/vfs_cluster.c:120
#14 0xc024cea6 in ffs_read (ap=0xdcb86e68) at ../../ufs/ufs/ufs_readwrite.c:266
#15 0xc01a3244 in vn_read (fp=0xc363b140, uio=0xdcb86ed8, cred=0xc3699880, flags=1, p=0xdcb1a5a0) at vnode_if.h:334
#16 0xc017b574 in dofileread (p=0xdcb1a5a0, fp=0xc363b140, fd=3, buf=0x814fa00, nbyte=512, offset=1656985088, flags=1) at ../../sys/file.h:141
#17 0xc017b4b4 in pread (p=0xdcb1a5a0, uap=0xdcb86f80) at ../../kern/sys_generic.c:136
#18 0xc028ad95 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 512, tf_esi = 0, tf_ebp =
    -1113588316, tf_isp = -591892524, tf_ebx = 1498383852, tf_edx = 0, tf_ecx = 134520321, tf_eax = 198, tf_trapno = 7, tf_err = 2, tf_eip = 1498088260, tf_cs = 31, tf_eflags = 514, tf_esp = -1113588376, tf_ss = 47}) at ../../i386/i386/trap.c:1174
#19 0xc027608b in Xint0x80_syscall ()

>How-To-Repeat:
Start many parallel read operations for the first time on a system while having little free memory. Use a different file system block size on the partition used for the testing.

>Fix:
Alternative 1:
Obtain an exclusive lock for buffer_map in bfreekva before calling vm_map_delete(). Release it afterwards.
Obtain an exclusive lock on buffer_map before calling vm_map_findspace() from getnewbuf(). Release it after call to vm_map_insert().
Never call bfreekva() from interrupts.

Alternative 2:
Define buffer_map as a system map. This causes the nonblocking kmapent zone to be used for allocation of vm map entries for buffer_map.

>Release-Note:
>Audit-Trail:
>Unformatted:
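
The failure mode described in this report, as an added example that is not part of the original message and is not FreeBSD code: a small deterministic C model in which two tasks each run a three-step delete on one shared map. All names (`run`, `overlapping_deletes`, the `map` and `task` structs) are constructed for illustration; the model assumes a cooperative scheduler where a sleeping task lets the other one run, and it compares serialization by raised spl alone with an exclusive lock held across the sleep, as in Alternative 1.

```c
#include <stdbool.h>

/* Constructed model, not FreeBSD code: two tasks each run a three-step
 * "vm_map_delete" on one shared map under a cooperative scheduler.
 * In SPL_ONLY mode the raised spl masks interrupts, not other tasks. */
enum mode { SPL_ONLY, EXCLUSIVE_LOCK };
struct map  { int modifiers; bool locked; int overlaps; };
struct task { int pc; bool holds_lock; };

/* Run one task until it sleeps (false) or finishes (true). */
static bool run(struct task *t, struct map *m, enum mode mode, bool low_memory)
{
    if (t->pc == 0) {                 /* enter the critical section */
        if (mode == EXCLUSIVE_LOCK) {
            if (m->locked)
                return false;         /* sleep until the holder releases */
            m->locked = t->holds_lock = true;
        }
        if (m->modifiers++ > 0)
            m->overlaps++;            /* entered a half-modified map */
        t->pc = 1;
    }
    if (t->pc == 1) {                 /* clipping needs a new map entry */
        t->pc = 2;
        if (low_memory)
            return false;             /* allocation sleeps; others run */
    }
    m->modifiers--;                   /* pc == 2: finish and leave */
    if (t->holds_lock)
        m->locked = t->holds_lock = false;
    return true;
}

/* Round-robin both tasks to completion; count overlapping deletes. */
int overlapping_deletes(enum mode mode, bool low_memory)
{
    struct map m = {0, false, 0};
    struct task t[2] = {{0, false}, {0, false}};
    bool done[2] = {false, false};

    while (!done[0] || !done[1])
        for (int i = 0; i < 2; i++)
            if (!done[i])
                done[i] = run(&t[i], &m, mode, low_memory);
    return m.overlaps;
}
```

With `low_memory` false the spl-only mode never overlaps, which matches the report's note that the panic needs little free memory to reproduce.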