Date:      Mon, 10 Mar 2014 17:46:06 +0200
From:      Konstantin Belousov <kostikbel@gmail.com>
To:        Glen Barber <gjb@FreeBSD.org>
Cc:        freebsd-current@FreeBSD.org
Subject:   Re: panic: vm_fault: fault on nofault entry
Message-ID:  <20140310154606.GQ24664@kib.kiev.ua>
In-Reply-To: <20140309181657.GI1776@glenbarber.us>
References:  <20140309165648.GF1776@glenbarber.us> <20140309180132.GO24664@kib.kiev.ua> <20140309181657.GI1776@glenbarber.us>


--dxnEAhtYrSdC5MGx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Mar 09, 2014 at 02:16:57PM -0400, Glen Barber wrote:
> panic: vm_fault: fault on nofault entry, addr: fffffe03becbc000

I see, this panic is for access to the kernel map, not for the direct map.
I think that this is a race with other CPU unmapping some page in the
kernel map, which cannot be solved by access checks.

Please try the following.  I booted with the patch and checked that
kgdb /boot/kernel/kernel /dev/mem works, but did not try to reproduce
the issue.

diff --git a/sys/amd64/amd64/mem.c b/sys/amd64/amd64/mem.c
index abbbb21..5a4d8a9 100644
--- a/sys/amd64/amd64/mem.c
+++ b/sys/amd64/amd64/mem.c
@@ -76,14 +76,16 @@ MALLOC_DEFINE(M_MEMDESC, "memdesc", "memory range descr=
iptors");
 int
 memrw(struct cdev *dev, struct uio *uio, int flags)
 {
-	int o;
-	u_long c =3D 0, v;
 	struct iovec *iov;
-	int error =3D 0;
+	u_long c, v;
+	int error, o, sflags;
 	vm_offset_t addr, eaddr;
=20
 	GIANT_REQUIRED;
=20
+	error =3D 0;
+	c =3D 0;
+	sflags =3D curthread_pflags_set(TDP_DEVMEMIO);
 	while (uio->uio_resid > 0 && error =3D=3D 0) {
 		iov =3D uio->uio_iov;
 		if (iov->iov_len =3D=3D 0) {
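Review bot: The new `sflags = curthread_pflags_set(TDP_DEVMEMIO);` line carries the whole fix, yet nothing in memrw() says what the flag is for; a comment pointing at the fault path would help, e.g. `/* Let vm_fault()/trap() fail the access instead of panicking if a kernel page we touch is unmapped concurrently; cleared at ret. */`. Because the flag is only cleared at the `ret` label in the last hunk of this file, every exit from memrw() must reach it, so any `return` remaining in the lines between this hunk and the next (not shown) would leave TDP_DEVMEMIO set on the thread after the syscall completes; worth checking. memrw() starts in this hunk but its body continues past it.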
@@ -98,7 +100,15 @@ memrw(struct cdev *dev, struct uio *uio, int flags)
 kmemphys:
 			o =3D v & PAGE_MASK;
 			c =3D min(uio->uio_resid, (u_int)(PAGE_SIZE - o));
-			error =3D uiomove((void *)PHYS_TO_DMAP(v), (int)c, uio);
+			v =3D PHYS_TO_DMAP(v);
+			if (v < DMAP_MIN_ADDRESS ||
+			    (v > DMAP_MIN_ADDRESS + dmaplimit &&
+			    v <=3D DMAP_MAX_ADDRESS) ||
+			    pmap_kextract(v) =3D=3D 0) {
+				error =3D EFAULT;
+				goto ret;
+			}
+			error =3D uiomove((void *)v, (int)c, uio);
 			continue;
 		}
 		else if (dev2unit(dev) =3D=3D CDEV_MINOR_KMEM) {
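Review bot: The range test on the direct-map address does not reject a value above DMAP_MAX_ADDRESS: the middle clause only fires while `v <= DMAP_MAX_ADDRESS`, so a physical offset whose PHYS_TO_DMAP() result lands past the direct map is accepted whenever `pmap_kextract(v)` is non-zero, which appears to let the physical-memory device reach mapped kernel virtual addresses. If that is not intended, dropping the conjunct confines the path to the direct map: `(v > DMAP_MIN_ADDRESS + dmaplimit) ||`; if it is intended, a comment saying why addresses beyond the direct map are deferred to pmap_kextract() would save the next reader the same question. Either way the three-clause condition deserves a short comment such as `/* reject wrapped, beyond-dmaplimit and unmapped DMAP addresses */`, since the first clause presumably guards against the addition wrapping. memrw() starts and ends outside this hunk.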
@@ -119,22 +129,30 @@ kmemphys:
 			addr =3D trunc_page(v);
 			eaddr =3D round_page(v + c);
=20
-			if (addr < VM_MIN_KERNEL_ADDRESS)
-				return (EFAULT);
-			for (; addr < eaddr; addr +=3D PAGE_SIZE)=20
-				if (pmap_extract(kernel_pmap, addr) =3D=3D 0)
-					return (EFAULT);
-
+			if (addr < VM_MIN_KERNEL_ADDRESS) {
+				error =3D EFAULT;
+				goto ret;
+			}
+			for (; addr < eaddr; addr +=3D PAGE_SIZE) {
+				if (pmap_extract(kernel_pmap, addr) =3D=3D 0) {
+					error =3D EFAULT;
+					goto ret;
+				}
+			}
 			if (!kernacc((caddr_t)(long)v, c,
 			    uio->uio_rw =3D=3D UIO_READ ?=20
-			    VM_PROT_READ : VM_PROT_WRITE))
-				return (EFAULT);
+			    VM_PROT_READ : VM_PROT_WRITE)) {
+				error =3D EFAULT;
+				goto ret;
+			}
=20
 			error =3D uiomove((caddr_t)(long)v, (int)c, uio);
 			continue;
 		}
 		/* else panic! */
 	}
+ret:
+	curthread_pflags_restore(sflags);
 	return (error);
 }
=20
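Review bot: The pmap_extract() loop and the kernacc() test are kept as they were, but the cover letter explains that the panic comes from a concurrent unmap between these checks and uiomove(), a window the checks cannot close; with TDP_DEVMEMIO set they are now only a first filter and the fault path does the real work. A comment above the `for` would record that so nobody later tries to close the race by strengthening the checks: `/* Best-effort checks only; a page unmapped after this point is caught in vm_fault() via TDP_DEVMEMIO and the access fails. */`. The `ret:` label also deserves one line, `/* Every exit passes here so TDP_DEVMEMIO is always cleared. */`. memrw() starts in an earlier hunk.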
diff --git a/sys/amd64/amd64/trap.c b/sys/amd64/amd64/trap.c
index f7d0afd..b1cbdbc 100644
--- a/sys/amd64/amd64/trap.c
+++ b/sys/amd64/amd64/trap.c
@@ -787,6 +787,12 @@ nogo:
 			frame->tf_rip =3D (long)curpcb->pcb_onfault;
 			return (0);
 		}
+		if ((td->td_pflags & TDP_DEVMEMIO) !=3D 0) {
+			KASSERT(curpcb->pcb_onfault !=3D NULL,
+			    ("/dev/mem without pcb_onfault"));
+			frame->tf_rip =3D (long)curpcb->pcb_onfault;
+			return (0);
+		}
 		trap_fatal(frame, eva);
 		return (-1);
 	}
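Review bot: In the added TDP_DEVMEMIO branch a NULL `pcb_onfault` is only caught by KASSERT, so on a kernel built without INVARIANTS `frame->tf_rip` is set to 0 and the trap is reported as handled instead of reaching trap_fatal(); making the NULL test part of the condition keeps the fatal path reachable: `if ((td->td_pflags & TDP_DEVMEMIO) != 0 && curpcb->pcb_onfault != NULL) {`. The branch also seems to differ from the preceding onfault block, whose condition is above the hunk, only in what it requires, so a one-line comment on why a separate branch is needed would help. The enclosing function starts and ends outside the hunk.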
diff --git a/sys/sys/proc.h b/sys/sys/proc.h
index fce1f8a..e7cd022 100644
--- a/sys/sys/proc.h
+++ b/sys/sys/proc.h
@@ -424,6 +424,7 @@ do {									\
 #define	TDP_RESETSPUR	0x04000000 /* Reset spurious page fault history. */
 #define	TDP_NERRNO	0x08000000 /* Last errno is already in td_errno */
 #define	TDP_UIOHELD	0x10000000 /* Current uio has pages held in td_ma */
+#define	TDP_DEVMEMIO	0x20000000 /* Accessing memory for /dev/mem */
=20
 /*
  * Reasons that the current thread can not be run yet.
diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
index 4a6495f..023860c 100644
--- a/sys/vm/vm_fault.c
+++ b/sys/vm/vm_fault.c
@@ -269,6 +269,8 @@ RetryFault:;
 	map_generation =3D fs.map->timestamp;
=20
 	if (fs.entry->eflags & MAP_ENTRY_NOFAULT) {
+		if ((curthread->td_pflags & TDP_DEVMEMIO) !=3D 0)
+			return (KERN_FAILURE);
 		panic("vm_fault: fault on nofault entry, addr: %lx",
 		    (u_long)vaddr);
 	}
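Review bot: The new early `return (KERN_FAILURE)` leaves the map lock held: if vm_map_lookup(), just above this hunk, returned with fs.map read-locked as it normally does, the other failure returns in vm_fault() release it and this one does not, so the thread would return to memrw() still holding the read lock on the kernel map. Release it before returning: `if ((curthread->td_pflags & TDP_DEVMEMIO) != 0) {` / `vm_map_unlock_read(fs.map);` / `return (KERN_FAILURE);` followed by the closing brace. A one-line comment on the branch, `/* /dev/mem access raced with an unmap; let the caller fail it instead of panicking. */`, would also explain the exception to the panic. vm_fault() starts and ends outside this hunk.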

--dxnEAhtYrSdC5MGx
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
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=deJU
-----END PGP SIGNATURE-----

--dxnEAhtYrSdC5MGx--


