Bug 154227

Summary: [geli] using GELI leads to panic on ARM
Product: Base System Reporter: Michael Moll <mmoll>
Component: armAssignee: freebsd-arm (Nobody) <freebsd-arm>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Michael Moll freebsd_committer freebsd_triage 2011-01-22 21:10:08 UTC
When using a a drive encrypted with GELI, the following panic is very quickly 	 reproducible:
panic: vm_page_insert: offset already allocated
KDB: enter: panic
[ thread pid 953 tid 100056 ]
Stopped at      kdb_enter+0x48: ldrb    r15, [r15, r15, ror r15]!
db> bt
Tracing pid 953 tid 100056 td 0xc1a988a0
kdb_enter() at kdb_enter+0x14
scp=0xc0a06610 rlv=0xc09dc130 (panic+0xa0)
        rsp=0xc83baca0 rfp=0xc83bacb4
        r5=0xc0bce0b4 r4=0x00000100
panic() at panic+0x1c
scp=0xc09dc0ac rlv=0xc0b56498 (vm_page_insert+0x16c)
        rsp=0xc83bacc8 rfp=0xc83bace8
vm_page_insert() at vm_page_insert+0x10
scp=0xc0b5633c rlv=0xc0b566e8 (vm_page_alloc+0x240)
        rsp=0xc83bacec rfp=0xc83bad14
        r8=0x00001c18 r7=0x00000022
        r6=0x00000002 r5=0xc0d90e2c r4=0x00000000
vm_page_alloc() at vm_page_alloc+0x10
scp=0xc0b564b8 rlv=0xc0b49f5c (kmem_back+0x140)
        rsp=0xc83bad18 rfp=0xc83bad70
        r10=0x00000002 r9=0xc0d8408c
        r8=0x00007000 r7=0x00000022 r6=0x00000000 r5=0x00001c18
        r4=0xc0d90de0
kmem_back() at kmem_back+0x10
scp=0xc0b49e2c rlv=0xc0b4a52c (kmem_malloc+0x1c8)
        rsp=0xc83bad74 rfp=0xc83bada8
        r10=0xc83bad7c r9=0x00000002
        r8=0x0002a000 r7=0xc0d8408c r6=0x0002a000 r5=0xc1b5811c
        r4=0x00000002
kmem_malloc() at kmem_malloc+0x14
scp=0xc0b4a378 rlv=0xc0b433dc (uma_large_malloc+0x4c)
        rsp=0xc83badac rfp=0xc83badd4
        r10=0xc0c400f0 r9=0xc186ac00
        r8=0x00000200 r7=0xc0c59a90 r6=0x0002a000 r5=0xc1b5811c
        r4=0x00000002
uma_large_malloc() at uma_large_malloc+0x10
scp=0xc0b433a0 rlv=0xc09cc4a8 (malloc+0xcc)
        rsp=0xc83badd8 rfp=0xc83badf4
        r7=0x00000002 r6=0xc0c1cf98
        r5=0x00000100 r4=0x0002a000
malloc() at malloc+0x14
scp=0xc09cc3f0 rlv=0xc0987a50 (g_eli_crypto_run+0xbc)
        rsp=0xc83badf8 rfp=0xc83bae50
        r7=0xc1865da0 r6=0xc186ae28
        r5=0x00000100 r4=0xc194bbd0
g_eli_crypto_run() at g_eli_crypto_run+0x10
scp=0xc09879a4 rlv=0xc0980bcc (g_eli_create+0xf98)
        rsp=0xc83bae54 rfp=0xc83bae80
        r10=0xc0c400f0 r9=0xc186ae3c
        r8=0xc186ae14 r7=0xc1865da0 r6=0xc186ae28 r5=0xc186ac00
        r4=0xc194bbd0
g_eli_create() at g_eli_create+0xc18
scp=0xc098084c rlv=0xc09b7e00 (fork_exit+0x64)
        rsp=0xc83bae84 rfp=0xc83baea8
        r10=0xc098083c r9=0xc0c657c0
        r8=0xc1865da0 r7=0xc1a93000 r6=0xc83baeac r5=0xc0c657c0
        r4=0xc1a988a0
fork_exit() at fork_exit+0x10
scp=0xc09b7dac rlv=0xc0b74c90 (fork_trampoline+0x14)
        rsp=0xc83baeac rfp=0x00000000
        r10=0xffffffff r8=0x00000104
        r7=0xc0b67aac r6=0xc83baeac r5=0xc1865da0 r4=0xc098083c

How-To-Repeat: dd if=/dev/zero of=/GELImountpoint/whatever leads always to this panic on my machine (Seagate Dockstar).
Comment 1 dfilter service freebsd_committer freebsd_triage 2012-02-29 12:44:47 UTC
Author: cognet
Date: Wed Feb 29 12:44:34 2012
New Revision: 232295
URL: http://svn.freebsd.org/changeset/base/232295

Log:
  Make sure we do not provide the page 0 to the VM. It can't handle it properly,
  because pmap_extract() returns 0 when there's no mapping.
  
  PR:		arm/154227
  MFC after:	1 week

Modified:
  head/sys/arm/mv/mv_machdep.c
  head/sys/arm/xscale/i8134x/crb_machdep.c

Modified: head/sys/arm/mv/mv_machdep.c
==============================================================================
--- head/sys/arm/mv/mv_machdep.c	Wed Feb 29 12:13:05 2012	(r232294)
+++ head/sys/arm/mv/mv_machdep.c	Wed Feb 29 12:44:34 2012	(r232295)
@@ -287,9 +287,19 @@ physmap_init(void)
 		    availmem_regions[i].mr_start + availmem_regions[i].mr_size,
 		    availmem_regions[i].mr_size);
 
-		phys_avail[j] = availmem_regions[i].mr_start;
-		phys_avail[j + 1] = availmem_regions[i].mr_start +
-		    availmem_regions[i].mr_size;
+		/* 
+		 * We should not map the page at PA 0x0000000, the VM can't
+		 * handle it, as pmap_extract() == 0 means failure.
+		 */
+		if (availmem_regions[i].mr_start > 0 ||
+		    availmem_regions[i].mr_size > PAGE_SIZE) {
+			phys_avail[j] = availmem_regions[i].mr_start;
+			if (phys_avail[j] == 0)
+				phys_avail[j] += PAGE_SIZE;
+			phys_avail[j + 1] = availmem_regions[i].mr_start +
+			    availmem_regions[i].mr_size;
+		} else
+			j -= 2;
 	}
 	phys_avail[j] = 0;
 	phys_avail[j + 1] = 0;

Modified: head/sys/arm/xscale/i8134x/crb_machdep.c
==============================================================================
--- head/sys/arm/xscale/i8134x/crb_machdep.c	Wed Feb 29 12:13:05 2012	(r232294)
+++ head/sys/arm/xscale/i8134x/crb_machdep.c	Wed Feb 29 12:44:34 2012	(r232295)
@@ -381,8 +381,8 @@ initarm(void *arg, void *arg2)
 	
 	i = 0;
 #ifdef ARM_USE_SMALL_ALLOC
-	phys_avail[i++] = 0x00000000;
-	phys_avail[i++] = 0x00001000; 	/*
+	phys_avail[i++] = 0x00001000;
+	phys_avail[i++] = 0x00002000; 	/*
 					 *XXX: Gross hack to get our
 					 * pages in the vm_page_array
 					 . */
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 2 Michael Moll freebsd_committer freebsd_triage 2014-10-27 13:47:41 UTC
I suppose that's fixed. closing.