| Summary: | Panic (vm_page_assert_xbusied: page 0xfffffe0001beaed8 busy_lock 0xfffffffe not owned by me) | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Graham Perrin <grahamperrin> |
| Component: | kern | Assignee: | Mark Johnston <markj> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | CC: | markj |
| Priority: | --- | Keywords: | crash |
| Version: | 15.0-CURRENT | | |
| Hardware: | Any | | |
| OS: | Any | | |
| URL: | https://github.com/freebsd/freebsd-src/blob/07bc20e4740d09f554c3787bb1940fc503300822/sys/vm/vm_page.c#L1173-L1183 | | |
| See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272403 | | |
Description
Graham Perrin
2023-09-07 06:07:11 UTC
Duplicate of bug 272403?

Do you still have the kernel dump available? It would be useful to see the output of

    (kgdb) p *(vm_page_t)0xfffffe0001beaed8

*** Bug 272403 has been marked as a duplicate of this bug. ***

I suspect that this would be fixed by https://reviews.freebsd.org/D42029

(In reply to Mark Johnston from comment #2)

    root@mowa219-gjp4-8570p-freebsd:~ # kgdb -c /var/crash/vmcore.1
    kgdb: couldn't find a suitable kernel image
    root@mowa219-gjp4-8570p-freebsd:~ #

I guess, the command will succeed if I temporarily boot either of the two boot environments that were indicated in opening comment 0. True?

(In reply to Graham Perrin from comment #5)

I'd guess so. But you don't really need to boot them, you can just mount the BE somewhere and either point kgdb at the kernel, or chroot into the BE.

At this point though I think it's not necessary anymore, I found a bug which can cause this panic.

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=e61568aeeec7667789e6c9d4837e074edecc990e

commit e61568aeeec7667789e6c9d4837e074edecc990e
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-10-02 11:49:27 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-10-02 11:49:52 +0000

    swap_pager: Fix a race in swap_pager_swapoff_object()

    When we disable swapping to a device, we scan the full VM object list
    looking for objects with swap trie nodes that reference the device in
    question. The pages corresponding to those nodes are paged in.

    While paging in, we drop the VM object lock. Moreover, we do not hold a
    reference for the object; swap_pager_swapoff_object() merely bumps the
    paging-in-progress counter. vm_object_terminate() waits for this counter
    to drain before proceeding and freeing pages.

    However, swap_pager_swapoff_object() decrements the counter before
    re-acquiring the VM object lock, which means that vm_object_terminate()
    can race to acquire the lock and free the pages. Then,
    swap_pager_swapoff_object() ends up unbusying a freed page. Fix the
    problem by acquiring the lock before waking up sleepers.

    PR: 273610
    Reported by: Graham Perrin <grahamperrin@gmail.com>
    Reviewed by: kib
    MFC after: 1 week
    Differential Revision: https://reviews.freebsd.org/D42029

 sys/vm/swap_pager.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=aa229a59adeaf49517183c8117a239e2b68012f5

commit aa229a59adeaf49517183c8117a239e2b68012f5
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-10-02 11:49:27 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-10-09 00:41:35 +0000

    swap_pager: Fix a race in swap_pager_swapoff_object()

    When we disable swapping to a device, we scan the full VM object list
    looking for objects with swap trie nodes that reference the device in
    question. The pages corresponding to those nodes are paged in.

    While paging in, we drop the VM object lock. Moreover, we do not hold a
    reference for the object; swap_pager_swapoff_object() merely bumps the
    paging-in-progress counter. vm_object_terminate() waits for this counter
    to drain before proceeding and freeing pages.

    However, swap_pager_swapoff_object() decrements the counter before
    re-acquiring the VM object lock, which means that vm_object_terminate()
    can race to acquire the lock and free the pages. Then,
    swap_pager_swapoff_object() ends up unbusying a freed page. Fix the
    problem by acquiring the lock before waking up sleepers.

    PR: 273610
    Reported by: Graham Perrin <grahamperrin@gmail.com>
    Reviewed by: kib
    MFC after: 1 week
    Differential Revision: https://reviews.freebsd.org/D42029

    (cherry picked from commit e61568aeeec7667789e6c9d4837e074edecc990e)

 sys/vm/swap_pager.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d8cb6c173417f47b2337c12ab662a13c6e147789

commit d8cb6c173417f47b2337c12ab662a13c6e147789
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-10-02 11:49:27 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-10-09 00:42:30 +0000

    swap_pager: Fix a race in swap_pager_swapoff_object()

    When we disable swapping to a device, we scan the full VM object list
    looking for objects with swap trie nodes that reference the device in
    question. The pages corresponding to those nodes are paged in.

    While paging in, we drop the VM object lock. Moreover, we do not hold a
    reference for the object; swap_pager_swapoff_object() merely bumps the
    paging-in-progress counter. vm_object_terminate() waits for this counter
    to drain before proceeding and freeing pages.

    However, swap_pager_swapoff_object() decrements the counter before
    re-acquiring the VM object lock, which means that vm_object_terminate()
    can race to acquire the lock and free the pages. Then,
    swap_pager_swapoff_object() ends up unbusying a freed page. Fix the
    problem by acquiring the lock before waking up sleepers.

    PR: 273610
    Reported by: Graham Perrin <grahamperrin@gmail.com>
    Reviewed by: kib
    MFC after: 1 week
    Differential Revision: https://reviews.freebsd.org/D42029

    (cherry picked from commit e61568aeeec7667789e6c9d4837e074edecc990e)

 sys/vm/swap_pager.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=6f35c2380737fbef590ed48ed0669eebd1656287

commit 6f35c2380737fbef590ed48ed0669eebd1656287
Author: Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2023-10-02 11:49:27 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2023-10-09 18:07:02 +0000

    swap_pager: Fix a race in swap_pager_swapoff_object()

    When we disable swapping to a device, we scan the full VM object list
    looking for objects with swap trie nodes that reference the device in
    question. The pages corresponding to those nodes are paged in.

    While paging in, we drop the VM object lock. Moreover, we do not hold a
    reference for the object; swap_pager_swapoff_object() merely bumps the
    paging-in-progress counter. vm_object_terminate() waits for this counter
    to drain before proceeding and freeing pages.

    However, swap_pager_swapoff_object() decrements the counter before
    re-acquiring the VM object lock, which means that vm_object_terminate()
    can race to acquire the lock and free the pages. Then,
    swap_pager_swapoff_object() ends up unbusying a freed page. Fix the
    problem by acquiring the lock before waking up sleepers.

    Approved by: re (gjb)
    PR: 273610
    Reported by: Graham Perrin <grahamperrin@gmail.com>
    Reviewed by: kib
    MFC after: 1 week
    Differential Revision: https://reviews.freebsd.org/D42029

    (cherry picked from commit e61568aeeec7667789e6c9d4837e074edecc990e)
    (cherry picked from commit aa229a59adeaf49517183c8117a239e2b68012f5)

 sys/vm/swap_pager.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
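
The ordering problem described in the commit message can be checked with a small model. This is an added example, not FreeBSD source and not part of the bug report: it reduces the two code paths to four abstract steps each (the step names, `race_reachable()` and the single-page state are assumptions of the model) and searches every interleaving for a schedule in which a freed page is unbusied.

```c
#include <stdbool.h>
#include <stdio.h>

/* Abstract steps; names are hypothetical, chosen to mirror the commit message. */
enum step { PIP_WAKEUP, LOCK, UNBUSY, FREE_PAGES, UNLOCK, WAIT_PIP };
#define NSTEPS 4

/* pip: paging-in-progress count; owner: object lock holder (-1 = free). */
struct state { int pip; int owner; bool freed; int pc[2]; };

/* Thread 0: tail of the swapoff path after page-in, lock currently dropped. */
static const enum step swapoff_buggy[] = { PIP_WAKEUP, LOCK, UNBUSY, UNLOCK };
static const enum step swapoff_fixed[] = { LOCK, PIP_WAKEUP, UNBUSY, UNLOCK };
/* Thread 1: object teardown, which waits for pip to drain before freeing. */
static const enum step terminate_prog[] = { WAIT_PIP, LOCK, FREE_PAGES, UNLOCK };

/* Depth-first search over all schedules; true if UNBUSY can hit a freed page. */
static bool explore(struct state s, const enum step *prog[2])
{
    for (int t = 0; t < 2; t++) {
        if (s.pc[t] == NSTEPS)
            continue;
        struct state n = s;
        switch (prog[t][s.pc[t]]) {
        case WAIT_PIP:   if (s.pip != 0) continue; break;      /* still sleeping */
        case LOCK:       if (s.owner != -1) continue; n.owner = t; break;
        case UNLOCK:     n.owner = -1; break;
        case PIP_WAKEUP: n.pip--; break;
        case FREE_PAGES: n.freed = true; break;
        case UNBUSY:     if (s.freed) return true; break;      /* use after free */
        }
        n.pc[t]++;
        if (explore(n, prog))
            return true;
    }
    return false;
}

/* fixed=false models "decrement, then lock"; fixed=true models "lock, then wake". */
bool race_reachable(bool fixed)
{
    const enum step *prog[2] = { fixed ? swapoff_fixed : swapoff_buggy, terminate_prog };
    struct state init = { .pip = 1, .owner = -1, .freed = false, .pc = { 0, 0 } };
    return explore(init, prog);
}

int main(void)
{
    printf("buggy order reachable: %d\n", race_reachable(false));
    printf("fixed order reachable: %d\n", race_reachable(true));
    return 0;
}
```

In the fixed ordering the teardown thread can only pass its wait while the swapoff thread already holds the lock, so it cannot free the page until after the unbusy and unlock.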