Hi, I've found an issue with a FreeBSD VM: VirtualBox crashes 11.1-BETA1 on my laptop. This is a reproducible issue; I have several vmcores, so it's possible to analyze them. Here is the latest one:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x5a
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80d6cf60
stack pointer = 0x28:0xfffffe011a576430
frame pointer = 0x28:0xfffffe011a5764a0
code segment = base rx0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 1359 (VirtualBox)
trap number = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80aad9c7 at kdb_backtrace+0x67
#1 0xffffffff80a6baf6 at vpanic+0x186
#2 0xffffffff80a6b963 at panic+0x43
#3 0xffffffff80ede7a2 at trap_fatal+0x322
#4 0xffffffff80ede7f9 at trap_pfault+0x49
#5 0xffffffff80ede036 at trap+0x286
#6 0xffffffff80ec2c81 at calltrap+0x8
#7 0xffffffff826bab04 at rtR0MemObjFreeBSDPhysAllocHelper+0x94
#8 0xffffffff826ba212 at rtR0MemObjFreeBSDAllocPhysPages+0x72
#9 0xffffffff826ba18b at rtR0MemObjNativeAllocPhys+0x2b
#10 0xffffffff827879c7 at linprocfs_doprocstat.ratelimit+0xa87b
#11 0xffffffff827a5444 at linprocfs_doprocstat.ratelimit+0x282f8
#12 0xffffffff827a8735 at linprocfs_doprocstat.ratelimit+0x2b5e9
#13 0xffffffff8269538c at supdrvIOCtlInnerUnrestricted+0x114c
#14 0xffffffff826a2d63 at VBoxDrvFreeBSDIOCtl+0x1a3
#15 0xffffffff8093ad98 at devfs_ioctl_f+0x128
#16 0xffffffff80ac9315 at kern_ioctl+0x255
#17 0xffffffff80ac904f at sys_ioctl+0x16f
Uptime: 42m55s
...

(kgdb) list *0xffffffff80d6cf60
0xffffffff80d6cf60 is in vm_page_alloc_contig (/usr/src/sys/vm/vm
1767 boundary))
1768 goto retry;
1769 #endif
1770 }
1771 for (m = m_ret; m < &m_ret[npages]; m++)
1772 if ((m->flags & PG_ZERO) != 0)
1773 vm_page_zero_count--;
1774 mtx_unlock(&vm_page_queue_free_mtx);
1775 if (m_ret == NULL)
1776 return (NULL);
(kgdb) backtrace
#0 doadump (textdump=<value optimized out>) at pcpu.h:222
#1 0xffffffff80a6b671 in kern_reboot (howto=260) at /usr/src/sys
#2 0xffffffff80a6bb30 in vpanic (fmt=<value optimized out>, ap=<
#3 0xffffffff80a6b963 in panic (fmt=<value optimized out>) at /u
#4 0xffffffff80ede7a2 in trap_fatal (frame=0xfffffe011a576370, e
#5 0xffffffff80ede7f9 in trap_pfault (frame=0xfffffe011a576370,
#6 0xffffffff80ede036 in trap (frame=0xfffffe011a576370) at /usr
#7 0xffffffff80ec2c81 in calltrap () at /usr/src/sys/amd64/amd64
#8 0xffffffff80d6cf60 in vm_page_alloc_contig (object=<value opt
high=18446744073709551615, alignment=2097152, boundary=0, mem
#9 0xffffffff826bab04 in rtR0MemObjFreeBSDPhysAllocHelper () fro
#10 0xffffffff826ba212 in rtR0MemObjFreeBSDAllocPhysPages () from
#11 0xffffffff826ba18b in rtR0MemObjNativeAllocPhys () from /boot
#12 0xffffffff827879c7 in ?? ()
#13 0x0000000000000000 in ?? ()

There were a couple of changes in this area:
o) https://svnweb.freebsd.org/base?view=revision&revision=318716
o) https://svnweb.freebsd.org/base?view=revision&revision=315474
Please see https://svnweb.freebsd.org/base/stable/11/sys/vm/vm_page.c?view=log for details.
Also, there was a suggestion from Glen Barber to build emulators/virtualbox-ose from the ports tree, so when I tried to do so I got another error during the build:

ld: Compiling VBoxVNCMain - /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/VBox/ExtPacks/VNC/VBoxVNCMain.cpp
kBuild: Compiling VBoxVNC - /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/VBox/ExtPacks/VNC/VBoxVNC.cpp
kBuild: Compiling VBoxRemPrimary - /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/VBoxRecompiler.c
kBuild: Compiling VBoxRemPrimary - /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/cpu-exec.c
kBuild: Compiling VBoxRemPrimary - /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/exec.c
In file included from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include/iprt/types.h:179:0,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include/iprt/log.h:30,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include/VBox/log.h:36,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/Sun/crt/stdio.h:25,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/VBoxRecompiler.c:34:
/usr/local/lib/gcc5/gcc/x86_64-portbld-freebsd11.0/5.4.0/include-fixed/sys/types.h:266:9: error: unknown type name '__vm_ooffset_t'
 typedef __vm_ooffset_t vm_ooffset_t;
         ^
/usr/local/lib/gcc5/gcc/x86_64-portbld-freebsd11.0/5.4.0/include-fixed/sys/types.h:268:9: error: unknown type name '__vm_pindex_t'
 typedef __vm_pindex_t vm_pindex_t;
         ^
In file included from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include/iprt/types.h:179:0,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include/iprt/log.h:30,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include/VBox/log.h:36,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/Sun/crt/stdio.h:25,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/dyngen-exec.h:70,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/target-i386/exec.h:30,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/cpu-exec.c:30:
/usr/local/lib/gcc5/gcc/x86_64-portbld-freebsd11.0/5.4.0/include-fixed/sys/types.h:266:9: error: unknown type name '__vm_ooffset_t'
 typedef __vm_ooffset_t vm_ooffset_t;
         ^
/usr/local/lib/gcc5/gcc/x86_64-portbld-freebsd11.0/5.4.0/include-fixed/sys/types.h:268:9: error: unknown type name '__vm_pindex_t'
 typedef __vm_pindex_t vm_pindex_t;
         ^
In file included from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include/iprt/types.h:179:0,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include/iprt/log.h:30,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include/VBox/log.h:36,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/Sun/crt/stdio.h:25,
                 from /usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/exec.c:46:
/usr/local/lib/gcc5/gcc/x86_64-portbld-freebsd11.0/5.4.0/include-fixed/sys/types.h:266:9: error: unknown type name '__vm_ooffset_t'
 typedef __vm_ooffset_t vm_ooffset_t;
         ^
/usr/local/lib/gcc5/gcc/x86_64-portbld-freebsd11.0/5.4.0/include-fixed/sys/types.h:268:9: error: unknown type name '__vm_pindex_t'
 typedef __vm_pindex_t vm_pindex_t;
         ^
kmk: *** [/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/out/freebsd.amd64/release/obj/VBoxRemPrimary/cpu-exec.o] Error 1
The failing command:
@gcc5 -c -O2 -g -pipe -O2 -mtune=generic -fno-omit-frame-pointer -fno-strict-aliasing -fvisibility=hidden -DVBOX_HAVE_VISIBILITY_HIDDEN -DRT_USE_VISIBILITY_DEFAULT -fPIC -Wno-sign-compare -Werror-implicit-function-declaration -m64 -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/Sun/crt -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/Sun -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/target-i386 -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/tcg -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/fpu -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/out/freebsd.amd64/release/obj/VBoxRemPrimary -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/VBox/VMM/include -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/tcg/i386 -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler -I/usr/local/include -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/out/freebsd.amd64/release/obj/VBoxRemPrimary/dtrace -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/include -I/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/out/freebsd.amd64/release -DVBOX -DVBOX_OSE -DVBOX_WITH_64_BITS_GUESTS +-DVBOX_WITH_REM -DVBOX_WITH_RAW_MODE -DRT_OS_FREEBSD -D__FREEBSD__ -DRT_ARCH_AMD64 -D__AMD64__ -DVBOX_WITH_DEBUGGER +-DVBOX_WITH_HARDENING -DRTPATH_APP_PRIVATE=\"/usr/local/share/virtualbox-ose\" +-DRTPATH_APP_PRIVATE_ARCH=\"/usr/local/lib/virtualbox\" -DRTPATH_SHARED_LIBS=\"/usr/local/lib/virtualbox\" +-DRTPATH_APP_DOCS=\"/usr/local/share/doc/virtualbox-ose\" -DIN_RING3 -DHC_ARCH_BITS=64 -DGC_ARCH_BITS=64 -DPIC -DIN_REM_R3 +-DREM_INCLUDE_CPU_H -DNEED_CPU_H -DVBOX_WITH_NEW_APIC -DVBOX_WITH_RAW_MODE -DVBOX_WITH_RAW_RING1 -DLOG_USE_C99 -D_BSD -D__x86_64__ +-Wp,-MD,/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/out/freebsd.amd64/release/obj/VBoxRemPrimary/cpu-exec.o.dep +-Wp,-MT,/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/out/freebsd.amd64/release/obj/VBoxRemPrimary/cpu-exec.o -Wp,-MP -o +/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/out/freebsd.amd64/release/obj/VBoxRemPrimary/cpu-exec.o +/usr/ports/emulators/virtualbox-ose/work/VirtualBox-5.1.22/src/recompiler/cpu-exec.c
kmk: *** Waiting for unfinished jobs....
(In reply to Sergey A. Osokin from comment #1)

lang/gcc must be rebuilt.
Hi, gcc5 and virtualbox have been rebuilt successfully on 11-BETA1. VirtualBox process still crashes FreeBSD 11-BETA1 VM.

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0x5a
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80d6cf60
stack pointer = 0x28:0xfffffe011a580420
frame pointer = 0x28:0xfffffe011a580490
code segment = base rx0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 1635 (VirtualBox)
trap number = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xffffffff80aad9c7 at kdb_backtrace+0x67
#1 0xffffffff80a6baf6 at vpanic+0x186
#2 0xffffffff80a6b963 at panic+0x43
#3 0xffffffff80ede7a2 at trap_fatal+0x322
#4 0xffffffff80ede7f9 at trap_pfault+0x49
#5 0xffffffff80ede036 at trap+0x286
#6 0xffffffff80ec2c81 at calltrap+0x8
#7 0xffffffff826bab04 at rtR0MemObjFreeBSDPhysAllocHelper+0x94
#8 0xffffffff826ba212 at rtR0MemObjFreeBSDAllocPhysPages+0x72
#9 0xffffffff826ba18b at rtR0MemObjNativeAllocPhys+0x2b
#10 0xffffffff82787981 at linprocfs_doprocstat.ratelimit+0xa835
#11 0xffffffff827a69d4 at linprocfs_doprocstat.ratelimit+0x29888
#12 0xffffffff827a9902 at linprocfs_doprocstat.ratelimit+0x2c7b6
#13 0xffffffff8269538c at supdrvIOCtlInnerUnrestricted+0x114c
#14 0xffffffff826a2d63 at VBoxDrvFreeBSDIOCtl+0x1a3
#15 0xffffffff8093ad98 at devfs_ioctl_f+0x128
#16 0xffffffff80ac9315 at kern_ioctl+0x255
#17 0xffffffff80ac904f at sys_ioctl+0x16f
Uptime: 9m15s

(kgdb) list *0xffffffff80d6cf60
0xffffffff80d6cf60 is in vm_page_alloc_contig (/usr/src/sys/vm/vm_page.c:1772).
1767 boundary))
1768 goto retry;
1769 #endif
1770 }
1771 for (m = m_ret; m < &m_ret[npages]; m++)
1772 if ((m->flags & PG_ZERO) != 0)
1773 vm_page_zero_count--;
1774 mtx_unlock(&vm_page_queue_free_mtx);
1775 if (m_ret == NULL)
1776 return (NULL);
Current language: auto; currently minimal
(kgdb) backtrace
#0 doadump (textdump=<value optimized out>) at pcpu.h:222
#1 0xffffffff80a6b671 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:366
#2 0xffffffff80a6bb30 in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:759
#3 0xffffffff80a6b963 in panic (fmt=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:690
#4 0xffffffff80ede7a2 in trap_fatal (frame=0xfffffe011a580360, eva=90) at /usr/src/sys/amd64/amd64/trap.c:801
#5 0xffffffff80ede7f9 in trap_pfault (frame=0xfffffe011a580360, usermode=0) at pcpu.h:222
#6 0xffffffff80ede036 in trap (frame=0xfffffe011a580360) at /usr/src/sys/amd64/amd64/trap.c:421
#7 0xffffffff80ec2c81 in calltrap () at /usr/src/sys/amd64/amd64/exception.S:236
#8 0xffffffff80d6cf60 in vm_page_alloc_contig (object=<value optimized out>, pindex=<value optimized out>, req=545, npages=<value optimized out>, low=0, high=18446744073709551615, alignment=2097152, boundary=0, memattr=6 '\006') at atomic.h:460
#9 0xffffffff826bab04 in rtR0MemObjFreeBSDPhysAllocHelper () from /boot/modules/vboxdrv.ko
#10 0xffffffff826ba212 in rtR0MemObjFreeBSDAllocPhysPages () from /boot/modules/vboxdrv.ko
#11 0xffffffff826ba18b in rtR0MemObjNativeAllocPhys () from /boot/modules/vboxdrv.ko
#12 0xffffffff82787981 in ?? ()
#13 0xfffffe0117dd47e0 in ?? ()
#14 0xfffffe0117db2000 in ?? ()
#15 0x0000000000000000 in ?? ()
(In reply to Sergey A. Osokin from comment #3)

1767 boundary))
1768 goto retry;
1769 #endif
1770 }
1771 for (m = m_ret; m < &m_ret[npages]; m++)
1772 if ((m->flags & PG_ZERO) != 0)
1773 vm_page_zero_count--;
1774 mtx_unlock(&vm_page_queue_free_mtx);
1775 if (m_ret == NULL)
1776 return (NULL);

This panics because `m' is NULL in #1772. It seems the for loop should be moved up a bit. FYI, the code was committed in r318716: https://svnweb.freebsd.org/changeset/base/318716
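The ordering problem described in the comment above, as an added illustration that is not code from this bug report, from FreeBSD's sys/vm/vm_page.c, or from the attached patch. It models only the pieces the bug touches: a free-list search that can return NULL, an accounting loop that walks the returned run, and the NULL check. The struct layout, the PG_ZERO bit value, and the helper names (find_contig_run, alloc_contig_buggy, alloc_contig_fixed, zero_pages_consumed) are assumptions made for this example. The buggy variant keeps the r318716 ordering so the defect is visible side by side with the corrected ordering; it is deliberately never called on the input that would make it dereference NULL.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model of the vm_page_alloc_contig() ordering bug.  The
 * struct layout, the PG_ZERO value and the helper names are assumptions
 * for this example, not code from sys/vm/vm_page.c.
 */
#define PG_ZERO 0x0008u          /* assumed flag bit for this model */

struct vm_page {
    unsigned int flags;
};

/*
 * Stand-in for the free-list search: returns the first page of a run of
 * npages, or NULL when no such run exists.  The NULL result is the case
 * that matters here.
 */
static struct vm_page *
find_contig_run(struct vm_page *pool, size_t pool_len, size_t npages)
{
    if (pool == NULL || npages == 0 || npages > pool_len)
        return (NULL);
    return (pool);
}

/*
 * Ordering from r318716: the accounting loop runs before m_ret is checked.
 * When m_ret is NULL the first iteration reads m->flags through a null
 * pointer, a read at a small offset from address 0, which is what a kernel
 * page fault with a fault virtual address such as 0x5a looks like.  Only
 * called below with inputs that succeed; the failing input would crash this
 * process just as it panicked the kernel.
 */
static struct vm_page *
alloc_contig_buggy(struct vm_page *pool, size_t pool_len, size_t npages,
    long *zero_count)
{
    struct vm_page *m_ret = find_contig_run(pool, pool_len, npages);
    struct vm_page *m;

    for (m = m_ret; m < &m_ret[npages]; m++)
        if ((m->flags & PG_ZERO) != 0)
            (*zero_count)--;
    if (m_ret == NULL)
        return (NULL);
    return (m_ret);
}

/* Corrected ordering: reject the NULL result first, then do the accounting. */
static struct vm_page *
alloc_contig_fixed(struct vm_page *pool, size_t pool_len, size_t npages,
    long *zero_count)
{
    struct vm_page *m_ret = find_contig_run(pool, pool_len, npages);
    struct vm_page *m;

    if (m_ret == NULL)
        return (NULL);
    for (m = m_ret; m < &m_ret[npages]; m++)
        if ((m->flags & PG_ZERO) != 0)
            (*zero_count)--;
    return (m_ret);
}

/*
 * Driver: build a pool in which every other page carries PG_ZERO, run one
 * allocation, and report how many pre-zeroed pages were taken off the zero
 * count, or -1 when the allocation was refused.
 */
long
zero_pages_consumed(size_t npages, size_t pool_len, bool use_fixed)
{
    struct vm_page pool[8] = {{0}};
    long zero_count = 0;
    struct vm_page *ret;
    size_t i;

    if (pool_len > 8)
        pool_len = 8;
    for (i = 0; i < pool_len; i += 2)
        pool[i].flags |= PG_ZERO;

    ret = use_fixed ?
        alloc_contig_fixed(pool, pool_len, npages, &zero_count) :
        alloc_contig_buggy(pool, pool_len, npages, &zero_count);
    return (ret == NULL ? -1 : -zero_count);
}

int
main(void)
{
    printf("fixed, 4 of 8 pages: %ld zeroed pages consumed\n",
        zero_pages_consumed(4, 8, true));
    printf("fixed, 16 of 8 pages: %ld (refused cleanly, no fault)\n",
        zero_pages_consumed(16, 8, true));
    return (0);
}
```

The second call is the interesting one: with the corrected ordering an allocation that cannot be satisfied simply returns NULL, whereas the r318716 ordering would have faulted on the same input before ever reaching its own NULL check. A small fault address such as the 0x5a in the panic above is the usual signature of that pattern, a field read through a pointer that is still NULL.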
Created attachment 183488: My attempt to fix the panic
Add markj to CC list to get his comment.
(In reply to Jung-uk Kim from comment #6)

Your patch looks right to me. Thank you, and sorry for the mistake. :(
A commit references this bug:

Author: jkim
Date: Thu Jun 15 02:39:34 UTC 2017
New revision: 319963
URL: https://svnweb.freebsd.org/changeset/base/319963

Log:
Null pointer must be checked before use. This fixes a regression introduced in r318716. Note it is a direct commit to stable/11 because head removed support for idle page zeroing in r305362.

PR: 219994
Reviewed by: markj
Approved by: re (gjb)

Changes:
stable/11/sys/vm/vm_page.c
It should be fixed now (r319963). Thanks!