Created attachment 231549 [details] core.txt.6 # cat info.last Dump header from device: /dev/gpt/fbswap Architecture: amd64 Architecture Version: 2 Dump Length: 972505088 Blocksize: 512 Compression: none Dumptime: 2022-02-04 12:06:41 +0900 Hostname: carrot.ish.org Magic: FreeBSD Kernel Dump Version String: FreeBSD 14.0-CURRENT #21 master-n252892-e30fceb89b7-dirty: Thu Feb 3 17:45:25 JST 2022 ishizuka@okra.ish.org:/usr/obj/usr/src/amd64.amd64/sys/SG_UDF2 Panic String: vm_page_free_prep: freeing mapped page 0xfffffe0006f80170 Dump Parity: 1337301631 Bounds: 6 Dump Status: good mvcore was saved to https://www.ish.org/files/vmcore-n252892.6.xz .
I have a similar issue on 14-CURRENT(main-n253047-a35bdd4489b) The panic usually happens when the system has high CPU usage i.e. when running stress-ng or when compiling a large port. (kgdb) backtrace #0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55 #1 doadump (textdump=textdump@entry=1) at /usr/src/sys/kern/kern_shutdown.c:399 #2 0xffffffff80c14143 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:487 #3 0xffffffff80c145ae in vpanic (fmt=0xffffffff812b9325 "vm_page_free_prep: freeing mapped page %p", ap=<optimized out>) at /usr/src/sys/kern/kern_shutdown.c:920 #4 0xffffffff80c14303 in panic (fmt=<unavailable>) at /usr/src/sys/kern/kern_shutdown.c:844 #5 0xffffffff80fac7ac in vm_page_free_prep (m=m@entry=0xfffffe000c358148) at /usr/src/sys/vm/vm_page.c:3865 #6 0xffffffff80fa4262 in vm_page_free_toq (m=m@entry=0xfffffe000c358148) at /usr/src/sys/vm/vm_page.c:3918 #7 0xffffffff80fa424b in vm_page_free (m=<unavailable>, m@entry=0xfffffe000c358148) at /usr/src/sys/vm/vm_page.c:1330 #8 0xffffffff80fb0435 in vm_pageout_scan_inactive (vmd=vmd@entry=0xffffffff81fb5540 <vm_dom>, page_shortage=3344) at /usr/src/sys/vm/vm_pageout.c:1637 #9 0xffffffff80fae50e in vm_pageout_inactive_dispatch (vmd=0xffffffff81fb5540 <vm_dom>, shortage=4456) at /usr/src/sys/vm/vm_pageout.c:1698 #10 vm_pageout_inactive (vmd=0xffffffff81fb5540 <vm_dom>, shortage=<optimized out>, addl_shortage=<optimized out>) at /usr/src/sys/vm/vm_pageout.c:1747 #11 vm_pageout_worker (arg=<optimized out>, arg@entry=0x0) at /usr/src/sys/vm/vm_pageout.c:2187 #12 0xffffffff80fadf47 in vm_pageout () at /usr/src/sys/vm/vm_pageout.c:2420 #13 0xffffffff80bcbb60 in fork_exit (callout=0xffffffff80fadd80 <vm_pageout>, arg=0x0, frame=0xfffffe00837ccf40) at /usr/src/sys/kern/kern_fork.c:1102 #14 <signal handler called> #15 0x009c693f3f3f3f52 in ?? () Link to core dump: https://drive.google.com/file/d/1bxR2vFYpwh55UMebKqOontz7I9KBXGcg/view?usp=sharing
Probably caused by base 3de96d664aaa. You can try the following hack which essentially reverts that commit. In bug 261773 it is also visible as corrupted icons in Firefox. There must be non-anonymous swap objects with ref_count == 1 and active mappings. --- sys/vm/vm_pageout.c +++ sys/vm/vm_pageout.c @@ -732,8 +732,8 @@ vm_pageout_clean(vm_page_t m, int *numpagedout) static bool vm_pageout_object_act(vm_object_t object) { - return (object->ref_count > - ((object->flags & (OBJ_SWAP | OBJ_ANON)) == OBJ_SWAP ? 1 : 0)); + return (object->ref_count > 0); +// ((object->flags & (OBJ_SWAP | OBJ_ANON)) == OBJ_SWAP ? 1 : 0)); } static int
(In reply to Aleksander Slomka from comment #1) vmcore is useless without the matching kernel.full. Place it somewhere as well. Or do from kgdb: p *m p *(m->object)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=b51927b7b018d268c91b2127d82786caf68254de commit b51927b7b018d268c91b2127d82786caf68254de Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2022-02-10 14:50:42 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2022-02-10 14:55:10 +0000 Revert "vm_pageout_scans: correct detection of active object" This reverts commit 3de96d664aaaf8e3fb1ca4fc4bd864d2cf734b24. Problem is that it is possible to reach the state with ref_count == 1 for the mapped non-anonymous object. For instance, anonymous posix shmfd or linux shmfs object could be mapped, and then corresponding file descriptor closed, dropping the object reference owned by the shmfd/shmfs file. Then the check in inactive scan assumes that the object and page are not mapped and frees the page, while they are not. PR: 261707 Discussed with: markj Sponsored by: The FreeBSD Foundation MFC after: now sys/vm/vm_pageout.c | 56 +++++++++++++++++------------------------------------ 1 file changed, 18 insertions(+), 38 deletions(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=3261dea72c24aa7b33eb90aeae95d82078cfc5e4 commit 3261dea72c24aa7b33eb90aeae95d82078cfc5e4 Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2022-02-10 14:50:42 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2022-02-10 14:56:15 +0000 Revert "vm_pageout_scans: correct detection of active object" This reverts commit 3de96d664aaaf8e3fb1ca4fc4bd864d2cf734b24. PR: 261707 (cherry picked from commit b51927b7b018d268c91b2127d82786caf68254de) sys/vm/vm_pageout.c | 56 +++++++++++++++++------------------------------------ 1 file changed, 18 insertions(+), 38 deletions(-)
(In reply to Tijl Coosemans from comment #2) Thank you for patch. This patch seems to solve my problem. It works well on master-n253071-79f5d19890c with this patch.
(In reply to commit-hook from comment #4) Thank you for b51927b7b018d268c91b2127d82786caf68254de. I made master-n253094-4bcc7a5f6b3 and it works fine.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=f0000eb41d3076673c8725e3ddb8d7b4a93b7112 commit f0000eb41d3076673c8725e3ddb8d7b4a93b7112 Author: Peter Holm <pho@FreeBSD.org> AuthorDate: 2022-02-11 08:47:25 +0000 Commit: Peter Holm <pho@FreeBSD.org> CommitDate: 2022-02-11 08:47:25 +0000 stress2: Added a regression test PR: 261707 tools/test/stress2/misc/shm3.sh (new +x) | 74 ++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+)