panic: vm_page_astate_fcmpset: invalid head requeue request on RPI3
Idwer Vollering
vidwer at gmail.com
Thu Jan 2 13:58:30 UTC 2020
This panic can also happen on amd64, at r356262; the kgdb session on the resulting crash dump follows.
$ kgdb /boot/kernel/kernel vmcore.0
GNU gdb (GDB) 8.3.1 [GDB v8.3.1 for FreeBSD]
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-portbld-freebsd13.0".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /boot/kernel/kernel...
Reading symbols from /usr/lib/debug//boot/kernel/kernel.debug...
Unread portion of the kernel message buffer:
panic: vm_page_astate_fcmpset: invalid head requeue request for page
0xfffffe0001c8a7b8
cpuid = 2
time = 1577970641
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00567ff710
vpanic() at vpanic+0x17e/frame 0xfffffe00567ff770
panic() at panic+0x43/frame 0xfffffe00567ff7d0
_vm_page_pqstate_commit_dequeue() at
_vm_page_pqstate_commit_dequeue+0x34f/frame 0xfffffe00567ff840
vm_page_pqstate_commit_dequeue() at
vm_page_pqstate_commit_dequeue+0x96/frame 0xfffffe00567ff880
vm_page_pqstate_commit() at vm_page_pqstate_commit+0x46/frame 0xfffffe00567ff8b0
vm_pageout_laundry_worker() at vm_pageout_laundry_worker+0x5be/frame
0xfffffe00567ffb30
fork_exit() at fork_exit+0x80/frame 0xfffffe00567ffb70
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00567ffb70
--- trap 0, rip = 0, rsp = 0, rbp = 0 ---
KDB: enter: panic
__curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
55 __asm("movq %%gs:%P1,%0" : "=r" (td) : "n" (offsetof(struct pcpu,
(kgdb) bt
#0 __curthread () at /usr/src/sys/amd64/include/pcpu_aux.h:55
#1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:392
#2 0xffffffff8049bbba in db_dump (dummy=<optimized out>,
dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at
/usr/src/sys/ddb/db_command.c:575
#3 0xffffffff8049b97c in db_command (last_cmdp=<optimized out>,
cmd_table=<optimized out>, dopager=1) at
/usr/src/sys/ddb/db_command.c:482
#4 0xffffffff8049b6ed in db_command_loop () at
/usr/src/sys/ddb/db_command.c:535
#5 0xffffffff8049e918 in db_trap (type=<optimized out>,
code=<optimized out>) at /usr/src/sys/ddb/db_main.c:252
#6 0xffffffff80c15ab7 in kdb_trap (type=3, code=0, tf=<optimized
out>) at /usr/src/sys/kern/subr_kdb.c:691
#7 0xffffffff8106a9d4 in trap (frame=0xfffffe00567ff640) at
/usr/src/sys/amd64/amd64/trap.c:585
#8 <signal handler called>
#9 kdb_enter (why=0xffffffff811f6c89 "panic", msg=<optimized out>) at
/usr/src/sys/kern/subr_kdb.c:478
#10 0xffffffff80bca46a in vpanic (fmt=<optimized out>, ap=<optimized
out>) at /usr/src/sys/kern/kern_shutdown.c:897
#11 0xffffffff80bca203 in panic (fmt=0xffffffff81c7b008 <cnputs_mtx>
"\260\266\033\201\377\377\377\377") at
/usr/src/sys/kern/kern_shutdown.c:835
#12 0xffffffff80f2bb8f in _vm_page_pqstate_commit_dequeue
(pq=<optimized out>, m=0xfffffe0001c8a7b8, old=0xfffffe00567ff900,
new=...) at /usr/src/sys/vm/vm_page.h:790
#13 0xffffffff80f27d76 in vm_page_pqstate_commit_dequeue
(m=0xfffffe0001c8a7b8, old=0xfffffe00567ff900, new=...) at
/usr/src/sys/vm/vm_page.c:3369
#14 0xffffffff80f27c06 in vm_page_pqstate_commit
(m=0xfffffe0001c8a7b8, old=0x80, new=...) at
/usr/src/sys/vm/vm_page.c:3446
#15 0xffffffff80f2e82e in vm_pageout_launder (vmd=<optimized out>,
launder=982, in_shortfall=<optimized out>) at
/usr/src/sys/vm/vm_pageout.c:839
#16 vm_pageout_laundry_worker (arg=<optimized out>) at
/usr/src/sys/vm/vm_pageout.c:1101
#17 0xffffffff80b87650 in fork_exit (callout=0xffffffff80f2e270
<vm_pageout_laundry_worker>, arg=0x0, frame=0xfffffe00567ffb80) at
/usr/src/sys/kern/kern_fork.c:1058
#18 <signal handler called>
(kgdb) up
#1 doadump (textdump=0) at /usr/src/sys/kern/kern_shutdown.c:392
392 dumptid = curthread->td_tid;
(kgdb)
#2 0xffffffff8049bbba in db_dump (dummy=<optimized out>,
dummy2=<unavailable>, dummy3=<unavailable>, dummy4=<unavailable>) at
/usr/src/sys/ddb/db_command.c:575
575 error = doadump(false);
(kgdb)
#3 0xffffffff8049b97c in db_command (last_cmdp=<optimized out>,
cmd_table=<optimized out>, dopager=1) at
/usr/src/sys/ddb/db_command.c:482
482 (*cmd->fcn)(addr, have_addr, count, modif);
(kgdb)
#4 0xffffffff8049b6ed in db_command_loop () at
/usr/src/sys/ddb/db_command.c:535
535 db_command(&db_last_command, &db_cmd_table, /* dopager */ 1);
(kgdb)
#5 0xffffffff8049e918 in db_trap (type=<optimized out>,
code=<optimized out>) at /usr/src/sys/ddb/db_main.c:252
252 db_command_loop();
(kgdb)
#6 0xffffffff80c15ab7 in kdb_trap (type=3, code=0, tf=<optimized
out>) at /usr/src/sys/kern/subr_kdb.c:691
691 handled = be->dbbe_trap(type, code);
(kgdb)
#7 0xffffffff8106a9d4 in trap (frame=0xfffffe00567ff640) at
/usr/src/sys/amd64/amd64/trap.c:585
585 if (kdb_trap(type, dr6, frame))
(kgdb)
#8 <signal handler called>
(kgdb)
#9 kdb_enter (why=0xffffffff811f6c89 "panic", msg=<optimized out>) at
/usr/src/sys/kern/subr_kdb.c:478
478 kdb_why = KDB_WHY_UNSET;
(kgdb)
#10 0xffffffff80bca46a in vpanic (fmt=<optimized out>, ap=<optimized
out>) at /usr/src/sys/kern/kern_shutdown.c:897
897 kdb_enter(KDB_WHY_PANIC, "panic");
(kgdb)
#11 0xffffffff80bca203 in panic (fmt=0xffffffff81c7b008 <cnputs_mtx>
"\260\266\033\201\377\377\377\377") at
/usr/src/sys/kern/kern_shutdown.c:835
835 vpanic(fmt, ap);
(kgdb)
#12 0xffffffff80f2bb8f in _vm_page_pqstate_commit_dequeue
(pq=<optimized out>, m=0xfffffe0001c8a7b8, old=0xfffffe00567ff900,
new=...) at /usr/src/sys/vm/vm_page.h:790
790 KASSERT((new.flags & PGA_ENQUEUED) == 0 || new.queue != PQ_NONE,
(kgdb)
#13 0xffffffff80f27d76 in vm_page_pqstate_commit_dequeue
(m=0xfffffe0001c8a7b8, old=0xfffffe00567ff900, new=...) at
/usr/src/sys/vm/vm_page.c:3369
3369 ret = _vm_page_pqstate_commit_dequeue(pq, m, old, new);
(kgdb)
#14 0xffffffff80f27c06 in vm_page_pqstate_commit
(m=0xfffffe0001c8a7b8, old=0x80, new=...) at
/usr/src/sys/vm/vm_page.c:3446
3446 if (!vm_page_pqstate_commit_dequeue(m, old, new))
(kgdb)
#15 0xffffffff80f2e82e in vm_pageout_launder (vmd=<optimized out>,
launder=982, in_shortfall=<optimized out>) at
/usr/src/sys/vm/vm_pageout.c:839
839 if (!vm_page_pqstate_commit(m, &old, new))
(kgdb)
#16 vm_pageout_laundry_worker (arg=<optimized out>) at
/usr/src/sys/vm/vm_pageout.c:1101
1101 target -= min(vm_pageout_launder(vmd, launder,
(kgdb)
#17 0xffffffff80b87650 in fork_exit (callout=0xffffffff80f2e270
<vm_pageout_laundry_worker>, arg=0x0, frame=0xfffffe00567ffb80) at
/usr/src/sys/kern/kern_fork.c:1058
1058 callout(arg, frame);
(kgdb)
#18 <signal handler called>
(kgdb)
Initial frame selected; you cannot go up.
Op do 2 jan. 2020 om 12:03 schreef Michael Tuexen <tuexen at freebsd.org>:
>
> > On 2. Jan 2020, at 01:12, bob prohaska <fbsd at www.zefox.net> wrote:
> >
> > While playing at compiling www/chromium using
> > FreeBSD 13.0-CURRENT (GENERIC) #2 r356165: Mon Dec 30 09:59:03 PST 2019
> > the machine crashed, reporting
> > panic: vm_page_astate_fcmpset: invalid head requeue request for page 0xfffffd0031880490
> This problem is NOT arm specific. I've seen it on an amd64 system running syzkaller:
> http://212.201.121.91:10000/crash?id=00704eb865e893ffda473a4859e062eef512cbde
>
> Best regards
> Michael
> >
> > cpuid = 2
> > time = 1577921727
> > KDB: stack backtrace:
> > db_trace_self() at db_trace_self_wrapper+0x28
> > pc = 0xffff000000735c5c lr = 0xffff000000106814
> > sp = 0xffff0000521ec240 fp = 0xffff0000521ec450
> >
> > db_trace_self_wrapper() at vpanic+0x18c
> > pc = 0xffff000000106814 lr = 0xffff000000408d90
> > sp = 0xffff0000521ec460 fp = 0xffff0000521ec510
> >
> > vpanic() at panic+0x44
> > pc = 0xffff000000408d90 lr = 0xffff000000408b40
> > sp = 0xffff0000521ec520 fp = 0xffff0000521ec5a0
> >
> > panic() at _vm_page_pqstate_commit_dequeue+0x340
> > pc = 0xffff000000408b40 lr = 0xffff0000006ed840
> > sp = 0xffff0000521ec5b0 fp = 0xffff0000521ec5f0
> >
> > _vm_page_pqstate_commit_dequeue() at vm_page_pqstate_commit_dequeue+0xb8
> > pc = 0xffff0000006ed840 lr = 0xffff0000006e954c
> > sp = 0xffff0000521ec600 fp = 0xffff0000521ec640
> >
> > vm_page_pqstate_commit_dequeue() at vm_page_pqstate_commit+0x50
> > pc = 0xffff0000006e954c lr = 0xffff0000006e93ac
> > sp = 0xffff0000521ec650 fp = 0xffff0000521ec670
> >
> > vm_page_pqstate_commit() at vm_pageout_laundry_worker+0x5e4
> > pc = 0xffff0000006e93ac lr = 0xffff0000006f02c0
> > sp = 0xffff0000521ec680 fp = 0xffff0000521ec940
> >
> > vm_pageout_laundry_worker() at fork_exit+0x7c
> > pc = 0xffff0000006f02c0 lr = 0xffff0000003c7fdc
> > sp = 0xffff0000521ec950 fp = 0xffff0000521ec980
> >
> > fork_exit() at fork_trampoline+0x10
> > pc = 0xffff0000003c7fdc lr = 0xffff00000075230c
> > sp = 0xffff0000521ec990 fp = 0x0000000000000000
> >
> > KDB: enter: panic
> > [ thread pid 21 tid 100071 ]
> > Stopped at 0
> > db> bt
> > Tracing pid 21 tid 100071 td 0xfffffd0001078560
> > db_trace_self() at db_stack_trace+0xf8
> > pc = 0xffff000000735c5c lr = 0xffff000000103c58
> > sp = 0xffff0000521ebe10 fp = 0xffff0000521ebe40
> >
> > db_stack_trace() at db_command+0x228
> > pc = 0xffff000000103c58 lr = 0xffff0000001038d0
> > sp = 0xffff0000521ebe50 fp = 0xffff0000521ebf30
> >
> > db_command() at db_command_loop+0x58
> > pc = 0xffff0000001038d0 lr = 0xffff000000103678
> > sp = 0xffff0000521ebf40 fp = 0xffff0000521ebf60
> >
> > db_command_loop() at db_trap+0xf4
> > pc = 0xffff000000103678 lr = 0xffff00000010697c
> > sp = 0xffff0000521ebf70 fp = 0xffff0000521ec190
> >
> > db_trap() at kdb_trap+0x1d8
> > pc = 0xffff00000010697c lr = 0xffff0000004510d0
> > sp = 0xffff0000521ec1a0 fp = 0xffff0000521ec250
> >
> > kdb_trap() at do_el1h_sync+0xf4
> > pc = 0xffff0000004510d0 lr = 0xffff000000752588
> > sp = 0xffff0000521ec260 fp = 0xffff0000521ec290
> >
> > do_el1h_sync() at handle_el1h_sync+0x78
> > pc = 0xffff000000752588 lr = 0xffff000000738078
> > sp = 0xffff0000521ec2a0 fp = 0xffff0000521ec3b0
> >
> > handle_el1h_sync() at kdb_enter+0x34
> > pc = 0xffff000000738078 lr = 0xffff00000045071c
> > sp = 0xffff0000521ec3c0 fp = 0xffff0000521ec450
> >
> > kdb_enter() at vpanic+0x1a8
> > pc = 0xffff00000045071c lr = 0xffff000000408dac
> > sp = 0xffff0000521ec460 fp = 0xffff0000521ec510
> >
> > vpanic() at panic+0x44
> > pc = 0xffff000000408dac lr = 0xffff000000408b40
> > sp = 0xffff0000521ec520 fp = 0xffff0000521ec5a0
> >
> > panic() at _vm_page_pqstate_commit_dequeue+0x340
> > pc = 0xffff000000408b40 lr = 0xffff0000006ed840
> > sp = 0xffff0000521ec5b0 fp = 0xffff0000521ec5f0
> >
> > _vm_page_pqstate_commit_dequeue() at vm_page_pqstate_commit_dequeue+0xb8
> > pc = 0xffff0000006ed840 lr = 0xffff0000006e954c
> > sp = 0xffff0000521ec600 fp = 0xffff0000521ec640
> >
> > vm_page_pqstate_commit_dequeue() at vm_page_pqstate_commit+0x50
> > pc = 0xffff0000006e954c lr = 0xffff0000006e93ac
> > sp = 0xffff0000521ec650 fp = 0xffff0000521ec670
> >
> > vm_page_pqstate_commit() at vm_pageout_laundry_worker+0x5e4
> > pc = 0xffff0000006e93ac lr = 0xffff0000006f02c0
> > sp = 0xffff0000521ec680 fp = 0xffff0000521ec940
> >
> > vm_pageout_laundry_worker() at fork_exit+0x7c
> > pc = 0xffff0000006f02c0 lr = 0xffff0000003c7fdc
> > sp = 0xffff0000521ec950 fp = 0xffff0000521ec980
> >
> > fork_exit() at fork_trampoline+0x10
> > pc = 0xffff0000003c7fdc lr = 0xffff00000075230c
> > sp = 0xffff0000521ec990 fp = 0x0000000000000000
> >
> > db>
> >
> > Thanks for reading, if there's anything to try please let me know.
> >
> > bob prohaska
> >
> > _______________________________________________
> > freebsd-arm at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-arm
> > To unsubscribe, send any mail to "freebsd-arm-unsubscribe at freebsd.org"
>
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe at freebsd.org"