svn commit: r281942 - head/sys/vm

Scott Long scott4long at yahoo.com
Sat Apr 25 21:19:43 UTC 2015


> On Apr 25, 2015, at 2:30 AM, Chagin Dmitry <dchagin at freebsd.org> wrote:
> 
> On Fri, Apr 24, 2015 at 05:03:53PM +0000, Scott Long wrote:
>> Author: scottl
>> Date: Fri Apr 24 17:03:53 2015
>> New Revision: 281942
>> URL: https://svnweb.freebsd.org/changeset/base/281942
>> 
>> Log:
>>  Revert r281451.  It causes a panic/hang early in boot for a number of
>>  users, myself included.  The original code is likely papering over a
>>  larger bug that needs to be explored, but for now get things back to
>>  a working state.
>> 
>>  Obtained from:	Netflix, Inc.
>>  MFC after:	immediately
>> 
> in my POV, at vm_mem_init stage vm_map_init() calls
> uma_zcreate() that uses uninitialized zones (which are initialized
> in uma_startup()). I bet zones contain garbage.
> 

I don’t follow.  vm_mem_init() is called at SI_SUB_VM sysinit, and vm_map_init()
is called much later at SI_SUB_INTRINSIC.  vm_mem_init() calls uma_startup()
almost immediately, which will then call zone_ctor() on the “kegs” and “zones”
that were allocated from bss.  I don’t think that they’re being used prior to that.

The problem that I see is that both of these zones are allocated statically, and
contain no storage for the uz_cpu member when that member is declared as a
zero-length array.  All other zones are created dynamically and include space for
these members.  uma_startup() is initializing these zones at the right time, before
their first use, but isn’t giving them enough room.

According to the stack trace I posted, the problem triggers in the second call
to uma_zcreate() from uma_startup().  I think what happens is that the first call
to uma_zcreate() winds up writing to the zero-length uz_cpu member of
masterzone_z from inside of uma_zalloc_args().  This overwrites the adjacent
“kegs” and “zones” pointers in the bss.  The next call to uma_zcreate() then
follows a path of trying to look in the kegs, and eventually blows up.  I’m not
entirely certain on this chain of events though as it’s a bit twisty inside of
uma_zcreate() and I’m not sure I’ve found a link to where it calls
uma_zalloc_args().

Scott
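
The sizing problem Scott describes above, as an added illustration that is not FreeBSD's code: a struct whose last member is a zero-length (flexible) array gets no storage for that member when defined statically, while a dynamically allocated instance can be sized to hold it. The names `zone`, `cache`, `uz_cpu`, `zone_size`, `zone_has_cpu_room`, `zone_create` and `MAXCPU_ILLUSTRATIVE` are assumptions for the example; the layout is invented and only mirrors the thread's terminology.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins: a per-CPU cache and a zone whose trailing
 * uz_cpu[] is a flexible array, so it adds 0 bytes to sizeof(struct zone). */
struct cache { int cnt; int pad; };
struct zone {
    char name[16];
    int  flags;
    struct cache uz_cpu[];   /* no storage unless the allocation adds it */
};

/* Bytes needed for a zone that must serve ncpu per-CPU caches. */
size_t zone_size(unsigned ncpu) {
    return sizeof(struct zone) + (size_t)ncpu * sizeof(struct cache);
}

/* Does an object of 'avail' bytes have room for ncpu caches?  A bare
 * static 'struct zone' has avail == sizeof(struct zone), so any write to
 * uz_cpu[] would land in whatever the linker placed next to it in bss. */
int zone_has_cpu_room(size_t avail, unsigned ncpu) {
    return avail >= zone_size(ncpu);
}

/* Dynamic path: the allocation itself reserves room for the caches. */
struct zone *zone_create(const char *name, unsigned ncpu) {
    struct zone *z = calloc(1, zone_size(ncpu));
    if (z == NULL) return NULL;
    strncpy(z->name, name, sizeof(z->name) - 1);
    return z;
}

/* Create a dynamic zone, touch its last cache, read it back, free it. */
int dyn_zone_roundtrip(unsigned ncpu) {
    struct zone *z = zone_create("dyn", ncpu);
    if (z == NULL || ncpu == 0) return 0;
    z->uz_cpu[ncpu - 1].cnt = 42;
    int ok = (z->uz_cpu[ncpu - 1].cnt == 42);
    free(z);
    return ok;
}

/* Static path with explicit storage: wrap the zone in a union that reserves
 * space for a fixed maximum number of caches instead of relying on bss. */
#define MAXCPU_ILLUSTRATIVE 8
union static_zone {
    struct zone z;
    char storage[sizeof(struct zone) + MAXCPU_ILLUSTRATIVE * sizeof(struct cache)];
};
static union static_zone masterzone_storage;

size_t static_zone_avail(void) { return sizeof(masterzone_storage); }
```

`zone_has_cpu_room(sizeof(struct zone), 1)` is 0, while the union-backed static object and the `calloc`'d zone both have room, which is the difference between the static kegs/zones and the dynamically created ones in the thread.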


