Page MenuHomeFreeBSD
Differential D20842

Bug 238960: panic in vm_pageout_collect_batch() with QUEUE_MACRO_DEBUG_TRASH enabled
ClosedPublic
Actions

Authored by dgmorris_earthlink.net on Jul 3 2019, 4:08 PM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Apr 4, 4:00 PM
Unknown Object (File)
Jan 13 2024, 8:43 AM
Unknown Object (File)
Jan 9 2024, 6:29 PM
Unknown Object (File)
Dec 23 2023, 12:03 PM
Unknown Object (File)
Dec 20 2023, 6:43 AM
Unknown Object (File)
Dec 12 2023, 8:01 PM
Unknown Object (File)
Sep 6 2023, 7:31 AM
Unknown Object (File)
Sep 6 2023, 7:30 AM
View All 32 Files
Subscribers
imp

Details

Reviewers
cem
vangyzen
markj
Commits
rS349671: Cache the next queue element when traversing a page queue.
Summary

Investigation of a panic upon entering light memory pressure (causing inactive page scan) in an environment where QUEUE_MACRO_DEBUG_TRASH is enabled by default exposed an issue in vm_pageout_collect_batch().
The while loop iterates over the pages in the pagequeue provided, but when dequeue is enabled [as for inactive] the next pointer is technically invalid. This is hidden without the DEBUG option lit as the stale pointers are kept and the pagequeue lock should keep the next element on the list, but with the DEBUG option setting the pointers to -1, a panic ensues.

I would also argue that programatically, relying on the now-stale next pointer is effectively relying on the TAILQ implementation details (it could move to an underlying data structure which could pack elements or other methods where the original pointer could be freed) and should be avoided.

Test Plan
  1. Instrumented inactive batch walk to expose that we were attempting NEXT of -1 prior and that the page walk proceeded with the change (obviously QUEUE_MACRO_DEBUG_TRASH is on by default).
  1. Booted and looped memory pressure-inducing internal test application for 18+ continuous hours of operation. Without fix, panic happened on first invocation of the internal tests.

I believe this is sufficient given the defect is algorithmically evident.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

dgmorris_earthlink.net created this revision.Jul 3 2019, 4:08 PM
Herald added a subscriber: imp. · View Herald TranscriptJul 3 2019, 4:08 PM
markj accepted this revision.Jul 3 2019, 4:10 PM
markj added inline comments.
sys/vm/vm_pageout.c
269

n should come after marker.

This revision is now accepted and ready to land.Jul 3 2019, 4:10 PM
cem accepted this revision.EditedJul 3 2019, 4:23 PM

LGTM. For future reference, please upload future patches with more context. That could mean using the arc command line tool, which simplifies the process somewhat once it is set up, or diff -U99999 if you prefer not to use the arc ("Arcanist") tool.

dgmorris_earthlink.net updated this revision to Diff 59349.Jul 3 2019, 4:23 PM

Moved new local variable n to appropriate spot in multiple declarations.

This revision now requires review to proceed.Jul 3 2019, 4:23 PM
vangyzen accepted this revision.Jul 3 2019, 4:28 PM
This revision is now accepted and ready to land.Jul 3 2019, 4:28 PM
Closed by commit rS349671: Cache the next queue element when traversing a page queue. (authored by markj). · Explain WhyJul 3 2019, 6:46 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rS349671: Cache the next queue element when traversing a page queue..

Revision Contents
Changeset List

PathSize
sys/
vm/
5 lines

Diff 59346

View Options

sys/vm/vm_pageout.c

Loading...