Subject: page with wirecount 65535 on active list?
To: None <tech-kern@netbsd.org>
From: Greg Troxel <gdt@ir.bbn.com>
List: tech-kern
Date: 12/30/2003 13:54:33

I had a crash and would like confirmation if my reading of the code
and conclusions are correct.

Machine is 1.6.2_RC3/i386 with 768MB memory (+ coda pulled up from
current and other local IPsec changes), single processor.  I was doing
a number of things, including heavy writing via pkgsrc/security/cfs,
with ciphertext on a regular IDE local disk.

From the backtrace, I think that a page ended up on the active queue
with wire_count set to 65535.  The loop in uvmpd_scan is over the list
of active pages, and a) those aren't allowed to be wired and b) 65535
is "obviously" the result of decrementing 0, not having 2^16-1 objects
wiring the page.

Perhaps uvm_pageunwire(pg) should add

        KASSERT(pg->wire_count != 0);

at the beginning in order to catch this corruption closer to where the
problem happened?

Does anyone else have any clues as to how this might have happened?

    Thanks,
    Greg

Most of my backtrace:

#13 0xc01e52da in panic ()
    at /n0/gdt/QUIST-current/netbsd/src/sys/arch/i386/compile/POBLANO/../../../../kern/subr_prf.c:253
#14 0xc03504eb in __assert ()
    at /usr/home/gdt/QUIST-current/netbsd/src/sys/arch/i386/compile/POBLANO/lib/kern/../../../../../../lib/libkern/__assert.c:47
#15 0xc02a0caf in uvm_pagedeactivate (pg=0xc087000c)
    at ../../../../uvm/uvm_page_i.h:201
#16 0xc02a38b3 in uvmpd_scan ()
    at /n0/gdt/QUIST-current/netbsd/src/sys/arch/i386/compile/POBLANO/../../../../uvm/uvm_pdaemon.c:872
#17 0xc02a307e in uvm_pageout (arg=0xe363039c)
    at /n0/gdt/QUIST-current/netbsd/src/sys/arch/i386/compile/POBLANO/../../../../uvm/uvm_pdaemon.c:253
(gdb) fr 16
#16 0xc02a38b3 in uvmpd_scan ()
    at /n0/gdt/QUIST-current/netbsd/src/sys/arch/i386/compile/POBLANO/../../../../uvm/uvm_pdaemon.c:872
872                             uvm_pagedeactivate(p);
(gdb) print *p
$4 = {pageq = {tqe_next = 0xc0e129c0, tqe_prev = 0xc043a78c}, hashq = {
    tqe_next = 0x0, tqe_prev = 0xca42fc90}, listq = {tqe_next = 0xc0e129c0, 
    tqe_prev = 0xc0ce9028}, uanon = 0x0, uobject = 0xe466a588, offset = 40960, 
  flags = 12, loan_count = 0, wire_count = 65535, pqflags = 0, 
  phys_addr = 337190912}

-- 
        Greg Troxel <gdt@ir.bbn.com>
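
An added example, not code from the original post or from NetBSD: a simplified C model of a 16-bit wire count, showing how one unbalanced unwire wraps 0 to 65535 and is only noticed later by an active-list invariant check, while a check at the top of unwire reports it at the call site. The struct and all `model_*` names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): not NetBSD's struct vm_page. */
struct model_page {
    uint16_t wire_count;  /* 16-bit, so decrementing 0 yields 65535 */
    int on_active;        /* 1 while the page sits on the active list */
};

static void model_wire(struct model_page *pg)
{
    if (pg->wire_count == 0)
        pg->on_active = 0;          /* wired pages leave the paging queues */
    pg->wire_count++;
}

/* Unchecked unwire: trusts the caller to have a matching wire. */
static void model_unwire(struct model_page *pg)
{
    pg->wire_count--;               /* wraps 0 -> 65535 on an extra call */
    if (pg->wire_count == 0)
        pg->on_active = 1;
}

/* Checked unwire: returns -1 where a KASSERT(pg->wire_count != 0) would fire. */
static int model_unwire_checked(struct model_page *pg)
{
    if (pg->wire_count == 0)
        return -1;
    model_unwire(pg);
    return 0;
}

/* Invariant the page daemon's scan relies on: active pages are not wired. */
static int model_active_invariant_ok(const struct model_page *pg)
{
    return !(pg->on_active && pg->wire_count != 0);
}

int main(void)
{
    struct model_page pg = { 0, 1 };
    model_wire(&pg);
    model_unwire(&pg);              /* balanced: back on active, count 0 */
    model_unwire(&pg);              /* unbalanced: silent wrap */
    printf("wire_count=%u invariant_ok=%d\n",
           (unsigned)pg.wire_count, model_active_invariant_ok(&pg));
    struct model_page pg2 = { 0, 1 };
    printf("checked unwire on count 0 -> %d\n", model_unwire_checked(&pg2));
    return 0;
}
```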