Port-powerpc archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
ofppc - panic pmap_pvo_find_va returning NULL for kernel pmap
Hi list.
Recently I’ve been working on MPC5200B support, with the intention of running NetBSD on EFIKA board. Between 2008-2012, rjs@ developed a set of patches that added basic support for MPC5200B. I’ve taken these patches and (over the years) extended them, refactored, which resulted in pretty complete support for EFIKA. It’s 2026 and I guess it’s high time to get this into the CVS. MPC5200B peripherals landed in tree a few days ago, in src/sys/arch/powerpc/mpc5200 . However, I am still facing two issues that prevent me from finishing the cleanup of EFIKA-specific code.
The first issue is a panic in OEA pmap. Since I do not consider myself to be an expert in pmap internals (it’s more like "here be dragons" territory for me), I request guidance from fellow developers. I allowed myself to also cc rin@ who was the last person to rework OEA pmap and touched relevant parts.
The kernel reaches userland and panics the moment init is executed from NFS root:
[ 15.2275076] init: trying /sbin/init
[ 15.7405906] panic: pmap_pvo_find_va: returning NULL for kernel pmap, va: 0xa2000000
[ 15.7405906] cpu0: Begin traceback...
[ 15.7405906] 0x01c6b340: at vpanic+0x154
[ 15.7405906] 0x01c6b370: at panic+0x50
[ 15.7405906] 0x01c6b3b0: at pmap_pvo_find_va+0xffffbff4
[ 15.7405906] 0x01c6b3c0: at pmap32_extract+0xac
[ 15.7405906] 0x01c6b3e0: at uvm_km_pgremove_intrsafe+0x6c
[ 15.7405906] 0x01c6b450: at uvm_unmap_remove+0x2cc
[ 15.7405906] 0x01c6b490: at uvm_pagermapout+0x7c
[ 15.7405906] 0x01c6b4c0: at genfs_getpages+0x102c
[ 15.7405906] 0x01c6b5c0: at nfs_getpages+0x74
[ 15.7405906] 0x01c6b620: at VOP_GETPAGES+0x58
[ 15.7405906] 0x01c6b660: at ubc_fault+0x104
[ 15.7405906] 0x01c6b6c0: at uvm_fault_internal+0x3a0
[ 15.7405906] 0x01c6b800: at trap+0x848
[ 15.7405906] 0x01c6b8c0: kernel DSI read trap @ 0xa3860000 by memcpy+0x20: srr1=0x9032
[ 15.7405906] r1=0x1c6b990 cr=0x40422202 xer=0x20000000 ctr=0x101 dsisr=0x40000000
[ 15.7405906] 0x01c6b990: at 0x1c6ba4c
[ 15.7405906] 0x01c6ba10: at uiomove+0x9c
[ 15.7405906] 0x01c6ba40: at ubc_uiomove+0x138
[ 15.7405906] 0x01c6ba90: at nfs_bioread+0x154
[ 15.7405906] 0x01c6bb00: at VOP_READ+0x40
[ 15.7405906] 0x01c6bb30: at vn_rdwr+0x164
[ 15.7405906] 0x01c6bba0: at check_exec+0x1bc
[ 15.7405906] 0x01c6bc20: at execve_loadvm+0x1e0
[ 15.7405906] 0x01c6bca0: at execve1+0x18
[ 15.7405906] 0x01c6be20: at start_init+0x260
[ 15.7405906] 0x01c6bf20: at cpu_lwp_bootstrap+0xc
[ 15.7405906] saved LR(0x8a3cd39) is invalid.cpu0: End traceback...
Stopped in pid 1.1 (init) at netbsd:vpanic+0x158: addi r4, r0, 0x0
The panic is caused by a guard at line 1383 of OEA's pmap.c in pmap_pvo_find_va() :
if ((pm == pmap_kernel()) && (va < PMAP_DIRECT_MAPPED_LEN))
panic("%s: returning NULL for %s pmap, va: %#" _PRIxva "\n",
__func__, (pm == pmap_kernel() ? "kernel" : "user"), va);
return NULL;
According to my investigation, the whole call path up to pmap_pvo_find_va() is correct in a situation where userland process requires demand paging. One may ask if the page shouldn’t be already mapped at this point, but I think not, since UBC normally demand-faults by design here (that’s why there’s a DSI trap). Also note, the panic actually happens when tearing down the temporary KVA that genfs_getpages() used. The whole ubc_fault() worked as expected, it’s the cleanup (uvm_pagermapout()) that panics.
When this check is commented out, the port boots to multi-user and system is completely stable. Taylor suggested that commenting out the mentioned panic is 99% papering over some other problem. It sort of is (more on that below), but in my opinion the check itself is incorrect.
The check should not assume that given VA >= PMAP_DIRECT_MAPPED_LEN . Note that PMAP_DIRECT_MAPPED_LEN is calculated according to the formula in oea/pmap.h (line 128) :
SEGMENT_LENGTH (256MB) * USER_SR
Why does the panic not trigger on macppc and other PowerPC ports? By coincidence that depends on ordering of USER_SR and KERNEL_SR utilized by a given port:
macppc, evbppc etc. use USER_SR 12 and KERNEL_SR 13, 14, so segment-mappend KVA lands between 0xD0000000 - 0xF0000000, and PMAP_DIRECT_MAPPED_LEN as calculated is 0xC0000000 .
ofppc uses USER_SR 14 and KERNEL_SR 10, 11, so segment-mapped KVA lands between 0xA0000000 - 0xC0000000, and PMAP_DIRECT_MAPPED_LEN as calculated is 0xE0000000 .
You can already see the problem - on *ofppc correct kernel VA is below PMAP_DIRECT_MAPPED_LEN* and the first call that returns NULL from pmap_pvo_find_va() is destined to panic. Since panic will only trigger for NULLs, the kernel itself will boot and only when userland process requires demand-paging, the panic will occur.
The question is how to handle this correctly? ofppc does the controversial thing of overriding (and reordering!) KERNEL_SR and USER_SR, but at the same time it may not be feasible to refactor ofppc now to work just like all the other ports. I don’t like the idea of making a port wide change to a machines I can’t test. The check itself should either removed or ifdef’d for OEA64_BRIDGE where it is reliably true, as can be seen in OEA64 implementation of pmap_extract().
It is also worth nothing that 32-bit OEA generally does not practice PMAP_DIRECT in MI sense so the naming is confusing too, I assume here it just means "the range where PA=pointer".
If my understanding of the problem is incorrect, I will gladly accept other suggestions.
Regarding the other issue I am facing, I will prep a separate email, since it is unrelated to the above problem.
Complete dmesg below:
[ 1.0000000] NetBSD 11.99.6 (EFIKA) #125: Tue Jun 30 00:12:20 CEST 2026
[ 1.0000000] rkujawa%nbox.home.c0ff33.net@localhost:/home/rkujawa/repos/NetBSD-MPC5200B/src/obj/sys/arch/ofppc/compile/EFIKA
[ 1.0000000] Model: EFIKA5K2
[ 1.0000000] total memory = 128 MB
[ 1.0000000] avail memory = 100 MB
[ 1.0000000] bootpath: /builtin@F0000000/ethernet@F0003000/netbsd.ofppc
[ 1.0000000] mainbus0 (root)
[ 1.0000000] rtas0 at mainbus0: version 1, entry @pa 0x1c24000
[ 1.0000000] cpu0 at mainbus0: G2 (rev 1.4), ID 0 (primary)
[ 1.0000000] cpu0: HID0 0x90c000<DOZE,DPM,ICE,DCE>, powersave: 1
[ 1.0000000] cpu0: L1 I-cache 16 KB 32B/line, D-cache 16 KB 32B/line
[ 1.0000000] mpcobio0 at mainbus0: MPC5200B on-chip peripherals at 0xf0000000
[ 1.0000000] mpc5200pic0 at mpcobio0 addr 0xf0000500: MPC5200 SIU interrupt controller, 96 sources
[ 1.0000000] bestcomm0 at mpcobio0 addr 0xf0001200: BestComm SDMA, 16 tasks, 16 interrupt sources
[ 1.0000000] sram0 at mpcobio0 addr 0xf0008000: 16 KB on-chip SRAM
[ 1.0000000] wdc0 at mpcobio0 addr 0xf0003a00: MPC5200 ATA controller
[ 1.0000000] wdc0: interrupting at irq 71
[ 1.0000000] atabus2 at wdc0 channel 0
[ 1.0000000] ohci0 at mpcobio0 addr 0xf0001000: MPC5200 USB OHCI
[ 1.0000000] ohci0: OHCI version 1.0
[ 1.0000000] usb0 at ohci0: USB revision 1.0
[ 1.0000000] fec0 at mpcobio0 addr 0xf0003000: MPC5200 FEC, address 00:0b:2f:e1:0a:52
[ 1.0000000] rlphy0 at fec0 phy 16: RTL8201L 10/100 media interface, rev. 1
[ 1.0000000] rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
[ 1.0000000] mpcaudio0 at mpcobio0 addr 0xf0002200: MPC5200 AC97 controller
[ 1.0000000] mpcaudio0: ac97: SigmaTel STAC9766/67 codec; headphone, 20 bit DAC, 20 bit ADC, SigmaTel 3D
[ 1.0000000] mpcaudio0: ac97: ext id 0xa05<AC97_23,AMAP,SPDIF,VRA>
[ 1.0000000] audio0 at mpcaudio0: playback
[ 1.0000000] audio0: slinear_be:16 2ch 48000Hz, blk 3840 bytes (10ms) for playback
[ 1.0000000] spkr0 at audio0: PC Speaker (synthesized)
[ 1.0000000] wsbell at spkr0 not configured
[ 1.0000000] psc0 at mpcobio0 addr 0xf0002000: console, IPB 133.3 MHz, 115200 baud (divisor 36)
[ 1.0000000] pcidma at mpcobio0 addr 0xf0003800 not configured
[ 1.0000000] cdm0 at mpcobio0 addr 0xf0000200: core 399.9 MHz, XLB 133.3 MHz, IPB 133.3 MHz, PCI 66.6 MHz
[ 1.0000000] mpcpci0 at mainbus0: MPC5200B PCI host bridge
[ 1.0000000] mpcpci0: pci_configure_bus() failed
[ 1.0000000] pci0 at mpcpci0 bus 0: indirect configuration space access
[ 1.0000000] Motorola MPC5200B Host Bridge (miscellaneous bridge) at pci0 dev 28 function 0 not configured
[ 1.0000000] vmmask 7c000000 schedmask 7c000000 highmask 7e000000
[ 1.0000000] WARNING: system needs entropy for security; see entropy(7)
[ 1.0000356] bestcomm0: loaded 16-task SDMA image (5376 bytes) at SRAM 0xf0008000
[ 1.0299675] uhub0 at usb0: NetBSD (0x0000) OHCI root hub (0x0000), class 9/0, rev 1.00/1.00, addr 1
[ 2.6299862] uhidev0 at uhub0 port 2 configuration 1 interface 0
[ 2.6299862] uhidev0: Logitech (0x046d) USB Receiver (0xc548), rev 2.00/5.01, addr 2, iclass 3/1
[ 2.6299862] ukbd0 at uhidev0: 128 Variable keys, 0 Array codes
[ 2.6299862] wskbd0 at ukbd0 mux 1
[ 2.6299862] uhidev1 at uhub0 port 2 configuration 1 interface 1
[ 2.6299862] uhidev1: Logitech (0x046d) USB Receiver (0xc548), rev 2.00/5.01, addr 2, iclass 3/1
[ 2.6700012] uhidev1: 4 report ids
[ 2.6700012] ums0 at uhidev1 reportid 2: 16 buttons, W and Z dirs
[ 2.6700012] wsmouse0 at ums0 mux 0
[ 2.6700012] uhid0 at uhidev1 reportid 3: input=4, output=0, feature=0
[ 2.6700012] uhid1 at uhidev1 reportid 4: input=1, output=0, feature=0
[ 2.6700012] uhidev2 at uhub0 port 2 configuration 1 interface 2
[ 2.6700012] uhidev2: Logitech (0x046d) USB Receiver (0xc548), rev 2.00/5.01, addr 2, iclass 3/0
[ 2.7100077] uhidev2: 17 report ids
[ 2.7100077] uhid2 at uhidev2 reportid 16: input=6, output=6, feature=0
[ 2.7100077] uhid3 at uhidev2 reportid 17: input=19, output=19, feature=0
[ 4.2000005] wd1 at atabus2 drive 0
[ 4.2199970] wd1: <FUJITSU MHR2020AT>
[ 4.2199970] wd1: 19077 MB, 38760 cyl, 16 head, 63 sec, 512 bytes/sect x 39070080 sectors
[ 4.4500118] swwdog0: software watchdog initialized
[ 4.4800046] WARNING: 1 error while detecting hardware; check system log.
[ 4.4800046] boot device: <unknown>
[ 4.4800046] root device:
[ 4.4800046] use one of: fec0 wd1[a-p] ddb halt reboot
[ 4.4800046] root device: fec0
[ 4.4800046] dump device:
[ 4.4800046] file system (default generic):
[ 4.4800046] root on fec0
[ 4.6281046] nfs_boot: trying DHCP/BOOTP
[ 9.2000015] nfs_boot: DHCP next-server: 10.115.0.19
[ 9.2000015] nfs_boot: my_domain=home.c0ff33.net
[ 9.2000015] nfs_boot: my_addr=10.115.0.162
[ 9.2000015] nfs_boot: my_mask=255.255.255.0
[ 9.2000015] nfs_boot: gateway=10.115.0.1
[ 15.2100131] root on 10.115.0.19:/export/efika/
[ 15.2100131] root file system type: nfs
[ 15.2100131] kern.module.path=/stand/ofppc/11.99.6/modules
[ 15.2275076] init path (default /sbin/init):
[ 15.2275076] init: trying /sbin/init
[ 15.7405906] panic: pmap_pvo_find_va: returning NULL for kernel pmap, va: 0xa2000000
[ 15.7405906] cpu0: Begin traceback...
[ 15.7405906] 0x01c6b340: at vpanic+0x154
[ 15.7405906] 0x01c6b370: at panic+0x50
[ 15.7405906] 0x01c6b3b0: at pmap_pvo_find_va+0xffffbff4
[ 15.7405906] 0x01c6b3c0: at pmap32_extract+0xac
[ 15.7405906] 0x01c6b3e0: at uvm_km_pgremove_intrsafe+0x6c
[ 15.7405906] 0x01c6b450: at uvm_unmap_remove+0x2cc
[ 15.7405906] 0x01c6b490: at uvm_pagermapout+0x7c
[ 15.7405906] 0x01c6b4c0: at genfs_getpages+0x102c
[ 15.7405906] 0x01c6b5c0: at nfs_getpages+0x74
[ 15.7405906] 0x01c6b620: at VOP_GETPAGES+0x58
[ 15.7405906] 0x01c6b660: at ubc_fault+0x104
[ 15.7405906] 0x01c6b6c0: at uvm_fault_internal+0x3a0
[ 15.7405906] 0x01c6b800: at trap+0x848
[ 15.7405906] 0x01c6b8c0: kernel DSI read trap @ 0xa3860000 by memcpy+0x20: srr1=0x9032
[ 15.7405906] r1=0x1c6b990 cr=0x40422202 xer=0x20000000 ctr=0x101 dsisr=0x40000000
[ 15.7405906] 0x01c6b990: at 0x1c6ba4c
[ 15.7405906] 0x01c6ba10: at uiomove+0x9c
[ 15.7405906] 0x01c6ba40: at ubc_uiomove+0x138
[ 15.7405906] 0x01c6ba90: at nfs_bioread+0x154
[ 15.7405906] 0x01c6bb00: at VOP_READ+0x40
[ 15.7405906] 0x01c6bb30: at vn_rdwr+0x164
[ 15.7405906] 0x01c6bba0: at check_exec+0x1bc
[ 15.7405906] 0x01c6bc20: at execve_loadvm+0x1e0
[ 15.7405906] 0x01c6bca0: at execve1+0x18
[ 15.7405906] 0x01c6be20: at start_init+0x260
[ 15.7405906] 0x01c6bf20: at cpu_lwp_bootstrap+0xc
[ 15.7405906] saved LR(0x8a3cd39) is invalid.cpu0: End traceback...
Stopped in pid 1.1 (init) at netbsd:vpanic+0x158: addi r4, r0, 0x0
db>
Best regards,
Radoslaw
Home |
Main Index |
Thread Index |
Old Index