On an old PowerMac G5: two 32-bit powerpc FreeBSD vmcore's from having protected most wired kernel memory from execution: what is common
Mark Millard
markmi at dsl-only.net
Fri Jun 2 20:59:28 UTC 2017
[I'm adding a comparison/contrast of the
values that ddb reported for register
values going with the vmcore.5 and
vmcore.6 contexts.]
On 2017-Jun-2, at 6:15 AM, Mark Millard <markmi at dsl-only.net> wrote:
> Based on the changed page protections. . .
> Instead of illegal instruction the periodic/random kernel panic
> reported for both example panics:
>
> fatal kernel trap:
>
> exception = 0x400 instruction storage interrupt
> virtual address = 0x90a0f0
> srr0 = 0x90a0f0
> srr1 = 0x10001032
> lr = 0x535ad0
> (sched_affinity+0x18 ???)
> curthread = 0x147d360
> pid = 11, comm = idle: cpu1
>
> [ thread pid 11 tid 100003 ]
> Stopped at etext+0xb8fc: illegal instruction 0
>
> (So it looks like I disabled execute in that
> area correctly.)
>
>
> Most levels of the backtraces are different
> between vmcore.5 and vmcore.6 . But the
> lowest level ones are the same.
>
> In particular the prior bl is to tdq_add
> from sched_add but the 0x90a0f0 it jumps
> to when getting the 0x400 exception is
> wildly different than the 0x5356ec for the
> bl to tdq_add.
>
> For reference: sched_affinity through
> sched_affinity+0x18 is:
>
> 00535ab8 <sched_affinity> stwu r1,-32(r1)
> 00535abc <sched_affinity+0x4> mflr r0
> 00535ac0 <sched_affinity+0x8> stw r29,20(r1)
> 00535ac4 <sched_affinity+0xc> stw r30,24(r1)
> 00535ac8 <sched_affinity+0x10> stw r31,28(r1)
> 00535acc <sched_affinity+0x14> stw r0,36(r1)
> 00535ad0 <sched_affinity+0x18> mr r31,r1
>
> So 00535ad0 is an odd spot for a lr value.
>
>
> backtrace summary for vmcore.5:
> (Listing the LR values, not 4 back from that.)
>
> trapexit+0x0 (after trapagain+0x4) for 0x400 trap
> 0x90a0f0 from .hash section (bad address)
> sched_add+0x1a0
> 005359c4 <sched_add+0x188> bl 004cde6c <thread_lock_unblock>
> 005359c8 <sched_add+0x18c> bl 008ea4e0 <spinlock_exit>
> 005359cc <sched_add+0x190> mr r3,r28
> 005359d0 <sched_add+0x194> mr r4,r27
> 005359d4 <sched_add+0x198> mr r5,r25
> 005359d8 <sched_add+0x19c> bl 005356ec <tdq_add>
> 005359dc <sched_add+0x1a0> mfsprg r9,0
>
> (from here until cpu_idle_60x+0x88 is not common with vmcore.6)
> intr_event_schedule_thread+0xd0
> 004a8780 <intr_event_schedule_thread+0xc4> mr r3,r28
> 004a8784 <intr_event_schedule_thread+0xc8> li r4,4
> 004a8788 <intr_event_schedule_thread+0xcc> bl 0053583c <sched_add>
> 004a878c <intr_event_schedule_thread+0xd0> lwz r9,0(r28)
> intr_event_handle+0x114
> powerpc_dispatch_intr+0xcc
> openpic_dispatch+0x94
> powerpc_interrupt+0xc4
> trapexit+0x0 (after trapagain+0x4) for 0x500 trap (vmcore.6: 0x900)
>
> cpu_idle_60x+0x88
> . . . (not shown)
>
>
> backtrace summary for vmcore.6:
> (Listing the LR values, not 4 back from that.)
>
> trapexit+0x0 (after trapagain+0x4) for 0x400 trap
> 0x90a0f0 from .hash section (bad address)
> sched_add+0x1a0
> 005359c4 <sched_add+0x188> bl 004cde6c <thread_lock_unblock>
> 005359c8 <sched_add+0x18c> bl 008ea4e0 <spinlock_exit>
> 005359cc <sched_add+0x190> mr r3,r28
> 005359d0 <sched_add+0x194> mr r4,r27
> 005359d4 <sched_add+0x198> mr r5,r25
> 005359d8 <sched_add+0x19c> bl 005356ec <tdq_add>
> 005359dc <sched_add+0x1a0> mfsprg r9,0
>
> (from here until cpu_idle_60x+0x88 is not common with vmcore.5)
> sched_wakeup+0xa8
> 00535c0c <sched_wakeup+0x9c> mr r3,r29
> 00535c10 <sched_wakeup+0xa0> li r4,0
> 00535c14 <sched_wakeup+0xa4> bl 0053583c <sched_add>
> 00535c18 <sched_wakeup+0xa8> lwz r11,0(r1)
> setrunnable+0xa0
> sleepq_resume_thread+0x180
> sleepq_timeout+0xcc
> softclock_call_cc+0x1f4
> callout_process+0x280
> handleevents+0x2ac
> timercb+0x4c4
> decr_intr+0xf4
> powerpc_dispatch_intr+0xf8
> trapexit+0x0 (after trapagain+0x4) for 0x900 trap (vmcore.5: 0x500)
>
> cpu_idle_60x+0x88
> . . . (not shown)
>
>
>
> From the vmcore.5:
> (The formatting depends on mono-spaced text)
>
> [ ]: trapexit+0x0 (after trapagain+0x4)
> 013ed680 df 5e a7 40 00 10 08 f8 00 00 00 04 df 5e a7 40 |.^. at .........^.@|
> 013ed690 01 47 d3 60 00 00 00 14 01 47 e3 60 00 00 00 04 |.G.`.....G.`....|
> 013ed6a0 00 00 00 04 00 fd 98 7f 00 00 00 00 00 d4 c0 50 |...............P|
> 013ed6b0 01 47 d3 60 df 5e a7 80 df 5d 0d 00 00 00 00 00 |.G.`.^...]......|
> 013ed6c0 00 d4 be 00 00 cb 98 98 00 c9 66 bc 00 c4 5e a8 |..........f...^.|
> 013ed6d0 00 c9 66 bc 00 d4 c5 4c df 5e a9 e0 00 eb a8 00 |..f....L.^......|
> 013ed6e0 00 c9 66 bc 01 47 d3 60 00 00 00 00 df 5e a8 78 |..f..G.`.....^.x|
> 013ed6f0 01 44 0e 00 01 47 d3 60 00 eb af 00 01 47 d3 60 |.D...G.`.....G.`|
> 013ed700 00 d1 ca ac df 5e a7 40 00 53 5a d0 20 00 90 34 |.....^. at .SZ. ..4|
> [ ]: sched_affinity+0x18
>
> [ ]: From .hash section
> 013ed710 00 00 00 00 00 8d ef b4 00 90 a0 f0 10 00 10 32 |...............2|
> [0x400 trap]
> 013ed720 00 00 04 00 41 a1 e5 68 0a 00 00 00 01 47 e3 60 |....A..h.....G.`|
> 013ed730 00 eb af 00 01 47 d3 60 00 d1 ca ac df 5e a7 40 |.....G.`.....^.@|
>
> [ ]: sched_add+0x1a0
> 013ed740 df 5e a7 80 00 53 59 dc 00 c9 66 bc 00 d4 c5 4c |.^...SY...f....L|
> 013ed750 df 5e a9 e0 00 eb a8 00 00 c9 66 bc 00 00 00 04 |.^........f.....|
> 013ed760 00 00 00 00 df 5e a8 78 01 44 0e 00 01 47 d3 60 |.....^.x.D...G.`|
> 013ed770 01 47 e3 60 01 51 ff 80 00 d1 b4 30 df 5e a7 80 |.G.`.Q.....0.^..|
>
> [ ]: intr_event_schedule_thread+0xd0
> 013ed780 df 5e a7 b0 00 4a 87 8c 6d 0c 21 5c df 5e 00 00 |.^...J..m.!\.^..|
> 013ed790 df 5e a7 b0 00 00 00 7c 00 00 00 00 01 47 d3 60 |.^.....|.....G.`|
> 013ed7a0 00 00 00 01 00 00 00 00 00 d2 6e 70 df 5e a7 b0 |..........np.^..|
>
> [ ]: intr_event_handle+0x114
> 013ed7b0 df 5e a7 e0 00 4a 95 fc 00 c9 66 bc 00 00 00 00 |.^...J....f.....|
> 013ed7c0 df 5e a9 8c df 5e a8 78 df 5e a8 78 01 44 0e 00 |.^...^.x.^.x.D..|
> 013ed7d0 00 02 10 a0 01 48 b2 80 00 d2 6e 70 df 5e a7 e0 |.....H....np.^..|
>
> [ ]: powerpc_dispatch_intr+0xcc
> 013ed7e0 df 5e a8 10 00 8e 91 8c df 5e a7 f0 00 cf 48 a8 |.^.......^....H.|
> 013ed7f0 df 5e a8 10 df 5e a8 78 01 47 d3 60 df 5e a8 78 |.^...^.x.G.`.^.x|
> 013ed800 00 02 10 a0 01 4c d4 00 00 d2 70 2c df 5e a8 10 |.....L....p,.^..|
>
> [ ]: openpic_dispatch+0x94
> 013ed810 df 5e a8 40 00 8e c9 48 ec 94 8e 64 e6 38 8f 72 |.^. at ...H...d.8.r|
> 013ed820 df 5e a8 40 00 00 00 02 00 00 00 00 00 eb af 00 |.^. at ............|
> 013ed830 41 a1 e5 68 01 48 b1 00 00 d2 6e 60 df 5e a8 40 |A..h.H....n`.^.@|
>
> [ ]: powerpc_interrupt+0xc4
> 013ed840 df 5e a8 70 00 8e 7d 28 8b 00 00 00 00 00 55 c4 |.^.p..}(......U.|
> 013ed850 00 cd f0 74 00 00 00 03 00 00 00 03 00 eb af 00 |...t............|
> 013ed860 41 a1 e5 68 0a 00 00 00 00 00 00 00 00 00 90 32 |A..h...........2|
>
> [ ]: trapexit+0x0 (after trapagain+0x4)
> 013ed870 df 5e a9 30 00 10 08 f8 00 04 90 32 df 5e a9 30 |.^.0.......2.^.0|
> 013ed880 01 47 d3 60 00 00 00 00 7f a3 8e 84 00 00 00 00 |.G.`............|
> 013ed890 7f a3 8e 84 00 fd 98 7f 00 00 00 00 00 00 00 44 |...............D|
> 013ed8a0 01 fc a0 55 00 00 90 32 df 5d 0d 00 00 00 00 00 |...U...2.]......|
> 013ed8b0 00 d4 be 00 00 cb 98 98 00 c9 66 bc 00 c4 5e a8 |..........f...^.|
> 013ed8c0 00 c9 66 bc 00 d4 c5 4c df 5e a9 e0 00 eb a8 00 |..f....L.^......|
> 013ed8d0 00 c9 66 bc 01 47 d3 60 df 5e a9 8c 00 00 00 03 |..f..G.`.^......|
> 013ed8e0 00 00 00 03 00 eb af 00 00 00 00 00 00 8e 3c b8 |..............<.|
> 013ed8f0 00 d2 6c 04 df 5e a9 30 00 8e 3c d4 40 00 00 42 |..l..^.0..<. at ..B|
>
> [ ]: cpu_idle_60x+0x88
> 013ed900 20 00 00 00 00 8e 3c b8 00 8e 3d 40 00 00 90 32 | .....<...=@...2|
> [0x500 trap]
> 013ed910 00 00 05 00 41 a1 e5 68 0a 00 00 00 00 00 00 00 |....A..h........|
> 013ed920 0b 5c 71 7c 79 c0 d7 fc 00 00 00 00 00 00 00 04 |.\q|y...........|
>
> [ignore? ] (see above trap frame)
> 013ed930 df 5e a9 50 00 00 00 03 00 00 00 03 00 eb af 00 |.^.P............|
> 013ed940 00 00 00 00 00 d4 ca 44 00 d2 6c 04 df 5e a9 50 |.......D..l..^.P|
>
> [ ]: cpu_idle+0x58
> 013ed950 df 5e a9 70 00 8e 32 5c 00 00 00 02 00 eb af 00 |.^.p..2\........|
> 013ed960 00 f2 d6 7c 00 00 00 03 00 d1 ca ac df 5e a9 70 |...|.........^.p|
>
> [ ]: sched_idletd+0x4d4
> 013ed970 df 5e aa 50 00 53 6e 7c df 5e a9 80 00 00 00 00 |.^.P.Sn|.^......|
> 013ed980 df 5e a9 b0 01 47 d3 60 df 5e a9 90 ff ff ff fd |.^...G.`.^......|
> 013ed990 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013ed9a0 ff ff ff ff ff ff ff ff ff ff ff ff df 5e a9 b0 |.............^..|
> 013ed9b0 df 5e a9 d0 00 00 00 02 ff ff ff ff 00 00 01 e5 |.^..............|
> 013ed9c0 ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013ed9d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013ed9e0 ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013ed9f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013eda00 df 5e aa 20 00 f6 4a 00 00 00 00 00 00 00 00 00 |.^. ..J.........|
> 013eda10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 013eda30 00 00 00 00 00 53 69 a8 df 5e aa 98 00 00 00 00 |.....Si..^......|
> 013eda40 01 47 96 e0 01 47 d3 60 00 d1 b3 70 df 5e aa 50 |.G...G.`...p.^.P|
>
> [ ]: fork_exit+0xb4
> 013eda50 df 5e aa 80 00 4a 3c b4 df 5e aa 60 df 5e aa 60 |.^...J<..^.`.^.`|
> 013eda60 df 5e aa 80 00 00 00 00 00 00 00 00 00 00 00 00 |.^..............|
> 013eda70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
>
> [ ]: fork_trampoline+0x10
> 013eda80 00 00 00 00 00 8f 19 90 00 53 69 a8 00 00 00 00 |.........Si.....|
> 013eda90 df 5e aa 98 00 00 00 00 00 00 00 00 00 00 00 00 |.^..............|
> 013edaa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
>
>
>
> From the vmcore.6:
>
> [ ]: trapexit+0x0 (after trapagain+0x4)
> 013ed4d0 df 5e a5 90 00 10 08 f8 00 00 00 04 df 5e a5 90 |.^...........^..|
> 013ed4e0 01 47 d3 60 00 00 00 54 05 91 b0 00 00 00 00 00 |.G.`...T........|
> 013ed4f0 00 00 00 00 00 00 00 0f 00 00 00 00 00 d4 c0 50 |...............P|
> 013ed500 01 47 d3 60 df 5e a5 d0 00 00 00 00 00 00 00 00 |.G.`.^..........|
> 013ed510 00 d4 be 00 00 cb 98 98 00 d4 c4 6c 00 d4 c4 6c |...........l...l|
> 013ed520 00 11 11 97 00 11 12 16 00 00 11 11 05 91 b0 00 |................|
> 013ed530 00 56 64 30 00 00 01 14 00 00 00 00 00 00 00 00 |.Vd0............|
> 013ed540 00 00 00 01 00 00 00 00 00 eb af 00 01 47 d3 60 |.............G.`|
> 013ed550 00 d1 ca ac df 5e a5 90 00 53 5a d0 20 00 90 34 |.....^...SZ. ..4|
> [ ]: sched_affinity+0x18
>
> [ ]: From .hash section
> 013ed560 00 00 00 00 00 00 00 00 00 90 a0 f0 10 00 10 32 |...............2|
> [0x400 trap]
> 013ed570 00 00 04 00 01 81 a4 7c 0a 00 00 00 05 91 b0 00 |.......|........|
> 013ed580 00 eb af 00 01 47 d3 60 00 d1 ca ac df 5e a5 90 |.....G.`.....^..|
>
> [ ]: sched_add+0x1a0
> 013ed590 df 5e a5 d0 00 53 59 dc 00 00 00 01 00 d4 c5 4c |.^...SY........L|
> 013ed5a0 df 5e 00 00 00 00 00 40 df 5e a5 b0 00 00 00 04 |.^..... at .^......|
> 013ed5b0 df 5e a5 d0 00 00 00 00 00 00 00 01 00 00 00 00 |.^..............|
> 013ed5c0 05 91 b3 28 05 91 b0 00 00 d1 ca ac df 5e a5 d0 |...(.........^..|
>
> [ ]: sched_wakeup+0xa8
> 013ed5d0 df 5e a5 f0 00 53 5c 18 00 00 00 00 00 00 00 00 |.^...S\.........|
> 013ed5e0 01 42 b0 80 05 91 b0 00 00 d1 c4 c4 df 5e a5 f0 |.B...........^..|
>
> [ ]: setrunnable+0xa0
> 013ed5f0 df 5e a6 10 00 50 26 08 df 5e a6 00 00 cb 98 98 |.^...P&..^......|
> 013ed600 df 5e a6 40 00 d4 c4 6c 00 d1 d5 34 df 5e a6 10 |.^. at ...l...4.^..|
>
> [ ]: sleepq_resume_thread+0x180
> 013ed610 df 5e a6 40 00 56 43 2c 00 56 64 30 00 00 01 14 |.^. at .VC,.Vd0....|
> 013ed620 df 5e a6 40 00 00 00 00 00 00 00 01 00 00 11 11 |.^. at ............|
> 013ed630 8a d3 94 2a 05 91 b0 00 00 d1 d5 34 df 5e a6 40 |...*.......4.^.@|
>
> [ ]: sleepq_timeout+0xcc
> 013ed640 df 5e a6 80 00 56 64 fc 00 c9 66 bc 00 00 00 00 |.^...Vd...f.....|
> 013ed650 00 00 11 11 00 00 00 00 97 a0 fc 3d 80 96 c0 38 |...........=...8|
> 013ed660 df 5e a6 80 00 8e a5 04 00 d2 5b 10 05 91 b2 a0 |.^........[.....|
> 013ed670 00 e9 58 00 00 00 00 00 00 d1 c8 20 df 5e a6 80 |..X........ .^..|
>
> [ ]: softclock_call_cc+0x1f4
> 013ed680 df 5e a6 f0 00 51 63 84 00 d2 5b 10 df 5e a6 90 |.^...Qc...[..^..|
> 013ed690 df 5e a6 f0 00 8a ca a8 df 5e a6 a0 00 00 00 0f |.^.......^......|
> 013ed6a0 df 5e a7 10 00 4c e2 f4 68 fc 88 02 00 00 00 04 |.^...L..h.......|
> 013ed6b0 df 5e a6 d0 00 00 00 02 00 11 11 97 00 11 12 16 |.^..............|
> 013ed6c0 00 00 11 11 d7 a0 9d 9d 00 11 11 8a 00 00 11 11 |................|
> 013ed6d0 97 a0 9d 9d 00 00 11 12 17 00 00 00 00 00 11 12 |................|
> 013ed6e0 17 00 00 00 00 e9 58 00 00 d1 c8 20 df 5e a6 f0 |......X.... .^..|
>
> [ ]: callout_process+0x280
> 013ed6f0 df 5e a7 50 00 51 77 c0 df 5e a8 78 01 47 d3 60 |.^.P.Qw..^.x.G.`|
> 013ed700 01 47 d4 58 00 00 00 00 00 d1 ab 24 00 00 00 04 |.G.X.......$....|
> 013ed710 00 c9 66 bc 00 c4 5e a8 00 c9 66 bc 00 d4 c5 4c |..f...^...f....L|
> 013ed720 00 d0 53 00 00 eb a8 00 00 00 00 01 00 00 00 00 |..S.............|
> 013ed730 df 5e a9 8c 00 00 00 00 df 5e a8 78 00 00 11 11 |.^.......^.x....|
> 013ed740 97 a0 9d 9d df 5d 0d 00 00 d2 5b 10 df 5e a7 50 |.....]....[..^.P|
>
> [ ]: handleevents+0x2ac
> 013ed750 df 5e a7 a0 00 8a b2 70 df 5e a7 60 df 5e a7 60 |.^.....p.^.`.^.`|
> 013ed760 df 5e a7 a0 00 53 49 dc 00 d2 5b 10 00 00 00 04 |.^...SI...[.....|
> 013ed770 df 5e a7 c0 05 9b d2 00 00 c9 66 bc 01 47 d3 60 |.^........f..G.`|
> 013ed780 df 5e a9 8c 00 f6 1d 90 00 00 11 11 97 a0 9d 9d |.^..............|
> 013ed790 df 5d 0d 00 df 5d 0d 30 00 d2 5b 10 df 5e a7 a0 |.]...].0..[..^..|
>
> [ ]: timercb+0x4c4
> 013ed7a0 df 5e a8 20 00 8a d1 10 00 d2 6e 70 df 5e a7 b0 |.^. ......np.^..|
> 013ed7b0 df 5e a7 e0 00 4a 96 00 00 00 11 11 00 00 00 00 |.^...J..........|
> 013ed7c0 97 a0 9d 9d 53 27 aa d0 df 5e a8 78 05 86 37 00 |....S'...^.x..7.|
> 013ed7d0 df 5e a7 f0 05 86 37 80 00 d4 be 00 00 cb 98 98 |.^....7.........|
> 013ed7e0 00 c9 66 bc 00 c4 5e a8 00 c9 66 bc 00 d4 c5 4c |..f...^...f....L|
> 013ed7f0 df 5e a9 e0 00 eb a8 00 00 c9 66 bc 01 47 d3 60 |.^........f..G.`|
> 013ed800 df 5e a9 8c df 5e a8 78 01 47 d3 60 00 00 00 00 |.^...^.x.G.`....|
> 013ed810 00 f6 1d 90 00 00 00 01 00 d2 6b dc df 5e a8 20 |..........k..^. |
>
> [ ]: decr_intr+0xf4
> 013ed820 df 5e a8 40 00 8e 1f 08 00 00 00 00 00 00 00 04 |.^. at ............|
> 013ed830 01 47 d4 34 00 00 00 01 00 d2 6e 60 df 5e a8 40 |.G.4......n`.^.@|
>
> [ ]: powerpc_dispatch_intr+0xf8
> 013ed840 df 5e a8 70 00 8e 7d 5c 00 d1 ca ac df 5e a8 50 |.^.p..}\.....^.P|
> 013ed850 00 cd f0 74 00 00 00 03 00 00 00 03 00 eb af 00 |...t............|
> 013ed860 01 81 a4 7c 0a 00 00 00 00 00 00 00 00 00 90 32 |...|...........2|
>
> [ ]: trapexit+0x0 (after trapagain+0x4)
> 013ed870 df 5e a9 30 00 10 08 f8 00 04 90 32 df 5e a9 30 |.^.0.......2.^.0|
> 013ed880 01 47 d3 60 00 00 00 00 0d 0a d2 89 00 00 00 00 |.G.`............|
> 013ed890 0d 0a d2 89 00 19 e9 a4 00 00 00 00 00 00 00 44 |...............D|
> 013ed8a0 01 fc a0 55 00 00 90 32 df 5d 0d 00 00 00 00 00 |...U...2.]......|
> 013ed8b0 00 d4 be 00 00 cb 98 98 00 c9 66 bc 00 c4 5e a8 |..........f...^.|
> 013ed8c0 00 c9 66 bc 00 d4 c5 4c df 5e a9 e0 00 eb a8 00 |..f....L.^......|
> 013ed8d0 00 c9 66 bc 01 47 d3 60 df 5e a9 8c 00 00 00 03 |..f..G.`.^......|
> 013ed8e0 00 00 00 03 00 eb af 00 00 00 00 00 00 8e 3c b8 |..............<.|
> 013ed8f0 00 d2 6c 04 df 5e a9 30 00 8e 3c d4 40 00 00 42 |..l..^.0..<. at ..B|
>
> [ ]: cpu_idle_60x+0x88
> 013ed900 20 00 00 00 00 8e 3c b8 00 8e 3d 40 00 00 90 32 | .....<...=@...2|
> [0x900 trap]
> 013ed910 00 00 09 00 01 81 a4 7c 0a 00 00 00 00 00 00 00 |.......|........|
> 013ed920 8a 95 8e 6d 80 4a 8c 8c 00 00 00 00 00 00 00 04 |...m.J..........|
>
> [ignore? ] (see above trap frame)
> 013ed930 df 5e a9 50 00 00 00 03 00 00 00 03 00 eb af 00 |.^.P............|
> 013ed940 00 00 00 00 00 d4 ca 44 00 d2 6c 04 df 5e a9 50 |.......D..l..^.P|
>
> [ ]: cpu_idle+0x58
> 013ed950 df 5e a9 70 00 8e 32 5c 00 00 00 02 00 eb af 00 |.^.p..2\........|
> 013ed960 00 f2 d6 7c 00 00 00 03 00 d1 ca ac df 5e a9 70 |...|.........^.p|
>
> [ ]: sched_idletd+0x4d4
> 013ed970 df 5e aa 50 00 53 6e 7c df 5e a9 80 00 00 00 00 |.^.P.Sn|.^......|
> 013ed980 df 5e a9 b0 01 47 d3 60 00 d2 5b 10 ff ff ff fd |.^...G.`..[.....|
> 013ed990 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013ed9a0 ff ff ff ff ff ff ff ff ff ff ff ff df 5e a9 b0 |.............^..|
> 013ed9b0 df 5e a9 d0 00 00 00 02 ff ff ff ff 00 00 01 e5 |.^..............|
> 013ed9c0 ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013ed9d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013ed9e0 ff ff ff fd ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013ed9f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
> 013eda00 df 5e aa 50 00 f6 4a 00 00 00 00 00 00 00 00 00 |.^.P..J.........|
> 013eda10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> *
> 013eda30 00 00 00 00 00 53 69 a8 df 5e aa 98 00 00 00 00 |.....Si..^......|
> 013eda40 01 47 96 e0 01 47 d3 60 00 d1 b3 70 df 5e aa 50 |.G...G.`...p.^.P|
>
> [ ]: fork_exit+0xb4
> 013eda50 df 5e aa 80 00 4a 3c b4 df 5e aa 60 fa 50 05 af |.^...J<..^.`.P..|
> 013eda60 df 5e aa 80 00 00 00 00 00 00 00 00 00 00 00 00 |.^..............|
> 013eda70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
>
> [ ]: fork_trampoline+0x10
> 013eda80 00 00 00 00 00 8f 19 90 00 53 69 a8 00 00 00 00 |.........Si.....|
> 013eda90 df 5e aa 98 00 00 00 00 00 00 00 00 00 00 00 00 |.^..............|
> 013edaa0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
>
>
> FYI: The memory protection debugging hack in (and some
> before):
>
> void
> moea64_kenter_attr(mmu_t mmu, vm_offset_t va, vm_paddr_t pa, vm_memattr_t ma)
>
> is currently:
>
> # svnlite diff /usr/src/sys/powerpc/aim/mmu_oea64.c
> Index: /usr/src/sys/powerpc/aim/mmu_oea64.c
> ===================================================================
> --- /usr/src/sys/powerpc/aim/mmu_oea64.c (revision 317820)
> +++ /usr/src/sys/powerpc/aim/mmu_oea64.c (working copy)
> @@ -1752,6 +1752,18 @@
> PV_PAGE_UNLOCK(m);
> }
>
> +#if defined(AIM) && !defined(__powerpc64__)
> +//
> +// Part of PowerMac G5 HACK FOR PROBLEM FINDING. . .
> +// (G5 used via 32-bit FreeBSD.)
> +//
> +
> +extern char _GOT_START_[]; // beginning of .got/.got.plt
> +extern char _GOT_END_[]; // ending of .got/.got.plt
> +
> +extern vm_offset_t __startkernel, __endkernel;
> +#endif
> +
> /*
> * Map a wired page into kernel virtual address space.
> */
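Review bot: `__startkernel` is declared in this hunk but is never read in the moea64_kenter_attr change that follows (only `etext`, `_GOT_START_`/`_GOT_END_` and `__endkernel` bound the non-executable range), so either drop it or use it as the explicit lower bound of the "rest of the kernel" region. Two things worth stating in the comment as well: `_GOT_START_` and `_GOT_END_` have to be provided by the kernel linker script, and that part is not in this diff, so a reader cannot see where the .got/.got.plt bounds come from; and style(9) uses `/* ... */` rather than `//` comments, which matters only if any of this outlives the experiment.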
> @@ -1762,6 +1774,52 @@
> struct pvo_entry *pvo, *oldpvo;
>
> pvo = alloc_pvo_entry(0);
> +#if defined(AIM) && !defined(__powerpc64__)
> + //
> + // PowerMac G5 HACK FOR PROBLEM FINDING. . .
> + // (G5 used via 32-bit FreeBSD.)
> + //
> + // As a problem-finding-aid try to catch some examples of
> + // jumping to non-code in the kernel before it tries to
> + // execute that that code. Hopefully this will show where
> + // the bad jump into the likes of the .hash section is
> + // happening. (dbb bt and vmcore.*'s have not lead to
> + // that information so far.)
> + //
> + if (cpu_features & PPC_FEATURE_64)
> + {
> + // First deal with pages that should have the original
> + // VM_PROT_EXECUTE status for something on the page
> + // (most pages in the kernel area). So pages with some
> + // byte(s) from .text, .got, or .got.plt, along with
> + // any requested from before where __startkernel
> + // indicates. Also any va requested from a page
> + // containing where __endkernel indicates or later
> + // gets VM_PROT_EXECUTE if such a va is requested.
> + //
> + // So: have just the rest of the kernel area not have
> + // VM_PROT_EXECUTE status in hopes that it will report
> + // where the code is that is making bad jumps to
> + // non-code, such as jumping into the .hash section
> + // instead of reporting on illegal instructions
> + // from the incorrect traget area.
> + //
> + if ( va < ((vm_offset_t)(etext+(PAGE_SIZE-1)) & ~PAGE_MASK) )
> + pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
> +
> + else if ( ((vm_offset_t)_GOT_START_ & ~PAGE_MASK) <= va
> + && va < ((vm_offset_t)(_GOT_END_+(PAGE_SIZE-1)) & ~PAGE_MASK)
> + )
> + pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
> +
> + else if ( va < (__endkernel & ~PAGE_MASK) )
> + pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE;
> +
> + else // Otherwise do as before the HACK:
> + pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
> + }
> + else
> +#endif
> pvo->pvo_pte.prot = VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE;
> pvo->pvo_pte.pa = (pa & ~ADDR_POFF) | moea64_calc_wimg(pa, ma);
> pvo->pvo_vaddr |= PVO_WIRED;
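Review bot: the hand-written page rounding in the three conditions (`(x+(PAGE_SIZE-1)) & ~PAGE_MASK` and `x & ~PAGE_MASK`) is exactly what the existing `round_page()` and `trunc_page()` macros do, so `va < round_page((vm_offset_t)etext)` and `va < trunc_page(__endkernel)` would read better and remove one place to get a cast wrong. The branch structure also hides the intent: three of the four branches assign the same RWX value as the pre-hack default, so assigning the default first and then clearing VM_PROT_EXECUTE only when `round_page(etext) <= va < trunc_page(__endkernel)` and `va` is outside the GOT pages turns four branches into one condition and drops the duplicated fallback line. Since the rounding deliberately keeps the page that straddles `etext` and the page containing `__endkernel` executable, say so in the comment. Typos in the comment: "dbb" for "ddb", "traget" for "target".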
>
> Being va based for when to avoid VM_PROT_EXECUTE
> this way means that the openfirmware related
> virtual addresses that go through this code still
> get VM_PROT_EXECUTE --even if some had pa's in the
> loaded kernel's address range (if such were
> possible).
>
>
>
> Note: While 32-bit powerpc FreeBSD uses a relocatable
> kernel format it seems to not actually change the
> code addresses on the G5 from what objdump reports
> when looking at /boot/kernel/kernel .
Below I compare and contrast the
vmcore.5 and vmcore.6 register
values that were reported by ddb
at the time (via show reg).
r0, r2, r9, r10, r14, r15, r24,
r28, r29, r30, srr0, srr1, lr,
cr, xer, and dsisr have the same
values and the others do not.
The pointers into the stacks are
different in specific value when
both vmcore.*'s have a stack
address in the same register. But
both point into the same stack
area in such cases. (But vmcore.*'s
happened to get the problem on
cpu 1's idle thread so this is
expected.)
reg: vmcore.5's value, vmcore.6's value
r0: 0x4, 0x4
r1: 0xdf5ea740, 0xdf5ea590
r2: 0x147d360, 0x147d360
r3: 0x14, 0x54
r4: 0x147de60, 0x591b000
r5: 0x4, 0
r6: 0x4, 0
r7: 0xfd987f end+0x50cf, 0xf
r8: 0, 0
r9: 0xd4c050 cold, 0xd4c050 cold
r10: 0x147d360, 0x147d360
r11: 0xdf5ea780, 0xdf5ea5d0
r12: 0xdf5d0d00, 0
r13: 0, 0
r14: 0xd4be00 sdt_probe_func, 0xd4be00 sdt_probe_func
r15: 0xcb9898 sdt_lockstat__spin__release, 0xcb9898 sdt_lockstat__spin__release
r16: 0xc966bc sched_interact, 0xd4c46c callwheelmask
r17: 0xc45ea8, 0xd4c46c callwheelmask
r18: 0xc966bc sched_interact, 0x111197 xpt_done_process+0x617
r19: 0xd4c54c smp_started, 0x111216 xpt_done_process+0x696
r20: 0xdfea9e0, 0x1111 dsmisssize+0x1021
r21: 0xeb800 tdq_cpu, 0x591b000
r22: 0xc966bc sched_interact, 0x566430 sleepq_timeout
r23: 0x147d360, 0x114 dsmisssize+0x24
r24: 0, 0
r25: 0xdf5ea878, 0
r26: 0x1440e00, 0x1
r27: 0x147d360, 0
r28: 0xebaf00 tdq_cpu+0x700, 0xebaf00 tdq_cpu+0x700
r29: 0x147d360, 0x147d360
r30: 0xd1caac, 0xd1caac
r31: 0xdf5ea740, 0xdf5ea590
srr0: 0x90a0f0 etext+0xb8fc, 0x90a0f0 etext+0xb8fc
srr1: 0x10001032, 0x10001032
lr: 0x535ad0 sched_affinity+0x18, 0x535ad0 sched_affinity+0x18
ctr: 0x8defb4 bs_be_ws_4, 0
cr: 0x20009034, 0x20009034
xer: 0, 0
dar: 0x41a1e568, 0x181a47c
dsisr: 0xa000000, 0xa000000
===
Mark Millard
markmi at dsl-only.net
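The frame chain and the 0x400 trap frame that the post reconstructs by hand from the hexdump can be rebuilt mechanically, which also makes the two-vmcore comparison repeatable. The following is an added example (my code, not code from the post, from its author, or from FreeBSD): it parses the vmcore.5 dump lines quoted above, walks the 32-bit PowerPC back chain, symbolizes each saved LR against a table derived from the objdump lines and "sym+off" labels in the post, decodes the trap frame and classifies srr0 against etext. Assumptions, all labelled in the code as well: a constant offset between kernel virtual addresses and dump offsets (taken from r1 == 0xdf5ea740 appearing at 0x013ed740), KERNBASE 0x100000 as the start of text, the 32-bit struct trapframe layout (fixreg[32], lr, cr, xer, ctr, srr0, srr1, exc, dar, dsisr), and the SRR1/MSR bit names as I recall them from FreeBSD's spr.h and psl.h.

```python
# Added example (not from the original post or FreeBSD): rebuild the backtrace
# from the quoted vmcore.5 stack dump, decode its 0x400 trap frame, classify srr0.
import re
from bisect import bisect_right

# Lines copied from the vmcore.5 dump in the post; only the lines the code reads
# are embedded. Non-matching lines (e.g. hexdump's '*' repeat marker) are skipped.
DUMP = r"""
013ed680 df 5e a7 40 00 10 08 f8 00 00 00 04 df 5e a7 40 |.^.@.........^.@|
013ed700 00 d1 ca ac df 5e a7 40 00 53 5a d0 20 00 90 34 |.....^.@.SZ. ..4|
013ed710 00 00 00 00 00 8d ef b4 00 90 a0 f0 10 00 10 32 |...............2|
013ed720 00 00 04 00 41 a1 e5 68 0a 00 00 00 01 47 e3 60 |....A..h.....G.`|
013ed740 df 5e a7 80 00 53 59 dc 00 c9 66 bc 00 d4 c5 4c |.^...SY...f....L|
013ed780 df 5e a7 b0 00 4a 87 8c 6d 0c 21 5c df 5e 00 00 |.^...J..m.!\.^..|
013ed7b0 df 5e a7 e0 00 4a 95 fc 00 c9 66 bc 00 00 00 00 |.^...J....f.....|
013ed7e0 df 5e a8 10 00 8e 91 8c df 5e a7 f0 00 cf 48 a8 |.^.......^....H.|
013ed810 df 5e a8 40 00 8e c9 48 ec 94 8e 64 e6 38 8f 72 |.^.@...H...d.8.r|
013ed840 df 5e a8 70 00 8e 7d 28 8b 00 00 00 00 00 55 c4 |.^.p..}(......U.|
013ed870 df 5e a9 30 00 10 08 f8 00 04 90 32 df 5e a9 30 |.^.0.......2.^.0|
013ed930 df 5e a9 50 00 00 00 03 00 00 00 03 00 eb af 00 |.^.P............|
013ed950 df 5e a9 70 00 8e 32 5c 00 00 00 02 00 eb af 00 |.^.p..2\........|
013ed970 df 5e aa 50 00 53 6e 7c df 5e a9 80 00 00 00 00 |.^.P.Sn|.^......|
013eda50 df 5e aa 80 00 4a 3c b4 df 5e aa 60 df 5e aa 60 |.^...J<..^.`.^.`|
013eda80 00 00 00 00 00 8f 19 90 00 53 69 a8 00 00 00 00 |.........Si.....|
"""
# ddb reported r1 == 0xdf5ea740 and that frame sits at dump offset 0x013ed740,
# so (assumption) one constant delta maps kernel VAs to dump offsets.
VA_TO_DUMP = 0xdf5ea740 - 0x013ed740
# etext follows from ddb's "etext+0xb8fc" for srr0; 0x100000 is KERNBASE (assumed).
TEXT_START, ETEXT = 0x100000, 0x90a0f0 - 0xb8fc
# Symbol bases derived from the objdump lines and "sym+off" labels in the post.
SYMBOLS = {"trapexit": 0x1008f8, "fork_exit": 0x4a3c00, "tdq_add": 0x5356ec,
           "intr_event_schedule_thread": 0x4a86bc, "intr_event_handle": 0x4a94e8,
           "sched_add": 0x53583c, "sched_affinity": 0x535ab8, "sched_wakeup": 0x535b70,
           "sched_idletd": 0x5369a8, "cpu_idle": 0x8e3204, "powerpc_interrupt": 0x8e7c64,
           "powerpc_dispatch_intr": 0x8e90c0, "openpic_dispatch": 0x8ec8b4, "fork_trampoline": 0x8f1980}
_ADDRS = sorted(SYMBOLS.values())
_NAMES = {a: n for n, a in SYMBOLS.items()}
# Bit names as in FreeBSD's spr.h / psl.h (quoted from memory: an assumption).
SRR1_ISI_BITS = {0x40000000: "PFAULT", 0x10000000: "NOEXECUTE", 0x08000000: "PP"}
MSR_BITS = {0x8000: "EE", 0x4000: "PR", 0x1000: "ME", 0x20: "IR", 0x10: "DR", 0x2: "RI"}
# 32-bit struct trapframe: fixreg[32] then these; it starts 8 bytes above the
# trapexit stack frame header (back chain word + LR slot).
TF_FIELDS = {"lr": 0x80, "cr": 0x84, "xer": 0x88, "ctr": 0x8c, "srr0": 0x90,
             "srr1": 0x94, "exc": 0x98, "dar": 0x9c, "dsisr": 0xa0}
LINE_RE = re.compile(r"^([0-9a-f]{8})((?: [0-9a-f]{2}){1,16})\s*\|")

def parse_hexdump(text):
    """Map each 16-byte line's dump offset to its bytes; other lines are skipped."""
    mem = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mem[int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
    return mem

def read_word(mem, va):
    """Big-endian 32-bit load at a kernel VA; None if that line is not in the dump."""
    off = va - VA_TO_DUMP
    row, i = mem.get(off & ~0xf), off & 0xf
    return None if row is None else int.from_bytes(row[i:i + 4], "big")

def symbolize(addr):
    """Nearest preceding symbol, as ddb prints; only as exact as the table is complete."""
    if addr >= ETEXT:
        return "etext+0x%x (not code)" % (addr - ETEXT)
    if addr < TEXT_START:
        return "<not in .text>"
    i = bisect_right(_ADDRS, addr) - 1
    return "<unknown>" if i < 0 else "%s+0x%x" % (_NAMES[_ADDRS[i]], addr - _ADDRS[i])

def walk_frames(mem, r1, limit=32):
    """Follow the SVR4 back chain: word 0 of a frame is the caller's r1, word 1 the LR
    slot its callee filled (the return address into the frame's owner, which is the
    pairing behind the post's '[ ]: sym+off' labels)."""
    frames, sp = [], r1
    while sp and len(frames) < limit:
        back, lr = read_word(mem, sp), read_word(mem, sp + 4)
        if back is None or lr is None:
            break
        frames.append((sp, lr, symbolize(lr)))
        if back <= sp:  # must move up the stack: 0 ends the chain, a loop is corruption
            break
        sp = back
    return frames

def decode_trapframe(mem, trapexit_frame_va):
    tf = trapexit_frame_va + 8
    regs = {"r0": read_word(mem, tf), "r1": read_word(mem, tf + 4)}
    regs.update((k, read_word(mem, tf + off)) for k, off in TF_FIELDS.items())
    return regs

def decode_isi_srr1(srr1):
    """Split SRR1 of a 0x400 trap into ISI cause bits and the MSR bits copied into it."""
    return ([n for b, n in SRR1_ISI_BITS.items() if srr1 & b],
            [n for b, n in MSR_BITS.items() if srr1 & b])

def analyze(dump_text, trapexit_frame_va):
    mem = parse_hexdump(dump_text)
    tf = decode_trapframe(mem, trapexit_frame_va)
    cause, msr = decode_isi_srr1(tf["srr1"])
    return {"trapframe": tf, "srr0_sym": symbolize(tf["srr0"]), "isi_cause": cause,
            "msr": msr, "frames": walk_frames(mem, tf["r1"])}
```

Calling `analyze(DUMP, 0xdf5ea680)` (the trapexit frame for vmcore.5) reproduces the post's labels from sched_add+0x1a0 down to fork_trampoline+0x10, flags the frame the post marks "[ignore?]" because its LR slot holds 0x3 rather than a text address, and reports srr0 as etext+0xb8fc with only the NOEXECUTE bit set in SRR1's cause field and EE clear in the copied MSR bits; that combination is the signature of the no-execute mapping doing its job rather than a page fault or an illegal instruction. For vmcore.6, embed its dump lines and start from the trapexit frame at 0xdf5ea4d0; the frame addresses differ, the symbolized chain from sched_add upward is what to compare.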