| blob | 2bebe9a3f96ae2c4807dafb8a54eda0e7b603118 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
26 /*
27 * Page Retire - Big Theory Statement.
28 *
29 * This file handles removing sections of faulty memory from use when the
30 * user land FMA Diagnosis Engine requests that a page be removed or when
31 * a CE or UE is detected by the hardware.
32 *
33 * In the bad old days, the kernel side of Page Retire did a lot of the work
34 * on its own. Now, with the DE keeping track of errors, the kernel side is
35 * rather simple minded on most platforms.
36 *
37 * Errors are all reflected to the DE, and after digesting the error and
38 * looking at all previously reported errors, the DE decides what should
39 * be done about the current error. If the DE wants a particular page to
40 * be retired, then the kernel page retire code is invoked via an ioctl.
41 * On non-FMA platforms, the ue_drain and ce_drain paths ends up calling
42 * page retire to handle the error. Since page retire is just a simple
43 * mechanism it doesn't need to differentiate between the different callers.
44 *
45 * The p_toxic field in the page_t is used to indicate which errors have
46 * occurred and what action has been taken on a given page. Because errors are
47 * reported without regard to the locked state of a page, no locks are used
48 * to SET the error bits in p_toxic. However, in order to clear the error
49 * bits, the page_t must be held exclusively locked.
50 *
51 * When page_retire() is called, it must be able to acquire locks, sleep, etc.
52 * It must not be called from high-level interrupt context.
53 *
54 * Depending on how the requested page is being used at the time of the retire
55 * request (and on the availability of sufficient system resources), the page
56 * may be retired immediately, or just marked for retirement later. For
57 * example, locked pages are marked, while free pages are retired. Multiple
58 * requests may be made to retire the same page, although there is no need
59 * to: once the p_toxic flags are set, the page will be retired as soon as it
60 * can be exclusively locked.
61 *
62 * The retire mechanism is driven centrally out of page_unlock(). To expedite
63 * the retirement of pages, further requests for SE_SHARED locks are denied
64 * as long as a page retirement is pending. In addition, as long as pages are
65 * pending retirement a background thread runs periodically trying to retire
66 * those pages. Pages which could not be retired while the system is running
67 * are scrubbed prior to rebooting to avoid latent errors on the next boot.
68 *
69 * UE pages without persistent errors are scrubbed and returned to service.
70 * Recidivist pages, as well as FMA-directed requests for retirement, result
71 * in the page being taken out of service. Once the decision is made to take
72 * a page out of service, the page is cleared, hashed onto the retired_pages
73 * vnode, marked as retired, and it is unlocked. No other requesters (except
74 * for unretire) are allowed to lock retired pages.
75 *
76 * The public routines return (sadly) 0 if they worked and a non-zero error
77 * value if something went wrong. This is done for the ioctl side of the
78 * world to allow errors to be reflected all the way out to user land. The
79 * non-zero values are explained in comments atop each function.
80 */
82 /*
83 * Things to fix:
84 *
85 * 1. Trying to retire non-relocatable kvp pages may result in a
86 * quagmire. This is because seg_kmem() no longer keeps its pages locked,
87 * and calls page_lookup() in the free path; since kvp pages are modified
88 * and don't have a usable backing store, page_retire() can't do anything
89 * with them, and we'll keep denying the lock to seg_kmem_free() in a
90 * vicious cycle. To prevent that, we don't deny locks to kvp pages, and
91 * hence only try to retire a page from page_unlock() in the free path.
92 * Since most kernel pages are indefinitely held anyway, and don't
93 * participate in I/O, this is of little consequence.
94 *
95 * 2. Low memory situations will be interesting. If we don't have
96 * enough memory for page_relocate() to succeed, we won't be able to
97 * retire dirty pages; nobody will be able to push them out to disk
98 * either, since we aggressively deny the page lock. We could change
99 * fsflush so it can recognize this situation, grab the lock, and push
100 * the page out, where we'll catch it in the free path and retire it.
101 *
102 * 3. Beware of places that have code like this in them:
103 *
104 * if (! page_tryupgrade(pp)) {
105 * page_unlock(pp);
106 * while (! page_lock(pp, SE_EXCL, NULL, P_RECLAIM)) {
107 * / *NOTHING* /
108 * }
109 * }
110 * page_free(pp);
111 *
112 * The problem is that pp can change identity right after the
113 * page_unlock() call. In particular, page_retire() can step in
114 * there, change pp's identity, and hash pp onto the retired_vnode.
115 *
116 * Of course, other functions besides page_retire() can have the
117 * same effect. A kmem reader can waltz by, set up a mapping to the
118 * page, and then unlock the page. Page_free() will then go castors
119 * up. So if anybody is doing this, it's already a bug.
120 *
121 * 4. mdboot()'s call into page_retire_mdboot() should probably be
122 * moved lower. Where the call is made now, we can get into trouble
123 * by scrubbing a kernel page that is then accessed later.
124 */
126 #include <sys/types.h>
127 #include <sys/param.h>
128 #include <sys/systm.h>
129 #include <sys/mman.h>
130 #include <sys/vnode.h>
131 #include <sys/vfs_opreg.h>
132 #include <sys/cmn_err.h>
133 #include <sys/ksynch.h>
134 #include <sys/thread.h>
135 #include <sys/disp.h>
136 #include <sys/ontrap.h>
137 #include <sys/vmsystm.h>
138 #include <sys/mem_config.h>
139 #include <sys/atomic.h>
140 #include <sys/callb.h>
141 #include <sys/kobj.h>
142 #include <vm/page.h>
143 #include <vm/vm_dep.h>
144 #include <vm/as.h>
145 #include <vm/hat.h>
146 #include <vm/seg_kmem.h>
148 /*
149 * vnode for all pages which are retired from the VM system;
150 */
155 /*
156 * Make a list of all of the pages that have been marked for retirement
157 * but are not yet retired. At system shutdown, we will scrub all of the
158 * pages in the list in case there are outstanding UEs. Then, we
159 * cross-check this list against the number of pages that are yet to be
160 * retired, and if we find inconsistencies, we scan every page_t in the
161 * whole system looking for any pages that need to be scrubbed for UEs.
162 * The background thread also uses this queue to determine which pages
163 * it should keep trying to retire.
164 */
165 #ifdef DEBUG
166 #define PR_PENDING_QMAX 32
168 #define PR_PENDING_QMAX 256
171 kmutex_t pr_q_mutex;
173 /*
174 * Page retire global kstats
175 */
177 kstat_named_t pr_retired;
178 kstat_named_t pr_requested;
179 kstat_named_t pr_requested_free;
180 kstat_named_t pr_enqueue_fail;
181 kstat_named_t pr_dequeue_fail;
182 kstat_named_t pr_pending;
183 kstat_named_t pr_pending_kas;
184 kstat_named_t pr_failed;
185 kstat_named_t pr_failed_kernel;
186 kstat_named_t pr_limit;
187 kstat_named_t pr_limit_exceeded;
188 kstat_named_t pr_fma;
189 kstat_named_t pr_mce;
190 kstat_named_t pr_ue;
191 kstat_named_t pr_ue_cleared_retire;
192 kstat_named_t pr_ue_cleared_free;
193 kstat_named_t pr_ue_persistent;
194 kstat_named_t pr_unretired;
195 };
216 };
220 #define PR_INCR_KSTAT(stat) \
221 atomic_inc_64(&(page_retire_kstat.stat.value.ui64))
222 #define PR_DECR_KSTAT(stat) \
223 atomic_dec_64(&(page_retire_kstat.stat.value.ui64))
225 #define PR_KSTAT_RETIRED_CE (page_retire_kstat.pr_mce.value.ui64)
226 #define PR_KSTAT_RETIRED_FMA (page_retire_kstat.pr_fma.value.ui64)
227 #define PR_KSTAT_RETIRED_NOTUE (PR_KSTAT_RETIRED_CE + PR_KSTAT_RETIRED_FMA)
228 #define PR_KSTAT_PENDING (page_retire_kstat.pr_pending.value.ui64)
229 #define PR_KSTAT_PENDING_KAS (page_retire_kstat.pr_pending_kas.value.ui64)
230 #define PR_KSTAT_EQFAIL (page_retire_kstat.pr_enqueue_fail.value.ui64)
231 #define PR_KSTAT_DQFAIL (page_retire_kstat.pr_dequeue_fail.value.ui64)
233 /*
234 * page retire kstats to list all retired pages
235 */
238 kmutex_t pr_list_kstat_mutex;
240 /*
241 * Limit the number of multiple CE page retires.
242 * The default is 0.1% of physmem, or 1 in 1000 pages. This is set in
243 * basis points, where 100 basis points equals one percent.
244 */
245 #define MCE_BPT 10
247 #define PAGE_RETIRE_LIMIT ((physmem * max_pages_retired_bps) / 10000)
249 /*
250 * Control over the verbosity of page retirement.
251 *
252 * When set to zero (the default), no messages will be printed.
253 * When set to one, summary messages will be printed.
254 * When set > one, all messages will be printed.
255 *
256 * A value of one will trigger detailed messages for retirement operations,
257 * and is intended as a platform tunable for processors where FMA's DE does
258 * not run (e.g., spitfire). Values > one are intended for debugging only.
259 */
262 /*
263 * Control whether or not we return scrubbed UE pages to service.
264 * By default we do not since FMA wants to run its diagnostics first
265 * and then ask us to unretire the page if it passes. Non-FMA platforms
266 * may set this to zero so we will only retire recidivist pages. It should
267 * not be changed by the user.
268 */
271 /*
272 * Master enable for page retire. This prevents a CE or UE early in boot
273 * from trying to retire a page before page_retire_init() has finished
274 * setting things up. This is internal only and is not a tunable!
275 */
280 #ifdef DEBUG
326 #define PR_DEBUG(foo) ((pr_debug.foo)++)
328 /*
329 * A type histogram. We record the incidence of the various toxic
330 * flag combinations along with the interesting page attributes. The
331 * goal is to get as many combinations as we can while driving all
332 * pr_debug values nonzero (indicating we've exercised all possible
333 * code paths across all possible page types). Not all combinations
334 * will make sense -- e.g. PRT_MOD|PRT_KERNEL.
335 *
336 * pr_type offset bit encoding (when examining with a debugger):
337 *
338 * PRT_NAMED - 0x4
339 * PRT_KERNEL - 0x8
340 * PRT_FREE - 0x10
341 * PRT_MOD - 0x20
342 * PRT_FMA - 0x0
343 * PRT_MCE - 0x40
344 * PRT_UE - 0x80
345 */
347 #define PRT_NAMED 0x01
348 #define PRT_KERNEL 0x02
349 #define PRT_FREE 0x04
350 #define PRT_MOD 0x08
352 #define PRT_MCE 0x10
353 #define PRT_UE 0x20
354 #define PRT_ALL 0x3F
358 #define PR_TYPES(pp) { \
359 int whichtype = 0; \
360 if (pp->p_vnode) \
361 whichtype |= PRT_NAMED; \
362 if (PP_ISKAS(pp)) \
363 whichtype |= PRT_KERNEL; \
364 if (PP_ISFREE(pp)) \
365 whichtype |= PRT_FREE; \
366 if (hat_ismod(pp)) \
367 whichtype |= PRT_MOD; \
368 if (pp->p_toxic & PR_UE) \
369 whichtype |= PRT_UE; \
370 if (pp->p_toxic & PR_MCE) \
371 whichtype |= PRT_MCE; \
372 pr_types[whichtype]++; \
373 }
382 #define MTBF(v, f) (((++(v)) & (f)) != (f))
388 #define MTBF(v, f) (1)
392 /*
393 * page_retire_done() - completion processing
394 *
395 * Used by the page_retire code for common completion processing.
396 * It keeps track of how many times a given result has happened,
397 * and writes out an occasional message.
398 *
399 * May be called with a NULL pp (PRD_INVALID_PA case).
400 */
401 #define PRD_INVALID_KEY -1
402 #define PRD_SUCCESS 0
403 #define PRD_PENDING 1
404 #define PRD_FAILED 2
405 #define PRD_DUPLICATE 3
406 #define PRD_INVALID_PA 4
407 #define PRD_LIMIT 5
408 #define PRD_UE_SCRUBBED 6
409 #define PRD_UNR_SUCCESS 7
410 #define PRD_UNR_CANTLOCK 8
411 #define PRD_UNR_NOT 9
422 /* key count retval msglvl message */
443 };
445 /*
446 * print a message if page_retire_messages is true.
447 */
448 #define PR_MESSAGE(debuglvl, msglvl, msg, pa) \
449 { \
450 uint64_t p = (uint64_t)pa; \
451 if (page_retire_messages >= msglvl && msg != NULL) { \
452 cmn_err(debuglvl, msg, \
453 (uint32_t)(p >> 32), (uint32_t)p); \
454 } \
455 }
457 /*
458 * Note that multiple bits may be set in a single settoxic operation.
459 * May be called without the page locked.
460 */
461 void
463 {
465 }
467 /*
468 * Note that multiple bits may cleared in a single clrtoxic operation.
469 * Must be called with the page exclusively locked to prevent races which
470 * may attempt to retire a page without any toxic bits set.
471 * Note that the PR_CAPTURE bit can be cleared without the exclusive lock
472 * being held as there is a separate mutex which protects that bit.
473 */
474 void
476 {
479 }
481 /*
482 * Prints any page retire messages to the user, and decides what
483 * error code is appropriate for the condition reported.
484 */
485 static int
487 {
494 }
501 }
502 }
504 #ifdef DEBUG
507 }
508 #endif
517 }
520 }
522 /*
523 * Act like page_destroy(), but instead of freeing the page, hash it onto
524 * the retired_pages vnode, and mark it retired.
525 *
526 * For fun, we try to scrub the page until it's squeaky clean.
527 * availrmem is adjusted here.
528 */
529 static void
531 {
547 }
558 }
561 availrmem--;
565 }
567 /*
568 * Check whether the number of pages which have been retired already exceeds
569 * the maximum allowable percentage of memory which may be retired.
570 *
571 * Returns 1 if the limit has been exceeded.
572 */
573 static int
575 {
579 }
582 }
586 "reported error; page removed from service"
590 "from service"
592 /*
593 * Attempt to clear a UE from a page.
594 * Returns 1 if the error has been successfully cleared.
595 */
596 static int
598 {
599 caddr_t kaddr;
603 on_trap_data_t otd;
612 /*
613 * Clear the page and attempt to clear the UE. If we trap
614 * on the next access to the page, we know the UE has recurred.
615 */
618 /*
619 * Map the page and write a bunch of bit patterns to compare
620 * what we wrote with what we read back. This isn't a perfect
621 * test but it should be good enough to catch most of the
622 * recurring UEs. If this fails to catch a recurrent UE, we'll
623 * retire the page the next time we see a UE on the page.
624 */
631 /*
632 * Disable preemption to prevent the off chance that
633 * we migrate while in the middle of running through
634 * the bit pattern and run on a different processor
635 * than what we started on.
636 */
639 /*
640 * Fill the page with each (0x00 - 0xFF] bit pattern, flushing
641 * the cache in between reading and writing. We do this under
642 * on_trap() protection to avoid recursion.
643 */
651 }
658 /*
659 * We had a mismatch without a trap.
660 * Uh-oh. Something is really wrong
661 * with this system.
662 */
666 }
669 }
670 }
671 }
672 }
673 out:
679 }
681 /*
682 * Try to clear a page_t with a single UE. If the UE was transient, it is
683 * returned to service, and we return 1. Otherwise we return 0 meaning
684 * that further processing is required to retire the page.
685 */
686 static int
688 {
692 /*
693 * If this page is a repeat offender, retire him under the
694 * "two strikes and you're out" rule. The caller is responsible
695 * for scrubbing the page to try to clear the error.
696 */
700 }
703 /*
704 * We set the PR_SCRUBBED_UE bit; if we ever see this
705 * page again, we will retire it, no questions asked.
706 */
717 /* LINTED: CONSTCOND */
720 }
721 }
725 }
727 /*
728 * Update the statistics dynamically when our kstat is read.
729 */
730 static int
732 {
751 }
752 /*NOTREACHED*/
753 }
755 static int
757 {
758 uint_t count;
767 /* Needs to be under a lock so that for loop will work right */
773 }
778 count++;
779 }
786 }
788 /*
789 * all spans will be pagesize and no coalescing will be done with the
790 * list produced.
791 */
792 static int
794 {
816 }
819 kspmem++;
826 }
830 }
832 /*
833 * page_retire_pend_count -- helper function for page_capture_thread,
834 * returns the number of pages pending retirement.
835 */
836 uint64_t
838 {
840 }
842 uint64_t
844 {
846 }
848 void
850 {
855 }
856 }
858 void
860 {
865 }
866 }
868 /*
869 * Initialize the page retire mechanism:
870 *
871 * - Establish the correctable error retire limit.
872 * - Initialize locks.
873 * - Build the retired_pages vnode.
874 * - Set up the kstats.
875 * - Fire off the background thread.
876 * - Tell page_retire() it's OK to start retiring pages.
877 */
878 void
880 {
883 };
894 }
902 }
913 }
923 }
925 memscrub_notify_func =
930 }
932 /*
933 * page_retire_hunt() callback for the retire thread.
934 */
935 static void
937 {
942 }
943 }
945 /*
946 * Callback used by page_trycapture() to finish off retiring a page.
947 * The page has already been cleaned and we've been given sole access to
948 * it.
949 * Always returns 0 to indicate that callback succeded as the callback never
950 * fails to finish retiring the given page.
951 */
952 /*ARGSUSED*/
953 static int
955 {
964 /*
965 * The problem page is locked, demoted, unmapped, not free,
966 * hashed out, and not COW or mlocked (whew!).
967 *
968 * Now we select our ammunition, take it around back, and shoot it.
969 */
971 ue_error:
979 }
991 }
993 /*
994 * When page_retire_first_ue is set to zero and a UE occurs which is
995 * transient, it's possible that we clear some flags set by a second
996 * UE error on the page which occurs while the first is currently being
997 * handled and thus we need to handle the case where none of the above
998 * are set. In this instance, PR_UE_SCRUBBED should be set and thus
999 * we should execute the UE code above.
1000 */
1003 }
1005 /*
1006 * It's impossible to get here.
1007 */
1010 }
1012 /*
1013 * page_retire() - the front door in to retire a page.
1014 *
1015 * Ideally, page_retire() would instantly retire the requested page.
1016 * Unfortunately, some pages are locked or otherwise tied up and cannot be
1017 * retired right away. We use the page capture logic to deal with this
1018 * situation as it will continuously try to retire the page in the background
1019 * if the first attempt fails. Success is determined by looking to see whether
1020 * the page has been retired after the page_trycapture() attempt.
1021 *
1022 * Returns:
1023 *
1024 * - 0 on success,
1025 * - EINVAL when the PA is whacko,
1026 * - EIO if the page is already retired or already pending retirement, or
1027 * - EAGAIN if the page could not be _immediately_ retired but is pending.
1028 */
1029 int
1031 {
1042 }
1046 }
1050 }
1061 }
1063 /* Avoid setting toxic bits in the first place */
1067 }
1075 }
1078 }
1091 }
1092 }
1093 }
1095 /*
1096 * Take a retired page off the retired-pages vnode and clear the toxic flags.
1097 * If "free" is nonzero, lock it and put it back on the freelist. If "free"
1098 * is zero, the caller already holds SE_EXCL lock so we simply unretire it
1099 * and don't do anything else with it.
1100 *
1101 * Any unretire messages are printed from this routine.
1102 *
1103 * Returns 0 if page pp was unretired; else an error code.
1104 *
1105 * If flags is:
1106 * PR_UNR_FREE - lock the page, clear the toxic flags and free it
1107 * to the freelist.
1108 * PR_UNR_TEMP - lock the page, unretire it, leave the toxic
1109 * bits set as is and return it to the caller.
1110 * PR_UNR_CLEAN - page is SE_EXCL locked, unretire it, clear the
1111 * toxic flags and return it to caller as is.
1112 */
1113 int
1115 {
1116 /*
1117 * To be retired, a page has to be hashed onto the retired_pages vnode
1118 * and have PR_RETIRED set in p_toxic.
1119 */
1128 }
1138 }
1142 else
1151 }
1154 availrmem++;
1161 }
1164 }
1166 /*
1167 * Return a page to service by moving it from the retired_pages vnode
1168 * onto the freelist.
1169 *
1170 * Called from mmioctl_page_retire() on behalf of the FMA DE.
1171 *
1172 * Returns:
1173 *
1174 * - 0 if the page is unretired,
1175 * - EAGAIN if the pp can not be locked,
1176 * - EINVAL if the PA is whacko, and
1177 * - EIO if the pp is not retired.
1178 */
1179 int
1181 {
1187 }
1190 }
1192 /*
1193 * Test a page to see if it is retired. If errors is non-NULL, the toxic
1194 * bits of the page are returned. Returns 0 on success, error code on failure.
1195 */
1196 int
1198 {
1210 }
1212 /*
1213 * We have magically arranged the bit values returned to fmd(1M)
1214 * to line up with the FMA, MCE, and UE bits of the page_t.
1215 */
1221 }
1223 }
1226 }
1228 /*
1229 * Test to see if the page_t for a given PA is retired, and return the
1230 * hardware errors we have seen on the page if requested.
1231 *
1232 * Called from mmioctl_page_retire on behalf of the FMA DE.
1233 *
1234 * Returns:
1235 *
1236 * - 0 if the page is retired,
1237 * - EIO if the page is not retired and has no errors,
1238 * - EAGAIN if the page is not retired but is pending; and
1239 * - EINVAL if the PA is whacko.
1240 */
1241 int
1243 {
1248 }
1253 }
1256 }
1258 /*
1259 * Page retire self-test. For now, it always returns 0.
1260 */
1261 int
1263 {
1266 /*
1267 * Tests the corner case where a large page can't be retired
1268 * because one of the constituent pages is locked. We mark
1269 * one page to be retired and try to retire it, and mark the
1270 * other page to be retired but don't try to retire it, so
1271 * that page_unlock() in the failure path will recurse and try
1272 * to retire THAT page. This is the worst possible situation
1273 * we can get ourselves into.
1274 */
1287 }
1289 /* fails */
1296 }
1301 }