| blob | a7d6434dfc4310e696209a5cc7666a4996d3e7ad |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2016 by Delphix. All rights reserved.
25 */
27 /*
28 * Page Retire - Big Theory Statement.
29 *
30 * This file handles removing sections of faulty memory from use when the
31 * user land FMA Diagnosis Engine requests that a page be removed or when
32 * a CE or UE is detected by the hardware.
33 *
34 * In the bad old days, the kernel side of Page Retire did a lot of the work
35 * on its own. Now, with the DE keeping track of errors, the kernel side is
36 * rather simple minded on most platforms.
37 *
38 * Errors are all reflected to the DE, and after digesting the error and
39 * looking at all previously reported errors, the DE decides what should
40 * be done about the current error. If the DE wants a particular page to
41 * be retired, then the kernel page retire code is invoked via an ioctl.
42 * On non-FMA platforms, the ue_drain and ce_drain paths ends up calling
43 * page retire to handle the error. Since page retire is just a simple
44 * mechanism it doesn't need to differentiate between the different callers.
45 *
46 * The p_toxic field in the page_t is used to indicate which errors have
47 * occurred and what action has been taken on a given page. Because errors are
48 * reported without regard to the locked state of a page, no locks are used
49 * to SET the error bits in p_toxic. However, in order to clear the error
50 * bits, the page_t must be held exclusively locked.
51 *
52 * When page_retire() is called, it must be able to acquire locks, sleep, etc.
53 * It must not be called from high-level interrupt context.
54 *
55 * Depending on how the requested page is being used at the time of the retire
56 * request (and on the availability of sufficient system resources), the page
57 * may be retired immediately, or just marked for retirement later. For
58 * example, locked pages are marked, while free pages are retired. Multiple
59 * requests may be made to retire the same page, although there is no need
60 * to: once the p_toxic flags are set, the page will be retired as soon as it
61 * can be exclusively locked.
62 *
63 * The retire mechanism is driven centrally out of page_unlock(). To expedite
64 * the retirement of pages, further requests for SE_SHARED locks are denied
65 * as long as a page retirement is pending. In addition, as long as pages are
66 * pending retirement a background thread runs periodically trying to retire
67 * those pages. Pages which could not be retired while the system is running
68 * are scrubbed prior to rebooting to avoid latent errors on the next boot.
69 *
70 * UE pages without persistent errors are scrubbed and returned to service.
71 * Recidivist pages, as well as FMA-directed requests for retirement, result
72 * in the page being taken out of service. Once the decision is made to take
73 * a page out of service, the page is cleared, hashed onto the retired_pages
74 * vnode, marked as retired, and it is unlocked. No other requesters (except
75 * for unretire) are allowed to lock retired pages.
76 *
77 * The public routines return (sadly) 0 if they worked and a non-zero error
78 * value if something went wrong. This is done for the ioctl side of the
79 * world to allow errors to be reflected all the way out to user land. The
80 * non-zero values are explained in comments atop each function.
81 */
83 /*
84 * Things to fix:
85 *
86 * 1. Trying to retire non-relocatable kvp pages may result in a
87 * quagmire. This is because seg_kmem() no longer keeps its pages locked,
88 * and calls page_lookup() in the free path; since kvp pages are modified
89 * and don't have a usable backing store, page_retire() can't do anything
90 * with them, and we'll keep denying the lock to seg_kmem_free() in a
91 * vicious cycle. To prevent that, we don't deny locks to kvp pages, and
92 * hence only try to retire a page from page_unlock() in the free path.
93 * Since most kernel pages are indefinitely held anyway, and don't
94 * participate in I/O, this is of little consequence.
95 *
96 * 2. Low memory situations will be interesting. If we don't have
97 * enough memory for page_relocate() to succeed, we won't be able to
98 * retire dirty pages; nobody will be able to push them out to disk
99 * either, since we aggressively deny the page lock. We could change
100 * fsflush so it can recognize this situation, grab the lock, and push
101 * the page out, where we'll catch it in the free path and retire it.
102 *
103 * 3. Beware of places that have code like this in them:
104 *
105 * if (! page_tryupgrade(pp)) {
106 * page_unlock(pp);
107 * while (! page_lock(pp, SE_EXCL, NULL, P_RECLAIM)) {
108 * / *NOTHING* /
109 * }
110 * }
111 * page_free(pp);
112 *
113 * The problem is that pp can change identity right after the
114 * page_unlock() call. In particular, page_retire() can step in
115 * there, change pp's identity, and hash pp onto the retired_vnode.
116 *
117 * Of course, other functions besides page_retire() can have the
118 * same effect. A kmem reader can waltz by, set up a mapping to the
119 * page, and then unlock the page. Page_free() will then go castors
120 * up. So if anybody is doing this, it's already a bug.
121 *
122 * 4. mdboot()'s call into page_retire_mdboot() should probably be
123 * moved lower. Where the call is made now, we can get into trouble
124 * by scrubbing a kernel page that is then accessed later.
125 */
127 #include <sys/types.h>
128 #include <sys/param.h>
129 #include <sys/systm.h>
130 #include <sys/mman.h>
131 #include <sys/vnode.h>
132 #include <sys/vfs.h>
133 #include <sys/cmn_err.h>
134 #include <sys/ksynch.h>
135 #include <sys/thread.h>
136 #include <sys/disp.h>
137 #include <sys/ontrap.h>
138 #include <sys/vmsystm.h>
139 #include <sys/mem_config.h>
140 #include <sys/atomic.h>
141 #include <sys/callb.h>
142 #include <sys/kobj.h>
143 #include <vm/page.h>
144 #include <vm/vm_dep.h>
145 #include <vm/as.h>
146 #include <vm/hat.h>
147 #include <vm/seg_kmem.h>
149 /*
150 * vnode for all pages which are retired from the VM system;
151 */
154 /*
155 * vnode ops - all defaults
156 */
159 };
163 /*
164 * Make a list of all of the pages that have been marked for retirement
165 * but are not yet retired. At system shutdown, we will scrub all of the
166 * pages in the list in case there are outstanding UEs. Then, we
167 * cross-check this list against the number of pages that are yet to be
168 * retired, and if we find inconsistencies, we scan every page_t in the
169 * whole system looking for any pages that need to be scrubbed for UEs.
170 * The background thread also uses this queue to determine which pages
171 * it should keep trying to retire.
172 */
173 #ifdef DEBUG
174 #define PR_PENDING_QMAX 32
176 #define PR_PENDING_QMAX 256
179 kmutex_t pr_q_mutex;
181 /*
182 * Page retire global kstats
183 */
185 kstat_named_t pr_retired;
186 kstat_named_t pr_requested;
187 kstat_named_t pr_requested_free;
188 kstat_named_t pr_enqueue_fail;
189 kstat_named_t pr_dequeue_fail;
190 kstat_named_t pr_pending;
191 kstat_named_t pr_pending_kas;
192 kstat_named_t pr_failed;
193 kstat_named_t pr_failed_kernel;
194 kstat_named_t pr_limit;
195 kstat_named_t pr_limit_exceeded;
196 kstat_named_t pr_fma;
197 kstat_named_t pr_mce;
198 kstat_named_t pr_ue;
199 kstat_named_t pr_ue_cleared_retire;
200 kstat_named_t pr_ue_cleared_free;
201 kstat_named_t pr_ue_persistent;
202 kstat_named_t pr_unretired;
203 };
224 };
228 #define PR_INCR_KSTAT(stat) \
229 atomic_inc_64(&(page_retire_kstat.stat.value.ui64))
230 #define PR_DECR_KSTAT(stat) \
231 atomic_dec_64(&(page_retire_kstat.stat.value.ui64))
233 #define PR_KSTAT_RETIRED_CE (page_retire_kstat.pr_mce.value.ui64)
234 #define PR_KSTAT_RETIRED_FMA (page_retire_kstat.pr_fma.value.ui64)
235 #define PR_KSTAT_RETIRED_NOTUE (PR_KSTAT_RETIRED_CE + PR_KSTAT_RETIRED_FMA)
236 #define PR_KSTAT_PENDING (page_retire_kstat.pr_pending.value.ui64)
237 #define PR_KSTAT_PENDING_KAS (page_retire_kstat.pr_pending_kas.value.ui64)
238 #define PR_KSTAT_EQFAIL (page_retire_kstat.pr_enqueue_fail.value.ui64)
239 #define PR_KSTAT_DQFAIL (page_retire_kstat.pr_dequeue_fail.value.ui64)
241 /*
242 * page retire kstats to list all retired pages
243 */
246 kmutex_t pr_list_kstat_mutex;
248 /*
249 * Limit the number of multiple CE page retires.
250 * The default is 0.1% of physmem, or 1 in 1000 pages. This is set in
251 * basis points, where 100 basis points equals one percent.
252 */
253 #define MCE_BPT 10
255 #define PAGE_RETIRE_LIMIT ((physmem * max_pages_retired_bps) / 10000)
257 /*
258 * Control over the verbosity of page retirement.
259 *
260 * When set to zero (the default), no messages will be printed.
261 * When set to one, summary messages will be printed.
262 * When set > one, all messages will be printed.
263 *
264 * A value of one will trigger detailed messages for retirement operations,
265 * and is intended as a platform tunable for processors where FMA's DE does
266 * not run (e.g., spitfire). Values > one are intended for debugging only.
267 */
270 /*
271 * Control whether or not we return scrubbed UE pages to service.
272 * By default we do not since FMA wants to run its diagnostics first
273 * and then ask us to unretire the page if it passes. Non-FMA platforms
274 * may set this to zero so we will only retire recidivist pages. It should
275 * not be changed by the user.
276 */
279 /*
280 * Master enable for page retire. This prevents a CE or UE early in boot
281 * from trying to retire a page before page_retire_init() has finished
282 * setting things up. This is internal only and is not a tunable!
283 */
288 #ifdef DEBUG
334 #define PR_DEBUG(foo) ((pr_debug.foo)++)
336 /*
337 * A type histogram. We record the incidence of the various toxic
338 * flag combinations along with the interesting page attributes. The
339 * goal is to get as many combinations as we can while driving all
340 * pr_debug values nonzero (indicating we've exercised all possible
341 * code paths across all possible page types). Not all combinations
342 * will make sense -- e.g. PRT_MOD|PRT_KERNEL.
343 *
344 * pr_type offset bit encoding (when examining with a debugger):
345 *
346 * PRT_NAMED - 0x4
347 * PRT_KERNEL - 0x8
348 * PRT_FREE - 0x10
349 * PRT_MOD - 0x20
350 * PRT_FMA - 0x0
351 * PRT_MCE - 0x40
352 * PRT_UE - 0x80
353 */
355 #define PRT_NAMED 0x01
356 #define PRT_KERNEL 0x02
357 #define PRT_FREE 0x04
358 #define PRT_MOD 0x08
360 #define PRT_MCE 0x10
361 #define PRT_UE 0x20
362 #define PRT_ALL 0x3F
366 #define PR_TYPES(pp) { \
367 int whichtype = 0; \
368 if (pp->p_vnode) \
369 whichtype |= PRT_NAMED; \
370 if (PP_ISKAS(pp)) \
371 whichtype |= PRT_KERNEL; \
372 if (PP_ISFREE(pp)) \
373 whichtype |= PRT_FREE; \
374 if (hat_ismod(pp)) \
375 whichtype |= PRT_MOD; \
376 if (pp->p_toxic & PR_UE) \
377 whichtype |= PRT_UE; \
378 if (pp->p_toxic & PR_MCE) \
379 whichtype |= PRT_MCE; \
380 pr_types[whichtype]++; \
381 }
390 #define MTBF(v, f) (((++(v)) & (f)) != (f))
396 #define MTBF(v, f) (1)
400 /*
401 * page_retire_done() - completion processing
402 *
403 * Used by the page_retire code for common completion processing.
404 * It keeps track of how many times a given result has happened,
405 * and writes out an occasional message.
406 *
407 * May be called with a NULL pp (PRD_INVALID_PA case).
408 */
409 #define PRD_INVALID_KEY -1
410 #define PRD_SUCCESS 0
411 #define PRD_PENDING 1
412 #define PRD_FAILED 2
413 #define PRD_DUPLICATE 3
414 #define PRD_INVALID_PA 4
415 #define PRD_LIMIT 5
416 #define PRD_UE_SCRUBBED 6
417 #define PRD_UNR_SUCCESS 7
418 #define PRD_UNR_CANTLOCK 8
419 #define PRD_UNR_NOT 9
430 /* key count retval msglvl message */
451 };
453 /*
454 * print a message if page_retire_messages is true.
455 */
456 #define PR_MESSAGE(debuglvl, msglvl, msg, pa) \
457 { \
458 uint64_t p = (uint64_t)pa; \
459 if (page_retire_messages >= msglvl && msg != NULL) { \
460 cmn_err(debuglvl, msg, \
461 (uint32_t)(p >> 32), (uint32_t)p); \
462 } \
463 }
465 /*
466 * Note that multiple bits may be set in a single settoxic operation.
467 * May be called without the page locked.
468 */
469 void
471 {
473 }
475 /*
476 * Note that multiple bits may cleared in a single clrtoxic operation.
477 * Must be called with the page exclusively locked to prevent races which
478 * may attempt to retire a page without any toxic bits set.
479 * Note that the PR_CAPTURE bit can be cleared without the exclusive lock
480 * being held as there is a separate mutex which protects that bit.
481 */
482 void
484 {
487 }
489 /*
490 * Prints any page retire messages to the user, and decides what
491 * error code is appropriate for the condition reported.
492 */
493 static int
495 {
502 }
509 }
510 }
512 #ifdef DEBUG
515 }
516 #endif
525 }
528 }
530 /*
531 * Act like page_destroy(), but instead of freeing the page, hash it onto
532 * the retired_pages vnode, and mark it retired.
533 *
534 * For fun, we try to scrub the page until it's squeaky clean.
535 * availrmem is adjusted here.
536 */
537 static void
539 {
555 }
566 }
569 availrmem--;
573 }
575 /*
576 * Check whether the number of pages which have been retired already exceeds
577 * the maximum allowable percentage of memory which may be retired.
578 *
579 * Returns 1 if the limit has been exceeded.
580 */
581 static int
583 {
587 }
590 }
594 "reported error; page removed from service"
598 "from service"
600 /*
601 * Attempt to clear a UE from a page.
602 * Returns 1 if the error has been successfully cleared.
603 */
604 static int
606 {
607 caddr_t kaddr;
611 on_trap_data_t otd;
620 /*
621 * Clear the page and attempt to clear the UE. If we trap
622 * on the next access to the page, we know the UE has recurred.
623 */
626 /*
627 * Map the page and write a bunch of bit patterns to compare
628 * what we wrote with what we read back. This isn't a perfect
629 * test but it should be good enough to catch most of the
630 * recurring UEs. If this fails to catch a recurrent UE, we'll
631 * retire the page the next time we see a UE on the page.
632 */
639 /*
640 * Disable preemption to prevent the off chance that
641 * we migrate while in the middle of running through
642 * the bit pattern and run on a different processor
643 * than what we started on.
644 */
647 /*
648 * Fill the page with each (0x00 - 0xFF] bit pattern, flushing
649 * the cache in between reading and writing. We do this under
650 * on_trap() protection to avoid recursion.
651 */
659 }
666 /*
667 * We had a mismatch without a trap.
668 * Uh-oh. Something is really wrong
669 * with this system.
670 */
674 }
677 }
678 }
679 }
680 }
681 out:
687 }
689 /*
690 * Try to clear a page_t with a single UE. If the UE was transient, it is
691 * returned to service, and we return 1. Otherwise we return 0 meaning
692 * that further processing is required to retire the page.
693 */
694 static int
696 {
700 /*
701 * If this page is a repeat offender, retire it under the
702 * "two strikes and you're out" rule. The caller is responsible
703 * for scrubbing the page to try to clear the error.
704 */
708 }
711 /*
712 * We set the PR_SCRUBBED_UE bit; if we ever see this
713 * page again, we will retire it, no questions asked.
714 */
727 }
728 }
732 }
734 /*
735 * Update the statistics dynamically when our kstat is read.
736 */
737 static int
739 {
758 }
759 /*NOTREACHED*/
760 }
762 static int
764 {
766 uint_t count;
773 /* Needs to be under a lock so that for loop will work right */
779 }
784 count++;
785 }
792 }
794 /*
795 * all spans will be pagesize and no coalescing will be done with the
796 * list produced.
797 */
798 static int
800 {
821 }
824 kspmem++;
831 }
835 }
837 /*
838 * page_retire_pend_count -- helper function for page_capture_thread,
839 * returns the number of pages pending retirement.
840 */
841 uint64_t
843 {
845 }
847 uint64_t
849 {
851 }
853 void
855 {
860 }
861 }
863 void
865 {
870 }
871 }
873 /*
874 * Initialize the page retire mechanism:
875 *
876 * - Establish the correctable error retire limit.
877 * - Initialize locks.
878 * - Build the retired_pages vnode.
879 * - Set up the kstats.
880 * - Fire off the background thread.
881 * - Tell page_retire() it's OK to start retiring pages.
882 */
883 void
885 {
895 }
910 }
920 }
922 memscrub_notify_func =
927 }
929 /*
930 * page_retire_hunt() callback for the retire thread.
931 */
932 static void
934 {
939 }
940 }
942 /*
943 * Callback used by page_trycapture() to finish off retiring a page.
944 * The page has already been cleaned and we've been given sole access to
945 * it.
946 * Always returns 0 to indicate that callback succeded as the callback never
947 * fails to finish retiring the given page.
948 */
949 /*ARGSUSED*/
950 static int
952 {
961 /*
962 * The problem page is locked, demoted, unmapped, not free,
963 * hashed out, and not COW or mlocked (whew!).
964 *
965 * Now we select our ammunition, take it around back, and shoot it.
966 */
968 ue_error:
976 }
988 }
990 /*
991 * When page_retire_first_ue is set to zero and a UE occurs which is
992 * transient, it's possible that we clear some flags set by a second
993 * UE error on the page which occurs while the first is currently being
994 * handled and thus we need to handle the case where none of the above
995 * are set. In this instance, PR_UE_SCRUBBED should be set and thus
996 * we should execute the UE code above.
997 */
1000 }
1002 /*
1003 * It's impossible to get here.
1004 */
1007 }
1009 /*
1010 * page_retire() - the front door in to retire a page.
1011 *
1012 * Ideally, page_retire() would instantly retire the requested page.
1013 * Unfortunately, some pages are locked or otherwise tied up and cannot be
1014 * retired right away. We use the page capture logic to deal with this
1015 * situation as it will continuously try to retire the page in the background
1016 * if the first attempt fails. Success is determined by looking to see whether
1017 * the page has been retired after the page_trycapture() attempt.
1018 *
1019 * Returns:
1020 *
1021 * - 0 on success,
1022 * - EINVAL when the PA is whacko,
1023 * - EIO if the page is already retired or already pending retirement, or
1024 * - EAGAIN if the page could not be _immediately_ retired but is pending.
1025 */
1026 int
1028 {
1039 }
1043 }
1047 }
1058 }
1060 /* Avoid setting toxic bits in the first place */
1064 }
1072 }
1075 }
1088 }
1089 }
1090 }
1092 /*
1093 * Take a retired page off the retired-pages vnode and clear the toxic flags.
1094 * If "free" is nonzero, lock it and put it back on the freelist. If "free"
1095 * is zero, the caller already holds SE_EXCL lock so we simply unretire it
1096 * and don't do anything else with it.
1097 *
1098 * Any unretire messages are printed from this routine.
1099 *
1100 * Returns 0 if page pp was unretired; else an error code.
1101 *
1102 * If flags is:
1103 * PR_UNR_FREE - lock the page, clear the toxic flags and free it
1104 * to the freelist.
1105 * PR_UNR_TEMP - lock the page, unretire it, leave the toxic
1106 * bits set as is and return it to the caller.
1107 * PR_UNR_CLEAN - page is SE_EXCL locked, unretire it, clear the
1108 * toxic flags and return it to caller as is.
1109 */
1110 int
1112 {
1113 /*
1114 * To be retired, a page has to be hashed onto the retired_pages vnode
1115 * and have PR_RETIRED set in p_toxic.
1116 */
1125 }
1135 }
1139 else
1148 }
1151 availrmem++;
1158 }
1161 }
1163 /*
1164 * Return a page to service by moving it from the retired_pages vnode
1165 * onto the freelist.
1166 *
1167 * Called from mmioctl_page_retire() on behalf of the FMA DE.
1168 *
1169 * Returns:
1170 *
1171 * - 0 if the page is unretired,
1172 * - EAGAIN if the pp can not be locked,
1173 * - EINVAL if the PA is whacko, and
1174 * - EIO if the pp is not retired.
1175 */
1176 int
1178 {
1184 }
1187 }
1189 /*
1190 * Test a page to see if it is retired. If errors is non-NULL, the toxic
1191 * bits of the page are returned. Returns 0 on success, error code on failure.
1192 */
1193 int
1195 {
1207 }
1209 /*
1210 * We have magically arranged the bit values returned to fmd(8)
1211 * to line up with the FMA, MCE, and UE bits of the page_t.
1212 */
1218 }
1220 }
1223 }
1225 /*
1226 * Test to see if the page_t for a given PA is retired, and return the
1227 * hardware errors we have seen on the page if requested.
1228 *
1229 * Called from mmioctl_page_retire on behalf of the FMA DE.
1230 *
1231 * Returns:
1232 *
1233 * - 0 if the page is retired,
1234 * - EIO if the page is not retired and has no errors,
1235 * - EAGAIN if the page is not retired but is pending; and
1236 * - EINVAL if the PA is whacko.
1237 */
1238 int
1240 {
1245 }
1250 }
1253 }
1255 /*
1256 * Page retire self-test. For now, it always returns 0.
1257 */
1258 int
1260 {
1263 /*
1264 * Tests the corner case where a large page can't be retired
1265 * because one of the constituent pages is locked. We mark
1266 * one page to be retired and try to retire it, and mark the
1267 * other page to be retired but don't try to retire it, so
1268 * that page_unlock() in the failure path will recurse and try
1269 * to retire THAT page. This is the worst possible situation
1270 * we can get ourselves into.
1271 */
1284 }
1286 /* fails */
1293 }
1298 }