page_retire.c revision af4c679f647cf088543c762e33d41a3ac52cfa14
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2009 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
/*
* Page Retire - Big Theory Statement.
*
* This file handles removing sections of faulty memory from use when the
* user land FMA Diagnosis Engine requests that a page be removed or when
* a CE or UE is detected by the hardware.
*
* In the bad old days, the kernel side of Page Retire did a lot of the work
* on its own. Now, with the DE keeping track of errors, the kernel side is
* rather simple minded on most platforms.
*
* Errors are all reflected to the DE, and after digesting the error and
* looking at all previously reported errors, the DE decides what should
* be done about the current error. If the DE wants a particular page to
* be retired, then the kernel page retire code is invoked via an ioctl.
* On non-FMA platforms, the ue_drain and ce_drain paths ends up calling
* page retire to handle the error. Since page retire is just a simple
* mechanism it doesn't need to differentiate between the different callers.
*
* The p_toxic field in the page_t is used to indicate which errors have
* occurred and what action has been taken on a given page. Because errors are
* reported without regard to the locked state of a page, no locks are used
* to SET the error bits in p_toxic. However, in order to clear the error
* bits, the page_t must be held exclusively locked.
*
* When page_retire() is called, it must be able to acquire locks, sleep, etc.
* It must not be called from high-level interrupt context.
*
* Depending on how the requested page is being used at the time of the retire
* request (and on the availability of sufficient system resources), the page
* may be retired immediately, or just marked for retirement later. For
* example, locked pages are marked, while free pages are retired. Multiple
* requests may be made to retire the same page, although there is no need
* to: once the p_toxic flags are set, the page will be retired as soon as it
* can be exclusively locked.
*
* The retire mechanism is driven centrally out of page_unlock(). To expedite
* the retirement of pages, further requests for SE_SHARED locks are denied
* as long as a page retirement is pending. In addition, as long as pages are
* pending retirement a background thread runs periodically trying to retire
* those pages. Pages which could not be retired while the system is running
* are scrubbed prior to rebooting to avoid latent errors on the next boot.
*
* UE pages without persistent errors are scrubbed and returned to service.
* Recidivist pages, as well as FMA-directed requests for retirement, result
* in the page being taken out of service. Once the decision is made to take
* a page out of service, the page is cleared, hashed onto the retired_pages
* vnode, marked as retired, and it is unlocked. No other requesters (except
* for unretire) are allowed to lock retired pages.
*
* The public routines return (sadly) 0 if they worked and a non-zero error
* value if something went wrong. This is done for the ioctl side of the
* world to allow errors to be reflected all the way out to user land. The
* non-zero values are explained in comments atop each function.
*/
/*
* Things to fix:
*
* 1. Trying to retire non-relocatable kvp pages may result in a
* quagmire. This is because seg_kmem() no longer keeps its pages locked,
* and calls page_lookup() in the free path; since kvp pages are modified
* and don't have a usable backing store, page_retire() can't do anything
* with them, and we'll keep denying the lock to seg_kmem_free() in a
* vicious cycle. To prevent that, we don't deny locks to kvp pages, and
* hence only try to retire a page from page_unlock() in the free path.
* Since most kernel pages are indefinitely held anyway, and don't
* participate in I/O, this is of little consequence.
*
* 2. Low memory situations will be interesting. If we don't have
* enough memory for page_relocate() to succeed, we won't be able to
* retire dirty pages; nobody will be able to push them out to disk
* either, since we aggressively deny the page lock. We could change
* fsflush so it can recognize this situation, grab the lock, and push
* the page out, where we'll catch it in the free path and retire it.
*
* 3. Beware of places that have code like this in them:
*
* if (! page_tryupgrade(pp)) {
* page_unlock(pp);
* while (! page_lock(pp, SE_EXCL, NULL, P_RECLAIM)) {
* / *NOTHING* /
* }
* }
* page_free(pp);
*
* The problem is that pp can change identity right after the
* page_unlock() call. In particular, page_retire() can step in
* there, change pp's identity, and hash pp onto the retired_vnode.
*
* Of course, other functions besides page_retire() can have the
* same effect. A kmem reader can waltz by, set up a mapping to the
* page, and then unlock the page. Page_free() will then go castors
* up. So if anybody is doing this, it's already a bug.
*
* 4. mdboot()'s call into page_retire_mdboot() should probably be
* moved lower. Where the call is made now, we can get into trouble
* by scrubbing a kernel page that is then accessed later.
*/
#include <sys/vfs_opreg.h>
#include <sys/mem_config.h>
#include <vm/seg_kmem.h>
/*
* vnode for all pages which are retired from the VM system;
*/
/*
* Make a list of all of the pages that have been marked for retirement
* but are not yet retired. At system shutdown, we will scrub all of the
* pages in the list in case there are outstanding UEs. Then, we
* cross-check this list against the number of pages that are yet to be
* retired, and if we find inconsistencies, we scan every page_t in the
* whole system looking for any pages that need to be scrubbed for UEs.
* The background thread also uses this queue to determine which pages
* it should keep trying to retire.
*/
#ifdef DEBUG
#define PR_PENDING_QMAX 32
#else /* DEBUG */
#define PR_PENDING_QMAX 256
#endif /* DEBUG */
/*
* Page retire global kstats
*/
struct page_retire_kstat {
};
static struct page_retire_kstat page_retire_kstat = {
{ "pages_retired", KSTAT_DATA_UINT64},
{ "pages_retire_request", KSTAT_DATA_UINT64},
{ "pages_retire_request_free", KSTAT_DATA_UINT64},
{ "pages_notenqueued", KSTAT_DATA_UINT64},
{ "pages_notdequeued", KSTAT_DATA_UINT64},
{ "pages_pending", KSTAT_DATA_UINT64},
{ "pages_pending_kas", KSTAT_DATA_UINT64},
{ "pages_deferred", KSTAT_DATA_UINT64},
{ "pages_deferred_kernel", KSTAT_DATA_UINT64},
{ "pages_limit", KSTAT_DATA_UINT64},
{ "pages_limit_exceeded", KSTAT_DATA_UINT64},
{ "pages_fma", KSTAT_DATA_UINT64},
{ "pages_multiple_ce", KSTAT_DATA_UINT64},
{ "pages_ue", KSTAT_DATA_UINT64},
{ "pages_ue_cleared_retired", KSTAT_DATA_UINT64},
{ "pages_ue_cleared_freed", KSTAT_DATA_UINT64},
{ "pages_ue_persistent", KSTAT_DATA_UINT64},
{ "pages_unretired", KSTAT_DATA_UINT64},
};
#define PR_INCR_KSTAT(stat) \
#define PR_DECR_KSTAT(stat) \
/*
* page retire kstats to list all retired pages
*/
/*
* Limit the number of multiple CE page retires.
* The default is 0.1% of physmem, or 1 in 1000 pages. This is set in
* basis points, where 100 basis points equals one percent.
*/
#define MCE_BPT 10
/*
* Control over the verbosity of page retirement.
*
* When set to zero (the default), no messages will be printed.
* When set to one, summary messages will be printed.
* When set > one, all messages will be printed.
*
* A value of one will trigger detailed messages for retirement operations,
* and is intended as a platform tunable for processors where FMA's DE does
* not run (e.g., spitfire). Values > one are intended for debugging only.
*/
int page_retire_messages = 0;
/*
* Control whether or not we return scrubbed UE pages to service.
* By default we do not since FMA wants to run its diagnostics first
* and then ask us to unretire the page if it passes. Non-FMA platforms
* may set this to zero so we will only retire recidivist pages. It should
* not be changed by the user.
*/
int page_retire_first_ue = 1;
/*
* Master enable for page retire. This prevents a CE or UE early in boot
* from trying to retire a page before page_retire_init() has finished
* setting things up. This is internal only and is not a tunable!
*/
static int pr_enable = 0;
#ifdef DEBUG
struct page_retire_debug {
int prd_dup1;
int prd_dup2;
int prd_qdup;
int prd_noaction;
int prd_queued;
int prd_notqueued;
int prd_dequeue;
int prd_top;
int prd_locked;
int prd_reloc;
int prd_relocfail;
int prd_mod;
int prd_mod_late;
int prd_kern;
int prd_free;
int prd_noreclaim;
int prd_hashout;
int prd_fma;
int prd_uescrubbed;
int prd_uenotscrubbed;
int prd_mce;
int prd_prlocked;
int prd_prnotlocked;
int prd_prretired;
int prd_ulocked;
int prd_unotretired;
int prd_udestroy;
int prd_uhashout;
int prd_uunretired;
int prd_unotlocked;
int prd_checkhit;
int prd_checkmiss_pend;
int prd_checkmiss_noerr;
int prd_tctop;
int prd_tclocked;
int prd_hunt;
int prd_dohunt;
int prd_earlyhunt;
int prd_latehunt;
int prd_nofreedemote;
int prd_nodemote;
int prd_demoted;
} pr_debug;
/*
* A type histogram. We record the incidence of the various toxic
* flag combinations along with the interesting page attributes. The
* goal is to get as many combinations as we can while driving all
* pr_debug values nonzero (indicating we've exercised all possible
* code paths across all possible page types). Not all combinations
* will make sense -- e.g. PRT_MOD|PRT_KERNEL.
*
* pr_type offset bit encoding (when examining with a debugger):
*
* PRT_NAMED - 0x4
* PRT_KERNEL - 0x8
* PRT_FREE - 0x10
* PRT_MOD - 0x20
* PRT_FMA - 0x0
* PRT_MCE - 0x40
* PRT_UE - 0x80
*/
#define PRT_NAMED 0x01
#define PRT_KERNEL 0x02
#define PRT_FREE 0x04
#define PRT_MOD 0x08
#define PRT_MCE 0x10
#define PRT_UE 0x20
#define PRT_ALL 0x3F
int whichtype = 0; \
whichtype |= PRT_KERNEL; \
}
int recl_calls;
int recl_mtbf = 3;
int reloc_calls;
int reloc_mtbf = 7;
int pr_calls;
int pr_mtbf = 15;
#define MTBF(v, f) (((++(v)) & (f)) != (f))
#else /* DEBUG */
#define MTBF(v, f) (1)
#endif /* DEBUG */
/*
* page_retire_done() - completion processing
*
* Used by the page_retire code for common completion processing.
* It keeps track of how many times a given result has happened,
* and writes out an occasional message.
*
* May be called with a NULL pp (PRD_INVALID_PA case).
*/
#define PRD_INVALID_KEY -1
#define PRD_SUCCESS 0
#define PRD_PENDING 1
#define PRD_FAILED 2
#define PRD_DUPLICATE 3
#define PRD_INVALID_PA 4
#define PRD_LIMIT 5
#define PRD_UE_SCRUBBED 6
#define PRD_UNR_SUCCESS 7
#define PRD_UNR_CANTLOCK 8
#define PRD_UNR_NOT 9
typedef struct page_retire_op {
int pr_key; /* one of the PRD_* defines from above */
int pr_count; /* How many times this has happened */
int pr_retval; /* return value */
int pr_msglvl; /* message level - when to print */
char *pr_message; /* Cryptic message for field service */
static page_retire_op_t page_retire_ops[] = {
/* key count retval msglvl message */
{PRD_SUCCESS, 0, 0, 1,
"Page 0x%08x.%08x removed from service"},
"Page 0x%08x.%08x will be retired on free"},
"Page 0x%08x.%08x already retired or pending"},
"PA 0x%08x.%08x is not a relocatable page"},
{PRD_LIMIT, 0, 0, 1,
"Page 0x%08x.%08x not retired due to limit exceeded"},
{PRD_UE_SCRUBBED, 0, 0, 1,
"Previously reported error on page 0x%08x.%08x cleared"},
{PRD_UNR_SUCCESS, 0, 0, 1,
"Page 0x%08x.%08x returned to service"},
"Page 0x%08x.%08x could not be unretired"},
"Page 0x%08x.%08x is not retired"},
};
/*
* print a message if page_retire_messages is true.
*/
{ \
} \
}
/*
* Note that multiple bits may be set in a single settoxic operation.
* May be called without the page locked.
*/
void
{
}
/*
* Note that multiple bits may cleared in a single clrtoxic operation.
* Must be called with the page exclusively locked to prevent races which
* may attempt to retire a page without any toxic bits set.
* Note that the PR_CAPTURE bit can be cleared without the exclusive lock
* being held as there is a separate mutex which protects that bit.
*/
void
{
}
/*
* Prints any page retire messages to the user, and decides what
* error code is appropriate for the condition reported.
*/
static int
{
int i;
}
prop = &page_retire_ops[i];
break;
}
}
#ifdef DEBUG
}
#endif
}
}
/*
* Act like page_destroy(), but instead of freeing the page, hash it onto
* the retired_pages vnode, and mark it retired.
*
* For fun, we try to scrub the page until it's squeaky clean.
* availrmem is adjusted here.
*/
static void
{
}
} else {
}
availrmem--;
}
/*
* Check whether the number of pages which have been retired already exceeds
* the maximum allowable percentage of memory which may be retired.
*
* Returns 1 if the limit has been exceeded.
*/
static int
page_retire_limit(void)
{
return (1);
}
return (0);
}
#define MSG_DM "Data Mismatch occurred at PA 0x%08x.%08x" \
"[ 0x%x != 0x%x ] while attempting to clear previously " \
"reported error; page removed from service"
#define MSG_UE "Uncorrectable Error occurred at PA 0x%08x.%08x while " \
"attempting to clear previously reported error; page removed " \
"from service"
/*
* Attempt to clear a UE from a page.
* Returns 1 if the error has been successfully cleared.
*/
static int
{
int errors = 0;
int i;
/*
* Clear the page and attempt to clear the UE. If we trap
* on the next access to the page, we know the UE has recurred.
*/
/*
* Map the page and write a bunch of bit patterns to compare
* what we wrote with what we read back. This isn't a perfect
* test but it should be good enough to catch most of the
* recurring UEs. If this fails to catch a recurrent UE, we'll
* retire the page the next time we see a UE on the page.
*/
/*
* Disable preemption to prevent the off chance that
* we migrate while in the middle of running through
* the bit pattern and run on a different processor
* than what we started on.
*/
/*
* Fill the page with each (0x00 - 0xFF] bit pattern, flushing
* the cache in between reading and writing. We do this under
* on_trap() protection to avoid recursion.
*/
errors = 1;
} else {
for (i = 0; i < PAGESIZE; i++) {
}
for (i = 0; i < PAGESIZE; i++) {
/*
* We had a mismatch without a trap.
* Uh-oh. Something is really wrong
* with this system.
*/
if (page_retire_messages) {
}
errors = 1;
goto out; /* double break */
}
}
}
}
out:
no_trap();
return (errors ? 0 : 1);
}
/*
* Try to clear a page_t with a single UE. If the UE was transient, it is
* returned to service, and we return 1. Otherwise we return 0 meaning
* that further processing is required to retire the page.
*/
static int
{
/*
* If this page is a repeat offender, retire him under the
* "two strikes and you're out" rule. The caller is responsible
* for scrubbing the page to try to clear the error.
*/
return (0);
}
if (page_clear_transient_ue(pp)) {
/*
* We set the PR_SCRUBBED_UE bit; if we ever see this
* page again, we will retire it, no questions asked.
*/
if (page_retire_first_ue) {
return (0);
} else {
/* LINTED: CONSTCOND */
return (1);
}
}
return (0);
}
/*
* Update the statistics dynamically when our kstat is read.
*/
static int
{
struct page_retire_kstat *pr;
return (EINVAL);
switch (rw) {
case KSTAT_READ:
return (0);
case KSTAT_WRITE:
return (EACCES);
default:
return (EINVAL);
}
/*NOTREACHED*/
}
static int
{
if (rw == KSTAT_WRITE)
return (EACCES);
/* Needs to be under a lock so that for loop will work right */
ksp->ks_data_size = 0;
return (0);
}
count = 1;
count++;
}
return (0);
}
/*
* all spans will be pagesize and no coalescing will be done with the
* list produced.
*/
static int
{
struct memunit {
} *kspmem;
if (rw == KSTAT_WRITE)
return (EACCES);
return (0);
}
kspmem++;
break;
}
return (0);
}
/*
* page_retire_pend_count -- helper function for page_capture_thread,
* returns the number of pages pending retirement.
*/
page_retire_pend_count(void)
{
return (PR_KSTAT_PENDING);
}
{
return (PR_KSTAT_PENDING_KAS);
}
void
page_retire_incr_pend_count(void *datap)
{
}
}
void
page_retire_decr_pend_count(void *datap)
{
}
}
/*
* Initialize the page retire mechanism:
*
* - Establish the correctable error retire limit.
* - Initialize locks.
* - Build the retired_pages vnode.
* - Set up the kstats.
* - Fire off the background thread.
* - Tell page_retire() it's OK to start retiring pages.
*/
void
page_retire_init(void)
{
const fs_operation_def_t retired_vnodeops_template[] = {
};
const uint_t page_retire_ndata =
sizeof (page_retire_kstat) / sizeof (kstat_named_t);
if (max_pages_retired_bps <= 0) {
}
"page_retired_init: can't make retired vnodeops");
}
KSTAT_FLAG_VIRTUAL)) == NULL) {
} else {
}
}
pr_enable = 1;
}
/*
* page_retire_hunt() callback for the retire thread.
*/
static void
{
}
}
/*
* Callback used by page_trycapture() to finish off retiring a page.
* The page has already been cleaned and we've been given sole access to
* it.
* Always returns 0 to indicate that callback succeded as the callback never
* fails to finish retiring the given page.
*/
/*ARGSUSED*/
static int
{
int toxic;
/*
* The problem page is locked, demoted, unmapped, not free,
* hashed out, and not COW or mlocked (whew!).
*
* Now we select our ammunition, take it around back, and shoot it.
*/
if (page_retire_transient_ue(pp)) {
} else {
}
return (0);
return (0);
return (0);
}
/*
* When page_retire_first_ue is set to zero and a UE occurs which is
* transient, it's possible that we clear some flags set by a second
* UE error on the page which occurs while the first is currently being
* handled and thus we need to handle the case where none of the above
* are set. In this instance, PR_UE_SCRUBBED should be set and thus
* we should execute the UE code above.
*/
if (toxic & PR_UE_SCRUBBED) {
goto ue_error;
}
/*
* It's impossible to get here.
*/
return (0);
}
/*
* page_retire() - the front door in to retire a page.
*
* Ideally, page_retire() would instantly retire the requested page.
* Unfortunately, some pages are locked or otherwise tied up and cannot be
* retired right away. We use the page capture logic to deal with this
* situation as it will continuously try to retire the page in the background
* if the first attempt fails. Success is determined by looking to see whether
* the page has been retired after the page_trycapture() attempt.
*
* Returns:
*
* - 0 on success,
* - EINVAL when the PA is whacko,
* - EIO if the page is already retired or already pending retirement, or
* - EAGAIN if the page could not be _immediately_ retired but is pending.
*/
int
{
" page 0x%08x.%08x; page is not relocatable memory", pa);
}
if (PP_RETIRED(pp)) {
}
" page 0x%08x.%08x", pa);
} else {
" page 0x%08x.%08x", pa);
}
/* Avoid setting toxic bits in the first place */
page_retire_limit()) {
}
} else {
}
} else {
}
if (PP_RETIRED(pp)) {
return (0);
} else {
} else {
}
}
}
/*
* Take a retired page off the retired-pages vnode and clear the toxic flags.
* If "free" is nonzero, lock it and put it back on the freelist. If "free"
* is zero, the caller already holds SE_EXCL lock so we simply unretire it
* and don't do anything else with it.
*
* Any unretire messages are printed from this routine.
*
* Returns 0 if page pp was unretired; else an error code.
*
* If flags is:
* PR_UNR_FREE - lock the page, clear the toxic flags and free it
* to the freelist.
* PR_UNR_TEMP - lock the page, unretire it, leave the toxic
* bits set as is and return it to the caller.
* PR_UNR_CLEAN - page is SE_EXCL locked, unretire it, clear the
* toxic flags and return it to caller as is.
*/
int
{
/*
* To be retired, a page has to be hashed onto the retired_pages vnode
* and have PR_RETIRED set in p_toxic.
*/
if (flags == PR_UNR_CLEAN ||
if (!PP_RETIRED(pp)) {
}
} else {
}
if (flags == PR_UNR_TEMP)
else
if (flags == PR_UNR_FREE) {
page_destroy(pp, 0);
} else {
}
availrmem++;
}
}
/*
* Return a page to service by moving it from the retired_pages vnode
* onto the freelist.
*
* Called from mmioctl_page_retire() on behalf of the FMA DE.
*
* Returns:
*
* - 0 if the page is unretired,
* - EAGAIN if the pp can not be locked,
* - EINVAL if the PA is whacko, and
* - EIO if the pp is not retired.
*/
int
{
}
}
/*
* Test a page to see if it is retired. If errors is non-NULL, the toxic
* bits of the page are returned. Returns 0 on success, error code on failure.
*/
int
{
int rc;
if (PP_RETIRED(pp)) {
rc = 0;
} else {
}
/*
* We have magically arranged the bit values returned to fmd(1M)
* to line up with the FMA, MCE, and UE bits of the page_t.
*/
if (errors) {
if (toxic & PR_UE_SCRUBBED) {
toxic &= ~PR_UE_SCRUBBED;
}
}
return (rc);
}
/*
* Test to see if the page_t for a given PA is retired, and return the
* hardware errors we have seen on the page if requested.
*
* Called from mmioctl_page_retire on behalf of the FMA DE.
*
* Returns:
*
* - 0 if the page is retired,
* - EIO if the page is not retired and has no errors,
* - EAGAIN if the page is not retired but is pending; and
* - EINVAL if the PA is whacko.
*/
int
{
if (errors) {
*errors = 0;
}
}
}
/*
* Page retire self-test. For now, it always returns 0.
*/
int
page_retire_test(void)
{
/*
* Tests the corner case where a large page can't be retired
* because one of the constituent pages is locked. We mark
* one page to be retired and try to retire it, and mark the
* other page to be retired but don't try to retire it, so
* that page_unlock() in the failure path will recurse and try
* to retire THAT page. This is the worst possible situation
* we can get ourselves into.
*/
memsegs_lock(0);
do {
continue;
continue;
}
/* fails */
}
memsegs_unlock(0);
return (0);
}