From owner-freebsd-bugs@FreeBSD.ORG  Fri May 18 10:20:09 2007
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6F6E616A408
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 18 May 2007 10:20:09 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id ACBD213C448
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 18 May 2007 10:20:08 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l4IAK8o6034976
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 18 May 2007 10:20:08 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l4IAK8Vc034975;
	Fri, 18 May 2007 10:20:08 GMT (envelope-from gnats)
Date: Fri, 18 May 2007 10:20:08 GMT
Message-Id: <200705181020.l4IAK8Vc034975@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Eugene Grosbein <eugen@kuzbass.ru>
Cc: 
Subject: Re: kern/112707: 6.2-STABLE panic: spoiling cp->ace = 3
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eugene Grosbein <eugen@kuzbass.ru>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 18 May 2007 10:20:09 -0000

The following reply was made to PR kern/112707; it has been noted by GNATS.

From: Eugene Grosbein <eugen@kuzbass.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/112707: 6.2-STABLE panic: spoiling cp->ace = 3
Date: Fri, 18 May 2007 17:48:58 +0800

 Hi!
 
 I managed to obtain crashdump and got backtrace that follows.
 I also put online kernel.debug and crashdump, both compressed (5Mb and 8.5Mb)
 here: http://www.grosbein.pp.ru/panic-spoiling/
 
 cript started on Fri May 18 17:34:50 2007
 kgdb: kvm_nlist(_stopped_cpus): 
 kgdb: kvm_nlist(_stoppcbs): 
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:
 Undefined
 symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 panic: spoiling cp->ace = 3
 KDB: stack backtrace:
 kdb_backtrace(c068b1c3,c06e20c0,c0685e63,c5c69934,100,...) at 0xc0527773 =
 kdb_backtrace+0x2f
 panic(c0685e63,3,c06858b9,370,c1239b00,...) at 0xc050b74d = panic+0xb8
 g_spoil(c1239b00,c122eb00,1,3,0,...) at 0xc04d1e4f = g_spoil+0x57
 g_access(c122eb00,0,1,0,2000,...) at 0xc04d1abc = g_access+0x27e
 g_dev_open(c1268c00,2,2000,c1296300,c1268c00,...) at 0xc04cbe2e =
 g_dev_open+0x106
 devfs_open(c5c69a54,c5c69d04,c5c69bc4,0,c5c69b10,...) at 0xc04c90cc =
 devfs_open+0x197
 VOP_OPEN_APV(c06b6300,c5c69a54,0,c5c69a54,0,...) at 0xc066212a =
 VOP_OPEN_APV+0x9d
 vn_open_cred(c5c69bc4,c5c69cc4,1a4,c1818a80,4,...) at 0xc05760b0 =
 vn_open_cred+0x457
 vn_open(c5c69bc4,c5c69cc4,1a4,4,c5c69b68,...) at 0xc0575c57 = vn_open+0x33
 kern_open(c1296300,804c030,0,2,1b6,...) at 0xc056e029 = kern_open+0xca
 open(c1296300,c5c69d04,c,804d000,3,...) at 0xc056df27 = open+0x36
 syscall(3b,3b,3b,804c030,0,...) at 0xc06586d2 = syscall+0x295
 Xint0x80_syscall() at 0xc0648d0f = Xint0x80_syscall+0x1f
 --- syscall (5, FreeBSD ELF32, open), eip = 0x28137437, esp = 0xbfbfe83c, ebp
 =
 0xbfbfe868 ---
 KDB: enter: panic
 Uptime: 1m7s
 Dumping 47 MB (2 chunks)
   chunk 0: 1MB (159 pages) ... ok
   chunk 1: 47MB (12032 pages) 32 16
 
 #0  doadump () at pcpu.h:165
 165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) bt full
 #0  doadump () at pcpu.h:165
 No locals.
 #1  0xc050b4ad in boot (howto=260) at /home/src/sys/kern/kern_shutdown.c:409
         first_buf_printf = 1
 #2  0xc050b7cb in panic (fmt=0xc0685e63 "spoiling cp->ace = %d")
     at /home/src/sys/kern/kern_shutdown.c:565
         td = (struct thread *) 0xc1296300
         bootopt = 256
         newpanic = 1
         ap = 0xc5c69934 "\003"
         buf = "spoiling cp->ace = 3", '\0' <repeats 235 times>
 #3  0xc04d1e4f in g_spoil (pp=0xc1239b00, cp=0xc122eb00)
     at /home/src/sys/geom/geom_subr.c:891
         cp2 = (struct g_consumer *) 0x0
 #4  0xc04d1abc in g_access (cp=0xc122eb00, dcr=0, dcw=1, dce=0)
     at /home/src/sys/geom/geom_subr.c:741
         pp = (struct g_provider *) 0xc1239b00
         pw = 0
         pe = 3
         error = 0
 #5  0xc04cbe2e in g_dev_open (dev=0xc1268c00, flags=6, fmt=0, td=0xc1296300)
     at /home/src/sys/geom/geom_dev.c:196
         gp = (struct g_geom *) 0x0
         cp = (struct g_consumer *) 0xc122eb00
 ---Type <return> to continue, or q <return> to quit---
         error = 6
         r = 0
         w = 1
 #6  0xc04c90cc in devfs_open (ap=0xc5c69a54)
     at /home/src/sys/fs/devfs/devfs_vnops.c:766
         _giantcnt = 0
         td = (struct thread *) 0xc1296300
         vp = (struct vnode *) 0xc184a660
         dev = (struct cdev *) 0xc1268c00
         fp = (struct file *) 0x0
         error = -1066703424
         dsw = (struct cdevsw *) 0xc06b65c0
 #7  0xc066212a in VOP_OPEN_APV (vop=0x0, a=0xc5c69a54) at vnode_if.c:372
         rc = 0
 #8  0xc05760b0 in vn_open_cred (ndp=0xc5c69bc4, flagp=0xc5c69cc4, cmode=420, 
     cred=0xc1818a80, fdidx=4) at vnode_if.h:198
         vp = (struct vnode *) 0xc184a660
         mp = (struct mount *) 0x139
         td = (struct thread *) 0xc1296300
         vat = {va_type = 3226510025, va_mode = 14000, va_nlink = -16087, 
   va_uid = 1, va_gid = 3228085506, va_fsid = 3318127288, 
   va_fileid = -1068627818, va_size = 4294967264, va_blocksize = 4, 
   va_atime = {tv_sec = -976839976, tv_nsec = -1068627430}, va_mtime = {
     tv_sec = -1049548544, tv_nsec = 4}, va_ctime = {tv_sec = 20, 
 ---Type <return> to continue, or q <return> to quit---
     tv_nsec = 4}, va_birthtime = {tv_sec = -1049548500, tv_nsec = 1380}, 
   va_gen = 3228071115, va_flags = 3318127360, va_rdev = 3226471867, 
   va_bytes = 7540386092, va_filerev = 1369027681980, va_vaflags = 0, 
   va_spare = -1054263736}
         mode = 128
         fmode = 2
         error = 0
         vfslocked = 0
 #9  0xc0575c57 in vn_open (ndp=0x0, flagp=0x0, cmode=0, fdidx=0)
     at /home/src/sys/kern/vfs_vnops.c:91
         td = (struct thread *) 0x0
 #10 0xc056e029 in kern_open (td=0xc1296300, path=0x0, pathseg=UIO_USERSPACE, 
     flags=2, mode=438) at /home/src/sys/kern/vfs_syscalls.c:1007
         p = (struct proc *) 0x0
         fdp = (struct filedesc *) 0xc1712900
         fp = (struct file *) 0xc1814000
         vp = (struct vnode *) 0x1
         vat = {va_type = 3228436892, va_mode = 1, va_nlink = 0, 
   va_uid = 3228081852, va_gid = 318, va_fsid = 118134284, va_fileid = 0, 
   va_size = 13944276585772947192, va_blocksize = 3, va_atime = {tv_sec = 0, 
     tv_nsec = 0}, va_mtime = {tv_sec = -1048312404, tv_nsec = 3}, va_ctime = {
     tv_sec = 0, tv_nsec = -1056270904}, va_birthtime = {tv_sec = -1048393940, 
     tv_nsec = 0}, va_gen = 0, va_flags = 149, va_rdev = 0, 
   va_bytes = 13862612747705294036, va_filerev = 13864923702024115656, 
 ---Type <return> to continue, or q <return> to quit---
   va_vaflags = 149, va_spare = -1054263632}
         mp = (struct mount *) 0x13e
         cmode = 0
         nfp = (struct file *) 0xc1814000
         type = 0
         indx = 4
         error = -976839420
         lf = {l_start = 1369027681980, l_len = 279172874240, l_pid = 1, 
   l_type = -18920, l_whence = -16280}
         nd = {ni_dirp = 0x804c030 <Address 0x804c030 out of bounds>, 
   ni_segflg = UIO_USERSPACE, ni_startdir = 0x0, ni_rootdir = 0xc1230aa0, 
   ni_topdir = 0x0, ni_vp = 0xc184a660, ni_dvp = 0xc1230dd0, ni_pathlen = 1, 
   ni_next = 0xc127a008 "", ni_loopcnt = 0, ni_cnd = {cn_nameiop = 0, 
     cn_flags = 69255236, cn_thread = 0xc1296300, cn_cred = 0xc1818a80, 
     cn_lkflags = 2, cn_pnbuf = 0xc127a000 "/dev/ad0", 
     cn_nameptr = 0xc127a005 "ad0", cn_namelen = 3, cn_consume = 0}}
         vfslocked = -1066530404
 #11 0xc056df27 in open (td=0x0, uap=0xc5c69d04)
     at /home/src/sys/kern/vfs_syscalls.c:971
         error = -1054252288
 #12 0xc06586d2 in syscall (frame=
       {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134529072, tf_esi = 0,
 tf_ebp =
 -1077942168, tf_isp = -976839324, tf_ebx = 512, tf_edx = 0, tf_ecx =
 134533120, tf_eax =
 5, tf_trapno = 12, tf_err = 2, tf_eip = 672363575, tf_cs = 51, t---Type
 <return> to
 continue, or q <return> to quit---
 f_eflags = 642, tf_esp = -1077942212, tf_ss = 59})
     at /home/src/sys/i386/i386/trap.c:983
         params = 0xbfbfe840 <Address 0xbfbfe840 out of bounds>
         callp = (struct sysent *) 0xc06b7b1c
         td = (struct thread *) 0xc1296300
         p = (struct proc *) 0xc1293648
         orig_tf_eflags = 642
         sticks = 0
         error = 0
         narg = 3
         args = {134529072, 1, 438, 134533120, 12, 0, 0, -1054263736}
         code = 5
 #13 0xc0648d0f in Xint0x80_syscall ()
     at /home/src/sys/i386/i386/exception.s:200
 No locals.
 #14 0x00000033 in ?? ()
 No symbol table info available.
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) quit