Date: Sun, 18 May 2003 23:21:00 +0200 From: Alucard <lolownia@polbox.com> To: FreeBSD-gnats-submit@FreeBSD.org Subject: kern/52412: panic lockmgr on close() in ro nullfs Message-ID: <200305182120.h4ILKrg06824@smtp.polbox.com> Resent-Message-ID: <200305182130.h4ILUArk021692@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 52412
>Category: kern
>Synopsis: panic lockmgr on close() in ro nullfs
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun May 18 14:30:10 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Lolownia
>Release: FreeBSD 5.0-RELEASE-p7 i386
>Organization:
>Environment:
System: FreeBSD mistress 5.0-RELEASE-p7 FreeBSD 5.0-RELEASE-p7 #0: Wed May 14 09:19:06 CEST 2003 creep@mistress:/usr/obj/usr/src/sys/NIGDY i386
System: FreeBSD disaster 5.0-RELEASE-p7 FreeBSD 5.0-RELEASE-p7 #0: Thu May 15 19:00:15 CEST 2003 lol@disaster:/home/lol/src/sys/i386/compile/BUG i386
Copyright (c) 1992-2003 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.0-RELEASE-p7 #0: Thu May 15 19:00:15 CEST 2003
lol@disaster:/home/lol/src/sys/i386/compile/BUG
Preloaded elf kernel "/boot/kernel/kernel" at 0xc0673000.
Timecounter "i8254" frequency 1193182 Hz
Timecounter "TSC" frequency 399320985 Hz
CPU: Pentium II/Pentium II Xeon/Celeron (399.32-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x652 Stepping = 2
Features=0x183f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR>
real memory = 67108864 (64 MB)
avail memory = 58302464 (55 MB)
Initializing GEOMetry subsystem
Pentium Pro MTRR support enabled
npx0: <math processor> on motherboard
npx0: INT 16 interface
Using $PIR table, 6 entries at 0xc00fdad0
pcib0: <Intel 82443BX (440 BX) host to PCI bridge> at pcibus 0 on motherboard
pci0: <PCI bus> on pcib0
agp0: <Intel 82443BX (440 BX) host to PCI bridge> mem 0xe0000000-0xe3ffffff at device 0.0 on pci0
pcib1: <PCIBIOS PCI-PCI bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
isab0: <PCI-ISA bridge> at device 7.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 ATA33 controller> port 0xf000-0xf00f at device 7.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
uhci0: <Intel 82371AB/EB (PIIX4) USB controller> port 0xe000-0xe01f irq 11 at device 7.2 on pci0
usb0: <Intel 82371AB/EB (PIIX4) USB controller> on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
pci0: <bridge, PCI-unknown> at device 7.3 (no driver attached)
rl0: <RealTek 8139 10/100BaseTX> port 0xe400-0xe4ff mem 0xe8000000-0xe80000ff irq 10 at device 8.0 on pci0
rl0: Realtek 8139B detected. Warning, this may be unstable in autoselect mode
rl0: Ethernet address: 00:02:44:0b:7c:8f
miibus0: <MII bus> on rl0
rlphy0: <RealTek internal media interface> on miibus0
rlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
pci0: <display, VGA> at device 11.0 (no driver attached)
orm0: <Option ROM> at iomem 0xc0000-0xc7fff on isa0
pmtimer0 on isa0
atkbdc0: <Keyboard controller (i8042)> at port 0x64,0x60 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
fdc0: <Enhanced floppy controller (i82077, NE72065 or clone)> at port 0x3f7,0x3f0-0x3f5 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
plip0: <PLIP network interface> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
ppi0: <Parallel I/O> on ppbus0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
sio1 at port 0x2f8-0x2ff irq 3 on isa0
sio1: type 16550A
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
unknown: <PNP0303> can't assign resources (port)
unknown: <PNP0a03> can't assign resources (port)
unknown: <PNP0501> can't assign resources (port)
unknown: <PNP0501> can't assign resources (port)
unknown: <PNP0700> can't assign resources (port)
unknown: <PNP0401> can't assign resources (port)
Timecounters tick every 10.000 msec
ad0: 16446MB <ST317242A> [33416/16/63] at ata0-master UDMA33
Mounting root from ufs:/dev/ad0s1a
lock order reversal
1st 0xc1fd3788 process lock (process lock) @ ../../../kern/kern_descrip.c:2112
2nd 0xc1f96d34 filedesc structure (filedesc structure) @ ../../../kern/kern_descrip.c:2119
------------------------------
Kernel is a GENERIC with DDB,INVARIANTS and WITNESS turned on.
kern.ipc.nmbclusters set to 16384 but since MSIZE is 256
[from /usr/include/sys/param.h] it gives 16384*256=4MB
[and machine has 64MB RAM so it shouldn't be a problem [or am i wrong?],
changed after 'mbuf exhausted' message with nmbclusters set to 3072]
>Description:
Machine has few services [smtp,pop3,named,www,ssh] but with little load.
It also has a jail set up as follows:
cd /jail
mount_nullfs -o ro /bin bin
mount_nullfs -o ro /usr usr
mount -t devfs devfs dev
missing directory structure in /jail is created, only these dirtrees are
shared.
In this jail sshd daemon is running.
I logged as a normal user to the ssh running in jail, then after a while
issued man some_man_page. Got a panic: [luckily i got DDB]
panic: lockmgr: pid 659, not exclusive lock holder 658 ulocking
Debugger("panic")
Stopped at Debugger+0x54: xchgl %ebx,in_Debugger.0
db> trace
Debugger(c04s0abb,c05743e0,c04cf267,cc439ae0,1) at Debugger+0x54
panic(c04cf267,293,c04cf251,292,293) at panic+0xab
lockmgr(c344b2ec,6,c35e6e6c,c35f6460,c35f6460) at lockmgr+0x45e
null_unlock(cc439b4c,c04f2ac0,c35e6e6c,c04f2b00,c35e6e6c) at null_unlock+0xfb
null_inactive(cc439b7c,10002,c35f6460,877,c04f2a40) at null_inactive+0x3d
vrele(c35e6e6c,c04f2540,c35e6e6c,1,c3677b00) at vrele+0xdf
vn_close(c35e6e6c,1,c3677b00,c35f6460,cc439c44) at vn_close+0x5d
vn_closefile(c3657ec4,c35f6460,c04ce33c,741,0) at vn_closefile_0x30
fdrop_locked(c3657ec4,c35f6460,c04ce33c,67b,c35f6460) at fdrop_locked+0x17c
fdrop(c3657ec4,c35f6460,c05754a0,c05773f8,246) at fdrop+0x3e
closef(c3657ec4,c35f6460,c04ce33c,340,c3657ec4) at closef+0xac
syscall(2f,2f,2f,28063040,28064100) at syscall+0x28e
Xint0x80_syscall() at Xint0x80_syscall+0x1d
--- syscall (6, FreeBSD ELF32, close), eip = 0x28051a17, esp = 0xbfbff9ec, ebp =
0xbfbffa88 ---
db>
I know nullfs is unstable and i could be prepeard for this, but
maybe this pr will increase the stability just a little bit.
I'm not sure if it's not the same as kern/37270 [it's state open anyway]
Also I'm not sure if this is nmbclusters value fault, but i don't want to
test it since i have only remote access to this mashine.
[and luckily someone to rewrite the debugger messages by hand and reset the
machine]
>How-To-Repeat:
I'm not sure. It sometimes happens, sometimes not. It's first time
i got trace [previously run non debugging kernel]
Machine has jail as described,
and named, postfix, apache, pop daemon, few irc sessions.
now:
last pid: 772; load averages: 0.02, 0.02, 0.00 up 0+01:13:02 23:09:19
35 processes: 1 running, 34 sleeping
CPU states: 0.0% user, 0.0% nice, 0.4% system, 0.0% interrupt, 99.6% idle
Mem: 13M Active, 21M Inact, 16M Wired, 5760K Cache, 14M Buf, 740K Free
Swap: 455M Total, 455M Free
then the panic occured, the situation wasn't much different.
I hope this helps, but i know it's not enough. If i can provide more info,
e-mail me please.
>Fix:
I'm not a hacker :P
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200305182120.h4ILKrg06824>