From owner-freebsd-bugs  Fri Aug 30 21:10:10 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0088D37B400
	for <freebsd-bugs@hub.freebsd.org>; Fri, 30 Aug 2002 21:10:03 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4784643E72
	for <freebsd-bugs@hub.freebsd.org>; Fri, 30 Aug 2002 21:10:02 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g7V4A2JU013343
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 30 Aug 2002 21:10:02 -0700 (PDT)
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g7V4A2pg013342;
	Fri, 30 Aug 2002 21:10:02 -0700 (PDT)
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E09A337B400
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
Received: from www.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 87ACB43E65
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.4/8.12.4) with ESMTP id g7V459OT098071
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.4/8.12.4/Submit) id g7V459QY098070;
	Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
Message-Id: <200208310405.g7V459QY098070@www.freebsd.org>
Date: Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
From: Kip Macy <kmacy@fsmware.com>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: kern/42235: system panics with "worklist_remove: item not on list" when mapping user memory into kernel
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-bugs.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-bugs>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-bugs>
X-Loop: FreeBSD.org


>Number:         42235
>Category:       kern
>Synopsis:       system panics with "worklist_remove: item not on list" when mapping user memory into kernel
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 30 21:10:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Kip Macy
>Release:        4.5-RELEASE,4.6-STABLE
>Organization:
>Environment:
FreeBSD serendipity.fsmware.com 4.5-RELEASE FreeBSD 4.5-RELEASE #6: Mon Aug 26 19:52:23 PDT 2002     kmacy@serendipity.fsmware.com:/usr/src/sys/compile/MACHINE  i386
>Description:
I have a kernel module that maps two 64k chunks of user memory into the kernel
using the same set of steps that cam_periph_mapmem uses. However, I inevitably
get the following panic after running the code for a bit:

Aug 30 14:55:26 testhost /kernel: panic: worklist_remove: not on list
Aug 30 14:55:26 testhost /kernel: 
Aug 30 14:55:26 testhost /kernel: syncing disks... 8 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 
Aug 30 14:55:26 testhost /kernel: giving up on 1 buffers

This is a panic in ffs_softdep.c, it implies to me that either the FFS code
isn't recognizing that not all buffers belong to it or getpbuf isn't doing all
the needed accounting. 

Also worthy of note is that my kernel module has a lot of printfs which
obviously translate to a lot of synchronous writes by syslog, presumably 
putting memory pressure on the file system.

The interesting portion of the backtrace is:

panic
worklist_remove
softdep_update_inodeblock
ffs_update
ffs_fsync
fsync

The code at the panic is:
	if ((item->wk_state & ONWORKLIST) == 0) {
		FREE_LOCK(&lk);
		panic("worklist_remove: not on list");
	}

in softdep_update_inodeblock the call to worklist_remove is:

	while ((wk = LIST_FIRST(&inodedep->id_inowait)) != NULL) {
		WORKLIST_REMOVE(wk);
		WORKLIST_INSERT(&inodedep->id_bufwait, wk);
	}

which indicates that either it was put on inowait without 
ONWORKLIST being set or ONWORKLIST was unset without it being
removed from the list
>How-To-Repeat:
Get a buffer, map it, and then generate a lot of synchronous file system
traffic via syslog. 
I can write a test program if it will help. However, I think it is pretty
clear what is going on.
>Fix:
      
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message