From owner-freebsd-bugs Thu Jun 18 07:21:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA10314 for freebsd-bugs-outgoing; Thu, 18 Jun 1998 07:21:15 -0700 (PDT) (envelope-from owner-freebsd-bugs@FreeBSD.ORG) Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA10299 for ; Thu, 18 Jun 1998 07:21:11 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.8.8/8.8.5) id HAA09828; Thu, 18 Jun 1998 07:20:01 -0700 (PDT) Received: from tim.xenologics.com (tim.xenologics.com [194.77.5.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA10276 for ; Thu, 18 Jun 1998 07:21:02 -0700 (PDT) (envelope-from seggers@semyam.dinoco.de) Received: (from uucp@localhost) by tim.xenologics.com (8.8.5/8.8.8) with UUCP id QAA14954 for FreeBSD-gnats-submit@freebsd.org; Thu, 18 Jun 1998 16:18:33 +0200 (MET DST) Received: (from seggers@localhost) by semyam.dinoco.de (8.8.8/8.8.8) id LAA02713; Thu, 18 Jun 1998 11:54:08 +0200 (CEST) (envelope-from seggers) Message-Id: <199806180954.LAA02713@semyam.dinoco.de> Date: Thu, 18 Jun 1998 11:54:08 +0200 (CEST) From: Stefan Eggers Reply-To: seggers@semyam.dinoco.de To: FreeBSD-gnats-submit@FreeBSD.ORG Cc: seggers@semyam.dinoco.de X-Send-Pr-Version: 3.2 Subject: kern/6981: CD unmount w/o CD in drive can cause panic Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 6981 >Category: kern >Synopsis: CD unmount w/o CD in drive can cause panic >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Jun 18 07:20:01 PDT 1998 >Last-Modified: >Originator: Stefan Eggers >Organization: none >Release: FreeBSD 2.2.6-STABLE i386 >Environment: My 2.2-current machine. It has a SCSI CD-ROM drive attached to an AMM-1570 host adapter (AIC-6360, utilizes aic driver). The OS was cvsuped at about May 29th, 1998. >Description: Under certain circumstances removing a mounted CD-ROM from its drive can cause an unmount attempt w/o propperly reinserting it to fail with a panic. See below. GDB is free software and you are welcome to distribute copies of it under certain conditions; type "show copying" to see the conditions. There is absolutely no warranty for GDB; type "show warranty" for details. GDB 4.16 (i386-unknown-freebsd), Copyright 1996 Free Software Foundation, Inc... IdlePTD 1bd000 current pcb at 1a3f70 panic: vref used where vget required #0 boot (howto=256) at ../../kern/kern_shutdown.c:266 266 dumppcb.pcb_cr3 = rcr3(); (kgdb) bt #0 boot (howto=256) at ../../kern/kern_shutdown.c:266 #1 0xf0110d92 in panic (fmt=0xf012db96 "vref used where vget required") at ../../kern/kern_shutdown.c:400 #2 0xf012dbca in vref (vp=0xf0602100) at ../../kern/vfs_subr.c:833 #3 0xf0102290 in iso_iget (xp=0xefbffd60, ino=49152, relocated=1, ipp=0xefbffcec, isodir=0xf05cd74c) at ../../isofs/cd9660/cd9660_node.c:247 #4 0xf01042f9 in cd9660_root (mp=0xf05d2000, vpp=0xefbffe14) at ../../isofs/cd9660/cd9660_vfsops.c:559 #5 0xf012c8f8 in lookup (ndp=0xefbffeac) at ../../kern/vfs_lookup.c:482 #6 0xf012c30b in namei (ndp=0xefbffeac) at ../../kern/vfs_lookup.c:156 #7 0xf01304bc in stat (p=0xf05d8400, uap=0xefbfff94, retval=0xefbfff84) at ../../kern/vfs_syscalls.c:1290 #8 0xf017b1a7 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 2, tf_esi = -272640596, tf_ebp = -272639460, tf_isp = -272629788, tf_ebx = -272640596, tf_edx = -272639572, tf_ecx = -272640595, tf_eax = 188, tf_trapno = 7, tf_err = 7, tf_eip = 89093, tf_cs = 31, tf_eflags = 646, tf_esp = -272640648, tf_ss = 39}) at ../../i386/i386/trap.c:920 #9 0x15c05 in ?? () #10 0x12d3 in ?? () #11 0x107e in ?? () (kgdb) q I will keep around the crash dump for some time in case someone wants more details. And anyway, I can easily reproduce it on my system and as I am the only user it won't cause any trouble to me. So just ask. >How-To-Repeat: 1) Mount a CD-ROM but do not do any access on it. 2) Start some program like xmcd (with tray locking disabled) which causes the tray to get unlocked. 3) Open the tray. 4) I closed it at this point but made sure the next step was performed before the drive realized it had a CD-ROM in it. For repeating I think it is good enough to leave the tray open. 5) Try to unmount the CD-ROM. >Fix: Not known. I think doing a lock on the right vnode will do the trick when done in the mount function of the CD9660 file system but am not able to fully understand it, yet. Then it will be legal to do a VREF(9) on it at the place it panics at present. To repeat what I wrote in a reply to a somewhat related problem report (bin/5134): I did some investigation and an experiment. The panic only shows up when I do not access the CD's directory. If I do an "ls" before eject with unmount everything is fine. So I took a look at the locking operations the cd9660 file system does on inodes and vnodes as my thought was that the accesses to some directory or file will probably lock the node and thus then the VREF() is legal. W/o the lookup the node is as unlocked as when it was created. Trying a VREF() on it will cause the panic. I didn't understand it, yet (only looked at it for a few minutes) but it seems as if the name lookup in cd9660_lookup.c locks them on its way down but does not unlock them. That would explain why a simple "ls" on the CD-ROM prevented the panic. It was locked by the lookup already. >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message