Date:      Thu, 18 Jun 1998 11:54:08 +0200 (CEST)
From:      Stefan Eggers <seggers@semyam.dinoco.de>
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Cc:        seggers@semyam.dinoco.de
Subject:   kern/6981: CD unmount w/o CD in drive can cause panic
Message-ID:  <199806180954.LAA02713@semyam.dinoco.de>

>Number:         6981
>Category:       kern
>Synopsis:       CD unmount w/o CD in drive can cause panic
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 18 07:20:01 PDT 1998
>Last-Modified:
>Originator:     Stefan Eggers
>Organization:
none
>Release:        FreeBSD 2.2.6-STABLE i386
>Environment:

	My 2.2-current machine.  It has a SCSI CD-ROM drive attached
to an AMM-1570 host adapter (AIC-6360, utilizes aic driver).  The OS
was cvsuped at about May 29th, 1998. 

>Description:

	Under certain circumstances removing a mounted CD-ROM from its
drive can cause an unmount attempt w/o properly reinserting it to
fail with a panic.  See below.

GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i386-unknown-freebsd), 
Copyright 1996 Free Software Foundation, Inc...
IdlePTD 1bd000
current pcb at 1a3f70
panic: vref used where vget required
#0  boot (howto=256) at ../../kern/kern_shutdown.c:266
266					dumppcb.pcb_cr3 = rcr3();
(kgdb) bt
#0  boot (howto=256) at ../../kern/kern_shutdown.c:266
#1  0xf0110d92 in panic (fmt=0xf012db96 "vref used where vget required")
    at ../../kern/kern_shutdown.c:400
#2  0xf012dbca in vref (vp=0xf0602100) at ../../kern/vfs_subr.c:833
#3  0xf0102290 in iso_iget (xp=0xefbffd60, ino=49152, relocated=1, 
    ipp=0xefbffcec, isodir=0xf05cd74c) at ../../isofs/cd9660/cd9660_node.c:247
#4  0xf01042f9 in cd9660_root (mp=0xf05d2000, vpp=0xefbffe14)
    at ../../isofs/cd9660/cd9660_vfsops.c:559
#5  0xf012c8f8 in lookup (ndp=0xefbffeac) at ../../kern/vfs_lookup.c:482
#6  0xf012c30b in namei (ndp=0xefbffeac) at ../../kern/vfs_lookup.c:156
#7  0xf01304bc in stat (p=0xf05d8400, uap=0xefbfff94, retval=0xefbfff84)
    at ../../kern/vfs_syscalls.c:1290
#8  0xf017b1a7 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 2, 
      tf_esi = -272640596, tf_ebp = -272639460, tf_isp = -272629788, 
      tf_ebx = -272640596, tf_edx = -272639572, tf_ecx = -272640595, 
      tf_eax = 188, tf_trapno = 7, tf_err = 7, tf_eip = 89093, tf_cs = 31, 
      tf_eflags = 646, tf_esp = -272640648, tf_ss = 39})
    at ../../i386/i386/trap.c:920
#9  0x15c05 in ?? ()
#10 0x12d3 in ?? ()
#11 0x107e in ?? ()
(kgdb) q

	I will keep around the crash dump for some time in case
someone wants more details.  And anyway, I can easily reproduce it on
my system and as I am the only user it won't cause any trouble to me.
So just ask.

>How-To-Repeat:

	1) Mount a CD-ROM but do not do any access on it.
	2) Start some program like xmcd (with tray locking disabled)
	   which causes the tray to get unlocked.
	3) Open the tray.
	4) I closed it at this point but made sure the next step was
	   performed before the drive realized it had a CD-ROM in it.
	   For repeating I think it is good enough to leave the tray
	   open.
	5) Try to unmount the CD-ROM.
           
>Fix:
	
	Not known.  I think doing a lock on the right vnode will do
the trick when done in the mount function of the CD9660 file system
but am not able to fully understand it, yet.  Then it will be legal to
do a VREF(9) on it at the place it panics at present.  To repeat what
I wrote in a reply to a somewhat related problem report (bin/5134):

I did some investigation and an experiment.  The panic only shows 
up when I do not access the CD's directory.  If I do an "ls" before
eject with unmount everything is fine.
  
So I took a look at the locking operations the cd9660 file system
does on inodes and vnodes as my thought was that the accesses to
some directory or file will probably lock the node and thus then
the VREF() is legal.  W/o the lookup the node is as unlocked as
when it was created.  Trying a VREF() on it will cause the panic.

I didn't understand it, yet (only looked at it for a few minutes)
but it seems as if the name lookup in cd9660_lookup.c locks them
on its way down but does not unlock them.  That would explain why 
a simple "ls" on the CD-ROM prevented the panic.  It was locked by
the lookup already.
>Audit-Trail:
>Unformatted:
