Date: Wed, 11 Apr 2018 13:43:24 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 222027] panic on non-zero RACCT destroy
Message-ID: <bug-222027-227-Z6AcZ8dtXq@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-222027-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-222027-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222027

Andriy Gapon <avg@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #9 from Andriy Gapon <avg@FreeBSD.org> ---
I devised a scenario for this bug.
Running it for 10 minutes reliably reproduces the crash.

In one shell I executed this small script as root:

  while true ; do ( sleep 2 ; exec su -c xuser -m root -c ':' ) & sleep 0.001 ; done

The idea behind this script is to make a process noticed by vm_daemon so that
its RACCT_RSS gets set and then call setloginclass() hoping to expose the race
described in comment #7.
"xuser" login class is selected because it's not used by anything else, so the
experiment is more pure.

In another shell I executed this dtrace command:

  dtrace -w -n 'sys_setloginclass:entry { self->t = 1; } sys_setloginclass:return { self->t = 0; } proc_set_cred:entry /self->t/ { chill(100000000); }'

The idea is to make proc_set_cred() take much longer than usual while holding
the proc lock, so that vm_daemon has much higher chances of running into that
lock and getting blocked on it.
When sys_setloginclass() releases the lock, vm_daemon gets a chance to run and
expose the race.

When I stop the test and initiate a graceful reboot, I get a panic about
RACCT_RSS underflow in "root" login class:

panic: racct_adjust_resource: resource 4 usage < 0
cpuid = 2
time = 1523437499
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe002b46d860
vpanic() at vpanic+0x19c/frame 0xfffffe002b46d8e0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe002b46d950
racct_adjust_resource() at racct_adjust_resource+0xd2/frame 0xfffffe002b46d980
racct_set_locked() at racct_set_locked+0x135/frame 0xfffffe002b46d9d0
racct_set() at racct_set+0x51/frame 0xfffffe002b46da00
vmspace_exit() at vmspace_exit+0x147/frame 0xfffffe002b46da40
exit1() at exit1+0x5ad/frame 0xfffffe002b46dab0
sys_sys_exit() at sys_sys_exit+0xd/frame 0xfffffe002b46dac0
amd64_syscall() at amd64_syscall+0x79b/frame 0xfffffe002b46dbf0
fast_syscall_common() at fast_syscall_common+0x105/frame 0xfffffe002b46dbf0
--- syscall (1, FreeBSD ELF64, sys_sys_exit), rip = 0x8008eb77a, rsp = 0x7fffffffe1a8, rbp = 0x7fffffffe1c0 ---

(kgdb) bt
#0  kdb_enter (why=0xffffffff814ee179 "panic", msg=<optimized out>)
    at /usr/devel/svn/autoro/sys/kern/subr_kdb.c:479
#1  0xffffffff80ac6549 in vpanic (fmt=<optimized out>, ap=0xfffffe002b46d920)
    at /usr/devel/svn/autoro/sys/kern/kern_shutdown.c:826
#2  0xffffffff80ac62f6 in kassert_panic (fmt=0xffffffff814ec548 "%s: resource %d usage < 0")
    at /usr/devel/svn/autoro/sys/kern/kern_shutdown.c:723
#3  0xffffffff80ab6ea2 in racct_adjust_resource (racct=0xfffff800074c6dd0, resource=4, amount=<optimized out>)
    at /usr/devel/svn/autoro/sys/kern/kern_racct.c:526
#4  0xffffffff80ab6965 in racct_set_locked (p=<optimized out>, resource=4, amount=<optimized out>, force=0)
    at /usr/devel/svn/autoro/sys/kern/kern_racct.c:618
#5  0xffffffff80ab67d1 in racct_set (p=0xfffff800149f7000, resource=4, amount=0)
    at /usr/devel/svn/autoro/sys/kern/kern_racct.c:739
#6  0xffffffff80de9577 in vmspace_container_reset (p=<optimized out>)
    at /usr/devel/svn/autoro/sys/vm/vm_map.c:318
#7  vmspace_exit (td=0xfffff8005d353000)
    at /usr/devel/svn/autoro/sys/vm/vm_map.c:427
#8  0xffffffff80a8175d in exit1 (td=0xfffff8005d353000, rval=<optimized out>, signo=0)
    at /usr/devel/svn/autoro/sys/kern/kern_exit.c:403
#9  0xffffffff80a811ad in sys_sys_exit (td=0xffffffff81d58408 <cnputs_mtx>, uap=<optimized out>)
    at /usr/devel/svn/autoro/sys/kern/kern_exit.c:181
#10 0xffffffff80f7df7b in syscallenter (td=0xfffff8005d353000)
    at /usr/devel/svn/autoro/sys/amd64/amd64/../../kern/subr_syscall.c:134
#11 amd64_syscall (td=0xfffff8005d353000, traced=0)
    at /usr/devel/svn/autoro/sys/amd64/amd64/trap.c:936

(kgdb) fr 3
#3  0xffffffff80ab6ea2 in racct_adjust_resource (racct=0xfffff800074c6dd0, resource=4, amount=<optimized out>)
    at /usr/devel/svn/autoro/sys/kern/kern_racct.c:526
526             KASSERT(RACCT_IS_SLOPPY(resource) || RACCT_IS_DECAYING(resource),

(kgdb) p *racct
$1 = {r_resources = {15961661599, 98304, 794624, 0, -1314816, 0, 3, 0, 51683328, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 2817797305501, 132851, 0, 0, 0, 0}, r_rule_links = {lh_first = 0x0}}

(kgdb) p *p->p_ucred->cr_loginclass
$4 = {lc_next = {le_next = 0xfffff800030692c0, le_prev = 0xfffff8000377b380}, lc_name = "root", '\000' <repeats 28 times>, lc_refcount = 6, lc_racct = 0xfffff800074c6dd0}

(kgdb) p *p->p_ucred->cr_loginclass->lc_racct
$5 = {r_resources = {15961661599, 98304, 794624, 0, -1314816, 0, 3, 0, 51683328, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 2817797305501, 132851, 0, 0, 0, 0}, r_rule_links = {lh_first = 0x0}}

-- 
You are receiving this mail because:
You are the assignee for the bug.