From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 222027] panic on non-zero RACCT destroy
Date: Wed, 11 Apr 2018 13:43:24 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222027

Andriy Gapon changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #9 from Andriy Gapon ---
I devised a scenario for this bug. Running it for 10 minutes reliably
reproduces the crash.

In one shell I executed this small script as root:

    while true ; do ( sleep 2 ; exec su -c xuser -m root -c ':' ) & sleep 0.001 ; done

The idea behind this script is to make a process noticed by vm_daemon so that
its RACCT_RSS gets set and then call setloginclass() hoping to expose the race
described in comment #7.
"xuser" login class is selected because it's not used by anything else, so the
experiment is more pure.

In another shell I executed this dtrace command:

    dtrace -w -n '
    sys_setloginclass:entry { self->t = 1; }
    sys_setloginclass:return { self->t = 0; }
    proc_set_cred:entry /self->t/ { chill(100000000); }'

The idea is to make proc_set_cred() take much longer than usual while holding
the proc lock, so that vm_daemon has much higher chances of running into that
lock and getting blocked on it. When sys_setloginclass() releases the lock,
vm_daemon gets a chance to run and expose the race.

When I stop the test and initiate a graceful reboot, I get a panic about
RACCT_RSS underflow in "root" login class:

panic: racct_adjust_resource: resource 4 usage < 0
cpuid = 2
time = 1523437499
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe002b46d860
vpanic() at vpanic+0x19c/frame 0xfffffe002b46d8e0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe002b46d950
racct_adjust_resource() at racct_adjust_resource+0xd2/frame 0xfffffe002b46d980
racct_set_locked() at racct_set_locked+0x135/frame 0xfffffe002b46d9d0
racct_set() at racct_set+0x51/frame 0xfffffe002b46da00
vmspace_exit() at vmspace_exit+0x147/frame 0xfffffe002b46da40
exit1() at exit1+0x5ad/frame 0xfffffe002b46dab0
sys_sys_exit() at sys_sys_exit+0xd/frame 0xfffffe002b46dac0
amd64_syscall() at amd64_syscall+0x79b/frame 0xfffffe002b46dbf0
fast_syscall_common() at fast_syscall_common+0x105/frame 0xfffffe002b46dbf0
--- syscall (1, FreeBSD ELF64, sys_sys_exit), rip = 0x8008eb77a, rsp = 0x7fffffffe1a8, rbp = 0x7fffffffe1c0 ---

(kgdb) bt
#0  kdb_enter (why=0xffffffff814ee179 "panic", msg=)
    at /usr/devel/svn/autoro/sys/kern/subr_kdb.c:479
#1  0xffffffff80ac6549 in vpanic (fmt=, ap=0xfffffe002b46d920)
    at /usr/devel/svn/autoro/sys/kern/kern_shutdown.c:826
#2  0xffffffff80ac62f6 in kassert_panic (fmt=0xffffffff814ec548 "%s: resource %d usage < 0")
    at /usr/devel/svn/autoro/sys/kern/kern_shutdown.c:723
#3  0xffffffff80ab6ea2 in racct_adjust_resource (racct=0xfffff800074c6dd0, resource=4, amount=)
    at /usr/devel/svn/autoro/sys/kern/kern_racct.c:526
#4  0xffffffff80ab6965 in racct_set_locked (p=, resource=4, amount=, force=0)
    at /usr/devel/svn/autoro/sys/kern/kern_racct.c:618
#5  0xffffffff80ab67d1 in racct_set (p=0xfffff800149f7000, resource=4, amount=0)
    at /usr/devel/svn/autoro/sys/kern/kern_racct.c:739
#6  0xffffffff80de9577 in vmspace_container_reset (p=)
    at /usr/devel/svn/autoro/sys/vm/vm_map.c:318
#7  vmspace_exit (td=0xfffff8005d353000)
    at /usr/devel/svn/autoro/sys/vm/vm_map.c:427
#8  0xffffffff80a8175d in exit1 (td=0xfffff8005d353000, rval=, signo=0)
    at /usr/devel/svn/autoro/sys/kern/kern_exit.c:403
#9  0xffffffff80a811ad in sys_sys_exit (td=0xffffffff81d58408 , uap=)
    at /usr/devel/svn/autoro/sys/kern/kern_exit.c:181
#10 0xffffffff80f7df7b in syscallenter (td=0xfffff8005d353000)
    at /usr/devel/svn/autoro/sys/amd64/amd64/../../kern/subr_syscall.c:134
#11 amd64_syscall (td=0xfffff8005d353000, traced=0)
    at /usr/devel/svn/autoro/sys/amd64/amd64/trap.c:936

(kgdb) fr 3
#3  0xffffffff80ab6ea2 in racct_adjust_resource (racct=0xfffff800074c6dd0, resource=4, amount=)
    at /usr/devel/svn/autoro/sys/kern/kern_racct.c:526
526             KASSERT(RACCT_IS_SLOPPY(resource) || RACCT_IS_DECAYING(resource),

(kgdb) p *racct
$1 = {r_resources = {15961661599, 98304, 794624, 0, -1314816, 0, 3, 0,
    51683328, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 2817797305501, 132851, 0, 0, 0, 0},
  r_rule_links = {lh_first = 0x0}}

(kgdb) p *p->p_ucred->cr_loginclass
$4 = {lc_next = {le_next = 0xfffff800030692c0, le_prev = 0xfffff8000377b380},
  lc_name = "root", '\000' , lc_refcount = 6, lc_racct = 0xfffff800074c6dd0}

(kgdb) p *p->p_ucred->cr_loginclass->lc_racct
$5 = {r_resources = {15961661599, 98304, 794624, 0, -1314816, 0, 3, 0,
    51683328, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 2817797305501, 132851, 0, 0, 0, 0},
  r_rule_links = {lh_first = 0x0}}

-- 
You are receiving this mail because:
You are the assignee for the bug.
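
Added illustration, not part of the original bug comment and not FreeBSD source: a user-space C model of how a per-login-class RSS counter can go negative when an RSS update lands between the credential switch and the transfer of usage to the new class. The two-step split, the struct layouts and every `model_*` name are assumptions made for this sketch; the race itself is described in comment #7, which is not reproduced on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not kernel code: one RSS counter per login class
 * and one per process. */
struct lclass { const char *name; int64_t rss; };
struct proc   { struct lclass *lc; int64_t rss; };

/* Like a "set" on an accounting resource: charge the delta to the process
 * and to whichever login class the process points at right now. */
static void model_set_rss(struct proc *p, int64_t amount) {
    int64_t delta = amount - p->rss;
    p->rss = amount;
    p->lc->rss += delta;
}

/* Step 1 of a class change (assumed): switch the credential. */
static void model_switch_class(struct proc *p, struct lclass *newlc) {
    p->lc = newlc;
}

/* Step 2 (assumed): move the process's recorded usage from old to new. */
static void model_move_usage(struct proc *p, struct lclass *oldlc,
                             struct lclass *newlc) {
    oldlc->rss -= p->rss;
    newlc->rss += p->rss;
}

/* Returns the old class's RSS total after one class change.
 * set_in_window != 0 places the RSS update between step 1 and step 2. */
int64_t old_class_rss_after_move(int set_in_window, int64_t rss) {
    struct lclass root = { "root", 0 }, xuser = { "xuser", 0 };
    struct proc p = { &root, 0 };

    if (!set_in_window)
        model_set_rss(&p, rss);          /* update lands before the change */
    model_switch_class(&p, &xuser);
    if (set_in_window)
        model_set_rss(&p, rss);          /* delta is charged to xuser ...   */
    model_move_usage(&p, &root, &xuser); /* ... then subtracted from root   */
    return root.rss;
}

int main(void) {
    printf("ordered: root rss = %lld\n",
           (long long)old_class_rss_after_move(0, 4096));
    printf("raced:   root rss = %lld\n",
           (long long)old_class_rss_after_move(1, 4096));
    return 0;
}
```

In the raced ordering the old class is debited for usage it was never credited with, which matches the shape of the negative `r_resources` entry in the "root" login class above.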