Date:      Mon, 01 Dec 2008 23:11:44 -0600
From:      Richard Todd <rmtodd@ichotolot.servalan.com>
To:        freebsd-current@freebsd.org
Subject:   Re: Panic upon unmounting zfs snapshot: "vput: negative ref cnt"
Message-ID:  <x74p1nqhyn.fsf@ichotolot.servalan.com>
In-Reply-To: <servalan.mailinglist.fbsd-current/20081129184515.C3803C97@mx1.synetsystems.com> (Richard Todd's message of "Sat, 29 Nov 2008 12:16:23 -0600")
References:  <servalan.mailinglist.fbsd-current/20081129184515.C3803C97@mx1.synetsystems.com>

Richard Todd <rmtodd@ichotolot.servalan.com> writes:

> I'm running -CURRENT as of this Thursday, and discovered the following panic
> upon doing the fairly straightforward steps of making a snapshot, mounting
> it, doing some activity reading from the snapshot, and unmounting it --
> the exact sequence of commands was something like
>    zfs snapshot u1@foosnap
>    mount -r -t zfs u1@foosnap /mnt
>    ls -lR /mnt
>    umount /mnt
>    
> Got a crash dump, gdb info follows.  Note that the offending vp seems to be
> the vnode for the mount point that the snapshot was mounted on.

A bit more exploration and littering the unmount code with vprint()s and I 
think I've narrowed down the problem to the following bit of code near the 
end of zfs_umount in
/usr/src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c:

	if (zfsvfs->z_issnap) {
		vnode_t *svp = vfsp->mnt_vnodecovered;

		ASSERT(svp->v_count == 2);
		VN_RELE(svp);
	}

The above code seems to assume that the ZFS snapshot being unmounted was 
mounted through the .zfs/snapshot pseudo-directory mechanism; apparently
on mount the underlying vnode (for the .zfs/snapshot/xxx) has an extra 
reference added, so a VN_RELE needs to be done.  But if the mount of the
snapshot was done manually (via mount -t zfs), then the underlying vnode 
*doesn't* have the extra reference, so the VN_RELE here means that the later
vput() in dounmount will panic.  

The above code should probably be smarter and test whether 
vfsp->mnt_vnodecovered points to the .zfs/snapshot pseudodirectory or not;
unfortunately, I'm not sure how to do that.  Since I usually mount snapshots
by hand instead of using the .zfs/snapshot mechanism, for my purposes just
commenting out the above chunk of code solves my problem for the time being.
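
A userland C model of the reference imbalance described in this message, added here as an illustration; it is not code from the message or from the FreeBSD tree. The struct layouts, the `ctldir_hold` flag and the `guarded` switch are hypothetical, and recording the extra hold at mount time is an assumed approach, not a fix taken from the source.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userland model; hypothetical stand-ins, not the kernel's vnode/mount. */
struct vnode { int v_count; };
struct mount {
	struct vnode *mnt_vnodecovered;
	bool ctldir_hold; /* assumption: set at mount time if extra hold taken */
};

static void vn_hold(struct vnode *vp) { vp->v_count++; }
static void vn_rele(struct vnode *vp) { vp->v_count--; }

/* via_ctldir models the .zfs/snapshot path, which adds an extra reference. */
static void snap_mount(struct mount *mp, struct vnode *covered, bool via_ctldir)
{
	vn_hold(covered);		/* reference owned by the mount itself */
	if (via_ctldir)
		vn_hold(covered);	/* extra reference from .zfs/snapshot */
	mp->mnt_vnodecovered = covered;
	mp->ctldir_hold = via_ctldir;
}

/* Returns the covered vnode's final count; a negative value is the panic. */
static int snap_unmount(struct mount *mp, bool guarded)
{
	struct vnode *svp = mp->mnt_vnodecovered;
	/* Unguarded: release unconditionally, as the quoted snippet does. */
	if (!guarded || mp->ctldir_hold)
		vn_rele(svp);
	vn_rele(svp);	/* models the later vput() in dounmount */
	return svp->v_count;
}

static int run(bool via_ctldir, bool guarded)
{
	struct vnode covered = { 0 };
	struct mount mp;
	snap_mount(&mp, &covered, via_ctldir);
	return snap_unmount(&mp, guarded);
}

int main(void)
{
	printf("manual mount, unguarded release: %d\n", run(false, false));
	printf("ctldir mount, unguarded release: %d\n", run(true, false));
	printf("manual mount, guarded release:   %d\n", run(false, true));
	return 0;
}
```

Only the manual mount with the unconditional release ends below zero, which corresponds to the "vput: negative ref cnt" condition in the subject line.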



