From: Richard Todd
Date: Mon, 01 Dec 2008 23:11:44 -0600
To: freebsd-current@freebsd.org
Subject: Re: Panic upon unmounting zfs snapshot: "vput: negative ref cnt"
In-Reply-To: (Richard Todd's message of "Sat, 29 Nov 2008 12:16:23 -0600")

Richard Todd writes:

> I'm running -CURRENT as of this Thursday, and discovered the following panic
> upon doing the fairly straightforward steps of making a snapshot, mounting
> it, doing some activity reading from the snapshot, and unmounting it --
> the exact sequence of commands was something like
> zfs snapshot u1@foosnap
> mount -r -t zfs u1@foosnap /mnt
> ls -lR /mnt
> umount /mnt
>
> Got a crash dump, gdb info follows.
> Note that the offending vp seems to be
> the vnode for the mount point that the snapshot was mounted on.

A bit more exploration and littering the unmount code with vprint()s and
I think I've narrowed down the problem to the following bit of code near
the end of zfs_umount in
/usr/src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vfsops.c:

	if (zfsvfs->z_issnap) {
		vnode_t *svp = vfsp->mnt_vnodecovered;

		ASSERT(svp->v_count == 2);
		VN_RELE(svp);
	}

The above code seems to assume that the ZFS snapshot being unmounted was
mounted through the .zfs/snapshot pseudo-directory mechanism; apparently
on mount the underlying vnode (for the .zfs/snapshot/xxx) has an extra
reference added, so a VN_RELE needs to be done. But if the mount of the
snapshot was done manually (via mount -t zfs), then the underlying vnode
*doesn't* have the extra reference, so the VN_RELE here means that the
later vput() in dounmount will panic.

The above code should probably be smarter and test whether
vfsp->mnt_vnodecovered points to the .zfs/snapshot pseudodirectory or
not; unfortunately, I'm not sure how to do that. Since I usually mount
snapshots by hand instead of using the .zfs/snapshot mechanism, for my
purposes just commenting out the above chunk of code solves my problem
for the time being.
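
The imbalance described in the message above, as an added user-space C model (not FreeBSD kernel code and not part of the original post). The struct names, the reference counts and the extra_hold flag are assumptions made for illustration; extra_hold stands in for whatever test would tell a .zfs/snapshot mount from a manual one.

```c
/* User-space model of the reference imbalance (constructed; not kernel code). */
#include <stdbool.h>
#include <stdio.h>

struct vnode_model { int v_count; };     /* stands in for the covered vnode */
struct mount_model {
    struct vnode_model *covered;         /* models vfsp->mnt_vnodecovered */
    bool is_snap;                        /* models zfsvfs->z_issnap */
    bool extra_hold;                     /* hypothetical: mount took the extra ref */
};

/* Drop one reference; false means underflow, the condition vput() panics on. */
static bool rele(struct vnode_model *vp) {
    if (vp->v_count <= 0)
        return false;
    vp->v_count--;
    return true;
}

/* via_ctldir models a mount through .zfs/snapshot, which adds a reference. */
static void mount_snap(struct mount_model *mp, struct vnode_model *vp, bool via_ctldir) {
    vp->v_count = via_ctldir ? 2 : 1;    /* mount's own ref, plus the extra one */
    mp->covered = vp;
    mp->is_snap = true;
    mp->extra_hold = via_ctldir;
}

/* check_hold=false is the unconditional VN_RELE quoted in the message. */
static bool umount_snap(struct mount_model *mp, bool check_hold) {
    bool ok = true;
    if (mp->is_snap && (!check_hold || mp->extra_hold))
        ok = rele(mp->covered);          /* the VN_RELE in zfs_umount */
    return rele(mp->covered) && ok;      /* the later vput() in dounmount */
}

/* Returns the final count, or -1 if a release underflowed. */
int run(bool via_ctldir, bool check_hold) {
    struct vnode_model vp = { 0 };
    struct mount_model mp;
    mount_snap(&mp, &vp, via_ctldir);
    return umount_snap(&mp, check_hold) ? vp.v_count : -1;
}

int main(void) {
    printf("ctldir, unconditional: %d\n", run(true, false));
    printf("manual, unconditional: %d\n", run(false, false));
    printf("manual, checked:       %d\n", run(false, true));
    printf("ctldir, checked:       %d\n", run(true, true));
    return 0;
}
```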