From owner-freebsd-fs Thu Dec 5 17:35:52 2002 Delivered-To: freebsd-fs@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C48137B401 for ; Thu, 5 Dec 2002 17:35:48 -0800 (PST) Received: from beastie.mckusick.com (beastie.mckusick.com [209.31.233.184]) by mx1.FreeBSD.org (Postfix) with ESMTP id 75A3C43EB2 for ; Thu, 5 Dec 2002 17:35:47 -0800 (PST) (envelope-from mckusick@beastie.mckusick.com) Received: from beastie.mckusick.com (localhost [127.0.0.1]) by beastie.mckusick.com (8.12.3/8.12.3) with ESMTP id gB61Zk59092119; Thu, 5 Dec 2002 17:35:46 -0800 (PST) (envelope-from mckusick@beastie.mckusick.com) Message-Id: <200212060135.gB61Zk59092119@beastie.mckusick.com> To: Kris Kennaway Subject: panic: ffs_vfree: range: dev = ad4s1c, ino = -1690809896, fs = /mnt2 Cc: Robert Watson , fs@FreeBSD.ORG In-Reply-To: Your message of "Thu, 05 Dec 2002 16:49:21 PST." <20021206004921.GB69174@rot13.obsecurity.org> Date: Thu, 05 Dec 2002 17:35:46 -0800 From: Kirk McKusick Sender: owner-freebsd-fs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Well it is not at all clear how the dirpref routine came up with such an out of whack inode preference (2604157400 when the filesystem has only 3538944 inodes), but the following fix should catch it and make it harmless. I have submitted the patch to release engineering. Kirk McKusick =-=-=-=-= Index: ffs_alloc.c =================================================================== RCS file: /usr/ncvs/src/sys/ufs/ffs/ffs_alloc.c,v retrieving revision 1.102 diff -c -r1.102 ffs_alloc.c *** ffs_alloc.c 2002/09/19 03:55:30 1.102 --- ffs_alloc.c 2002/12/06 01:15:50 *************** *** 841,847 **** ipref = ffs_dirpref(pip); else ipref = pip->i_number; ! 
if (ipref >= fs->fs_ncg * fs->fs_ipg) ipref = 0; cg = ino_to_cg(fs, ipref); /* --- 841,847 ---- ipref = ffs_dirpref(pip); else ipref = pip->i_number; ! if ((unsigned)ipref >= fs->fs_ncg * fs->fs_ipg) ipref = 0; cg = ino_to_cg(fs, ipref); /* =-=-=-=-= Date: Thu, 5 Dec 2002 16:49:21 -0800 From: Kris Kennaway To: Kirk McKusick Cc: Kris Kennaway , Robert Watson , fs@FreeBSD.ORG Subject: panic: ffs_vfree: range: dev = ad4s1c, ino = -1690809896, fs = /mnt2 X-ASK-Info: Whitelist match On Thu, Dec 05, 2002 at 04:43:32PM -0800, Kirk McKusick wrote: > Do you still have this crash dump available? The back trace looks > "impossible". The call to ffs_vfree at line #16 below shows pvp=0 > and ino=0. Inspection of the code shows this to be impossible > as three lines above the call to ffs_vfree is a check for ino == 0 > which takes a different path. The call to softdep_freefile at #15 > uses the passed in value of ino, yet shows ino=2604157400. So I > have no idea what is really going on here. I am guessing that gdb > must be lying about the values. Alternatively you kernel stack is > somehow getting trashed. 
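Review bot: The `(unsigned)` cast added to the `ipref >= fs->fs_ncg * fs->fs_ipg` test only changes the outcome if `ipref` is a signed type, and its declaration, like the rest of the enclosing function, is outside this hunk. If `ipref` is already an unsigned inode type, the old comparison was unsigned too and the patch is a no-op. The kgdb output quoted in this thread reports `ipref = 0` and `ino = 2604157400` at ffs_alloc.c:864, so the out-of-range number may be carried by `ino` rather than `ipref`, although the thread itself doubts those printed values. I would apply the same bound to the allocated inode number and treat an `ino` at or above `fs->fs_ncg * fs->fs_ipg` as an allocation failure before it is used or handed to `UFS_VFREE`. The new test also deserves a comment such as `/* Clamp a bogus preference; compare unsigned so a negative ipref is caught too. */`.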
At any rate, if you still have the dump > available, it would be useful to send me the output from the > following gdb commands: > > frame 17 > print error > print ino > print ipref > print cg > print pvp > print *pvp > print pip > print *pip > print fs > print *fs (kgdb) frame 17 #17 0xc02aa604 in ffs_valloc (pvp=0xc7b0ea8c, mode=16832, cred=0xc710fe80, vpp=0xdc06aa54) at ../../../ufs/ffs/ffs_alloc.c:864 864 UFS_VFREE(pvp, ino, mode); (kgdb) print error $1 = 5 (kgdb) print ino $2 = 2604157400 (kgdb) print ipref $3 = 0 (kgdb) print cg $4 = 16832 (kgdb) print pvp $5 = (struct vnode *) 0xc7b0ea8c (kgdb) print *pvp $6 = {v_interlock = {mtx_object = {lo_class = 0xc038f2a0, lo_name = 0xc0367c5d "vnode interlock", lo_type = 0xc0367c5d "vnode interlock", lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4, mtx_recurse = 0, mtx_blocked = {tqh_first = 0x0, tqh_last = 0xc7b0eab0}, mtx_contested = {le_next = 0x0, le_prev = 0x0}, mtx_acqtime = 0, mtx_filename = 0x0, mtx_lineno = 0}, v_iflag = 512, v_usecount = 1, v_numoutput = 0, v_vxproc = 0x0, v_holdcnt = 2, v_cleanblkhd = {tqh_first = 0x0, tqh_last = 0xc7b0eae4}, v_cleanblkroot = 0x0, v_dirtyblkhd = {tqh_first = 0xce594ec0, tqh_last = 0xce594f4c}, v_dirtyblkroot = 0xce594ec0, v_vflag = 0, v_writecount = 0, v_object = 0x0, v_lastw = 0, v_cstart = 0, v_lasta = 0, v_clen = 0, v_un = {vu_mountedhere = 0x0, vu_socket = 0x0, vu_spec = {vu_cdev = 0x0, vu_specnext = {sle_next = 0x0}}, vu_fifoinfo = 0x0}, v_freelist = {tqe_next = 0xc7d53384, tqe_prev = 0xc03c5174}, v_nmntvnodes = {tqe_next = 0xc7d53384, tqe_prev = 0xc67bcd8c}, v_synclist = {le_next = 0xc67bcce4, le_prev = 0xc7d53434}, v_type = VDIR, v_tag = 0xc0369ec6 "ufs", v_data = 0xc6475300, v_lock = {lk_interlock = 0xc03c1ab4, lk_flags = 16778304, lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 1, lk_prio = 80, lk_wmesg = 0xc0369ec6 "ufs", lk_timo = 6, lk_lockholder = 12154, lk_newlock = 0x0}, v_vnlock = 0xc7b0eb50, v_op = 
0xc403c100, v_mount = 0xc4514800, v_cache_src = {lh_first = 0xc61aff40}, v_cache_dst = {tqh_first = 0xc72cf100, tqh_last = 0xc72cf110}, v_id = 27432477, v_dd = 0xc552ace4, v_ddid = 27432291, v_pollinfo = 0x0, v_label = {l_flags = 0, l_perpolicy = {{l_ptr = 0x0, l_long = 0}, { l_ptr = 0x0, l_long = 0}, {l_ptr = 0x0, l_long = 0}, {l_ptr = 0x0, l_long = 0}}}, v_cachedfs = 1034, v_cachedid = 4294967295} (kgdb) print pip $7 = (struct inode *) 0x5 (kgdb) print *pip ---Can't read userspace from dump, or kernel process--- (kgdb) print fs $8 = (struct fs *) 0xc4304800 (kgdb) print *fs $9 = {fs_firstfield = 0, fs_unused_1 = 0, fs_sblkno = 8, fs_cblkno = 16, fs_iblkno = 24, fs_dblkno = 792, fs_old_cgoffset = 1024, fs_old_cgmask = -1, fs_old_time = 1038811783, fs_old_size = 28523391, fs_old_dsize = 28297588, fs_ncg = 288, fs_bsize = 16384, fs_fsize = 2048, fs_frag = 8, fs_minfree = 8, fs_old_rotdelay = 0, fs_old_rps = 60, fs_bmask = -16384, fs_fmask = -2048, fs_bshift = 14, fs_fshift = 11, fs_maxcontig = 7, fs_maxbpg = 4096, fs_fragshift = 3, fs_fsbtodb = 2, fs_sbsize = 2048, fs_spare1 = {-1024, 10}, fs_nindir = 4096, fs_inopb = 128, fs_old_nspf = 4, fs_optim = 0, fs_old_npsect = 4096, fs_old_interleave = 1, fs_old_trackskew = 0, fs_id = {852110010, 602686169}, fs_old_csaddr = 792, fs_cssize = 6144, fs_cgsize = 16384, fs_spare2 = 1, fs_old_nsect = 4096, fs_old_spc = 4096, fs_old_ncyl = 27855, fs_old_cpg = 97, fs_ipg = 12288, fs_fpg = 99328, fs_old_cstotal = {cs_ndir = 175477, cs_nbfree = 2335208, cs_nifree = 2455182, cs_nffree = 134981}, fs_fmod = 1 '\001', fs_clean = 0 '\0', fs_ronly = 0 '\0', fs_old_flags = -126 '\202', fs_fsmnt = "/mnt2", '\0' , fs_cgrotor = 33, fs_ocsp = {0x0 }, fs_contigdirs = 0xc418dc80 "", fs_csp = 0xc418c000, fs_maxcluster = 0xc418d800, fs_active = 0x0, fs_old_cpc = 0, fs_maxbsize = 16384, fs_sparecon64 = {0 }, fs_sblockloc = 8192, fs_cstotal = {cs_ndir = 200327, cs_nbfree = 2081558, cs_nifree = 2374747, cs_nffree = 165297, cs_numclusters = 0, cs_spare 
= {0, 0, 0}}, fs_time = 1039118152, fs_size = 28523391, fs_dsize = 28297588, fs_csaddr = 792, fs_pendingblocks = 14244, fs_pendinginodes = 61, fs_snapinum = { 0 }, fs_avgfilesize = 16384, fs_avgfpdir = 64, fs_save_cgsize = 0, fs_sparecon32 = {0 }, fs_flags = 2, fs_contigsumsize = 7, fs_maxsymlinklen = 60, fs_old_inodefmt = 2, fs_maxfilesize = 17592186044415, fs_qbmask = 16383, fs_qfmask = 2047, fs_state = 0, fs_old_postblformat = 1, fs_old_nrpos = 1, fs_spare5 = {0, 0}, fs_magic = 72020} (kgdb) Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-fs" in the body of the message