Date:      Thu, 05 Dec 2002 17:35:46 -0800
From:      Kirk McKusick <mckusick@beastie.mckusick.com>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        Robert Watson <rwatson@tislabs.com>, fs@FreeBSD.ORG
Subject:   panic: ffs_vfree: range: dev = ad4s1c, ino = -1690809896, fs = /mnt2 
Message-ID:  <200212060135.gB61Zk59092119@beastie.mckusick.com>
In-Reply-To: Your message of "Thu, 05 Dec 2002 16:49:21 PST." <20021206004921.GB69174@rot13.obsecurity.org> 

Well it is not at all clear how the dirpref routine came up with
such an out of whack inode preference (2604157400 when the filesystem
has only 3538944 inodes), but the following fix should catch it and
make it harmless. I have submitted the patch to release engineering.

	Kirk McKusick

=-=-=-=-=

Index: ffs_alloc.c
===================================================================
RCS file: /usr/ncvs/src/sys/ufs/ffs/ffs_alloc.c,v
retrieving revision 1.102
diff -c -r1.102 ffs_alloc.c
*** ffs_alloc.c	2002/09/19 03:55:30	1.102
--- ffs_alloc.c	2002/12/06 01:15:50
***************
*** 841,847 ****
  		ipref = ffs_dirpref(pip);
  	else
  		ipref = pip->i_number;
! 	if (ipref >= fs->fs_ncg * fs->fs_ipg)
  		ipref = 0;
  	cg = ino_to_cg(fs, ipref);
  	/*
--- 841,847 ----
  		ipref = ffs_dirpref(pip);
  	else
  		ipref = pip->i_number;
! 	if ((unsigned)ipref >= fs->fs_ncg * fs->fs_ipg)
  		ipref = 0;
  	cg = ino_to_cg(fs, ipref);
  	/*
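
Review bot: The changed test, if ((unsigned)ipref >= fs->fs_ncg * fs->fs_ipg), needs a comment saying which out-of-range values the cast is meant to catch, and the ipref = 0 fallback under it should report the rejected value (a printf or a diagnostic assertion) instead of discarding it, since the message above says the source of the bad preference is still unknown. The declaration of ipref is outside this hunk: if it is already an unsigned 32-bit type the cast changes nothing, so that is worth confirming before relying on this check. The kgdb output further down prints ipref = 0 and ino = 2604157400 at ffs_alloc.c:864, so a matching range check on ino before UFS_VFREE(pvp, ino, mode) would cover the value that actually reached ffs_vfree.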

=-=-=-=-=

Date: Thu, 5 Dec 2002 16:49:21 -0800
From: Kris Kennaway <kris@obsecurity.org>
To: Kirk McKusick <mckusick@beastie.mckusick.com>
Cc: Kris Kennaway <kris@obsecurity.org>, Robert Watson <rwatson@tislabs.com>,
   fs@FreeBSD.ORG
Subject: panic: ffs_vfree: range: dev = ad4s1c, ino = -1690809896, fs = /mnt2
X-ASK-Info: Whitelist match

On Thu, Dec 05, 2002 at 04:43:32PM -0800, Kirk McKusick wrote:
> Do you still have this crash dump available? The back trace looks
> "impossible". The call to ffs_vfree at line #16 below shows pvp=0
> and ino=0. Inspection of the code shows this to be impossible
> as three lines above the call to ffs_vfree is a check for ino == 0
> which takes a different path. The call to softdep_freefile at #15
> uses the passed in value of ino, yet shows ino=2604157400. So I
> have no idea what is really going on here. I am guessing that gdb
> must be lying about the values. Alternatively your kernel stack is
> somehow getting trashed. At any rate, if you still have the dump
> available, it would be useful to send me the output from the
> following gdb commands:
> 
> frame 17
> print error
> print ino
> print ipref
> print cg
> print pvp
> print *pvp
> print pip
> print *pip
> print fs
> print *fs

(kgdb) frame 17                                                                                  
#17 0xc02aa604 in ffs_valloc (pvp=0xc7b0ea8c, mode=16832, cred=0xc710fe80, vpp=0xdc06aa54)
    at ../../../ufs/ffs/ffs_alloc.c:864
864                     UFS_VFREE(pvp, ino, mode);
(kgdb) print error                                                                               
$1 = 5
(kgdb) print ino                                                                                 
$2 = 2604157400
(kgdb) print ipref                                                                               
$3 = 0
(kgdb) print cg                                                                                  
$4 = 16832
(kgdb) print pvp                                                                                 
$5 = (struct vnode *) 0xc7b0ea8c
(kgdb) print *pvp                                                                                
$6 = {v_interlock = {mtx_object = {lo_class = 0xc038f2a0,
      lo_name = 0xc0367c5d "vnode interlock", lo_type = 0xc0367c5d "vnode interlock",
      lo_flags = 196608, lo_list = {tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0},
    mtx_lock = 4, mtx_recurse = 0, mtx_blocked = {tqh_first = 0x0, tqh_last = 0xc7b0eab0},
    mtx_contested = {le_next = 0x0, le_prev = 0x0}, mtx_acqtime = 0, mtx_filename = 0x0,
    mtx_lineno = 0}, v_iflag = 512, v_usecount = 1, v_numoutput = 0, v_vxproc = 0x0,
  v_holdcnt = 2, v_cleanblkhd = {tqh_first = 0x0, tqh_last = 0xc7b0eae4}, v_cleanblkroot = 0x0,
  v_dirtyblkhd = {tqh_first = 0xce594ec0, tqh_last = 0xce594f4c}, v_dirtyblkroot = 0xce594ec0,
  v_vflag = 0, v_writecount = 0, v_object = 0x0, v_lastw = 0, v_cstart = 0, v_lasta = 0,
  v_clen = 0, v_un = {vu_mountedhere = 0x0, vu_socket = 0x0, vu_spec = {vu_cdev = 0x0,
      vu_specnext = {sle_next = 0x0}}, vu_fifoinfo = 0x0}, v_freelist = {tqe_next = 0xc7d53384,
    tqe_prev = 0xc03c5174}, v_nmntvnodes = {tqe_next = 0xc7d53384, tqe_prev = 0xc67bcd8c},
  v_synclist = {le_next = 0xc67bcce4, le_prev = 0xc7d53434}, v_type = VDIR,
  v_tag = 0xc0369ec6 "ufs", v_data = 0xc6475300, v_lock = {lk_interlock = 0xc03c1ab4,
    lk_flags = 16778304, lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 1,
    lk_prio = 80, lk_wmesg = 0xc0369ec6 "ufs", lk_timo = 6, lk_lockholder = 12154,
    lk_newlock = 0x0}, v_vnlock = 0xc7b0eb50, v_op = 0xc403c100, v_mount = 0xc4514800,
  v_cache_src = {lh_first = 0xc61aff40}, v_cache_dst = {tqh_first = 0xc72cf100,
    tqh_last = 0xc72cf110}, v_id = 27432477, v_dd = 0xc552ace4, v_ddid = 27432291,
  v_pollinfo = 0x0, v_label = {l_flags = 0, l_perpolicy = {{l_ptr = 0x0, l_long = 0}, {
        l_ptr = 0x0, l_long = 0}, {l_ptr = 0x0, l_long = 0}, {l_ptr = 0x0, l_long = 0}}},
  v_cachedfs = 1034, v_cachedid = 4294967295}
(kgdb) print pip                                                                                 
$7 = (struct inode *) 0x5
(kgdb) print *pip                                                                                
---Can't read userspace from dump, or kernel process---

(kgdb) print fs                                                                                  
$8 = (struct fs *) 0xc4304800
(kgdb) print *fs
$9 = {fs_firstfield = 0, fs_unused_1 = 0, fs_sblkno = 8, fs_cblkno = 16, fs_iblkno = 24,
  fs_dblkno = 792, fs_old_cgoffset = 1024, fs_old_cgmask = -1, fs_old_time = 1038811783,
  fs_old_size = 28523391, fs_old_dsize = 28297588, fs_ncg = 288, fs_bsize = 16384,
  fs_fsize = 2048, fs_frag = 8, fs_minfree = 8, fs_old_rotdelay = 0, fs_old_rps = 60,
  fs_bmask = -16384, fs_fmask = -2048, fs_bshift = 14, fs_fshift = 11, fs_maxcontig = 7,
  fs_maxbpg = 4096, fs_fragshift = 3, fs_fsbtodb = 2, fs_sbsize = 2048, fs_spare1 = {-1024,
    10}, fs_nindir = 4096, fs_inopb = 128, fs_old_nspf = 4, fs_optim = 0, fs_old_npsect = 4096,
  fs_old_interleave = 1, fs_old_trackskew = 0, fs_id = {852110010, 602686169},
  fs_old_csaddr = 792, fs_cssize = 6144, fs_cgsize = 16384, fs_spare2 = 1, fs_old_nsect = 4096,
  fs_old_spc = 4096, fs_old_ncyl = 27855, fs_old_cpg = 97, fs_ipg = 12288, fs_fpg = 99328,
  fs_old_cstotal = {cs_ndir = 175477, cs_nbfree = 2335208, cs_nifree = 2455182,
    cs_nffree = 134981}, fs_fmod = 1 '\001', fs_clean = 0 '\0', fs_ronly = 0 '\0',
  fs_old_flags = -126 '\202', fs_fsmnt = "/mnt2", '\0' <repeats 506 times>, fs_cgrotor = 33,
  fs_ocsp = {0x0 <repeats 28 times>}, fs_contigdirs = 0xc418dc80 "", fs_csp = 0xc418c000,
  fs_maxcluster = 0xc418d800, fs_active = 0x0, fs_old_cpc = 0, fs_maxbsize = 16384,
  fs_sparecon64 = {0 <repeats 17 times>}, fs_sblockloc = 8192, fs_cstotal = {cs_ndir = 200327,
    cs_nbfree = 2081558, cs_nifree = 2374747, cs_nffree = 165297, cs_numclusters = 0,
    cs_spare = {0, 0, 0}}, fs_time = 1039118152, fs_size = 28523391, fs_dsize = 28297588,
  fs_csaddr = 792, fs_pendingblocks = 14244, fs_pendinginodes = 61, fs_snapinum = {
    0 <repeats 20 times>}, fs_avgfilesize = 16384, fs_avgfpdir = 64, fs_save_cgsize = 0,
  fs_sparecon32 = {0 <repeats 26 times>}, fs_flags = 2, fs_contigsumsize = 7,
  fs_maxsymlinklen = 60, fs_old_inodefmt = 2, fs_maxfilesize = 17592186044415,
  fs_qbmask = 16383, fs_qfmask = 2047, fs_state = 0, fs_old_postblformat = 1, fs_old_nrpos = 1,
  fs_spare5 = {0, 0}, fs_magic = 72020}
(kgdb)

Kris
