From owner-freebsd-bugs@FreeBSD.ORG Tue Jan 2 20:30:17 2007
Message-Id: <200701022021.l02KLXkf001599@grosbein.pp.ru>
Date: Wed, 3 Jan 2007 03:21:33 +0700 (KRAT)
From: Eugene Grosbein
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/107439: 6.2-PRE repeatable panic: userret: Returning with 1 locks held

>Number:         107439
>Category:       kern
>Synopsis:       6.2-PRE repeatable panic: userret: Returning with 1 locks held
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 02 20:30:16 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 6.2-PRERELEASE i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD grosbein.pp.ru 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #7: Wed Jan 3 02:16:56 KRAT 2007 eu@grosbein.pp.ru:/mnt/home/obj/usr/local/src/sys/DADV i386

GENERIC kernel plus options INVARIANTS/INVARIANT_SUPPORT

>Description:
An attempt to move a file from r/w mounted NTFS to UFS produces a deadlock
on UFS when the kernel is compiled without INVARIANTS, or an immediate panic
with INVARIANTS.

>How-To-Repeat:
I'll show how to reproduce this with file systems mounted using
file-backed md devices; however, this problem exists for "real"
file systems too.

Feel free to fetch http://www.grosbein.pp.ru/panic/ntfs.img.gz
This is a compressed (152KB) image of an NTFS (8Mb) made with
Windows XP Professional Service Pack 2 (or you may use another NTFS
if you have one).

Then make a new UFS to play with. I do not recommend using a real UFS:
it will be locked and a clean unmount will be impossible. Again, you may
start doing this in single mode without extra FS mounted and
processes running.
Now do:

	dd if=/dev/zero of=ufs.img bs=1m count=1
	mdufs=/dev/`mdconfig -a -t vnode -f ufs.img`
	newfs $mdufs
	mdntfs=/dev/`mdconfig -a -t vnode -f ntfs.img`
	mkdir -p /mnt/ufs /mnt/ntfs
	mount $mdufs /mnt/ufs
	mount_ntfs $mdntfs /mnt/ntfs

Now you have NTFS mounted r/w in /mnt/ntfs and UFS mounted r/w in /mnt/ufs.
Now do:

	mv /mnt/ntfs/file /mnt/ufs/

If your kernel was compiled without INVARIANTS, you'll get
'Operation not supported' and the system will continue to run, but
any process trying to read from /mnt/ufs (including ls -l /mnt/ufs)
will lock with uninterruptible disk I/O and will be unkillable even
with kill -9.

For a kernel with INVARIANTS (including GENERIC plus this option)
you'll get a kernel panic immediately. Sadly, the crashdump always contains
a corrupted stack, whether it was compiled with debug info or not.

Here is an attempt to get a backtrace (I used 'set hw.physmem=33554432'
at the boot loader prompt, or else it does not finish the crashdump for all my
1024MB of RAM for an unknown reason):

panic: userret: Returning with 1 locks held.
cpuid = 0
KDB: stack backtrace:
kdb_backtrace(c0740077,0,c07214ce,c4b19cbc,c1addc00,...) at 0xc0544a83 = kdb_backtrace+0x2f
panic(c07214ce,1,c0596fbf,c1addc00,2d,...) at 0xc0527eb1 = panic+0x129
userret(c1addc00,c4b19d38,1,280bf000,2,...) at 0xc054da0d = userret+0xf5
syscall(3b,3b,3b,bfbfee53,bfbfe8f0,...) at 0xc06e06ea = syscall+0x371
Xint0x80_syscall() at 0xc06ca1ff = Xint0x80_syscall+0x1f
--- syscall (45, FreeBSD ELF32, ktrace), eip = 0x280bf94b, esp = 0xbfbfe21c, ebp = 0xbfbfe8a8 ---
Uptime: 5m49s
Dumping 31 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 31MB (7936 pages) 16

#0  doadump () at pcpu.h:165
165		__asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc0527ba0 in boot (howto=260)
    at /usr/local/src/sys/kern/kern_shutdown.c:409
	first_buf_printf = 1
#2  0xc0527f2d in panic (
    fmt=0xc07214ce "userret: Returning with %d locks held.")
    at /usr/local/src/sys/kern/kern_shutdown.c:565
	td = (struct thread *) 0xc1addc00
	bootopt = 260
	newpanic = 1
	ap = 0xc4b19cbc "\001"
	buf = "userret: Returning with 1 locks held.", '\0'
#3  0xc054da0d in userret (td=0xc1addc00, frame=0xc4b19d38, oticks=1)
    at /usr/local/src/sys/kern/subr_trap.c:140
	p = (struct proc *) 0xc1adc430
#4  0xc06e06ea in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077940653, tf_esi = -1077942032, tf_ebp = -1077942104, tf_isp = -994992796, tf_ebx = -1077940653, tf_edx = -1, tf_ecx = 2, tf_eax = 45, tf_trapno = 12, tf_err = 2, tf_eip = 671873355, tf_cs = 51, tf_eflags = 647, tf_esp = -1077943780, tf_ss = 59})
    at /usr/local/src/sys/i386/i386/trap.c:1034
	params = 0xbfbfe220
---Type <return> to continue, or q <return> to quit---
	callp = (struct sysent *) 0xc0756be0
	td = (struct thread *) 0xc1addc00
	p = (struct proc *) 0xc1adc430
	orig_tf_eflags = 646
	sticks = 1
	error = 45
	narg = 2
	args = {-1077940653, -1077942032, 654, 671873348, 12, 0, 1, -1045576656}
	code = 128
#5  0xc06ca1ff in Xint0x80_syscall ()
    at /usr/local/src/sys/i386/i386/exception.s:200
No locals.
#6  0x00000033 in ?? ()
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)

>Fix:
Unknown. The workaround is to always mount NTFS read-only.

Eugene Grosbein
>Release-Note:
>Audit-Trail:
>Unformatted:
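
A non-blocking check for the hang described in the report above (an added example, not part of the original report or of FreeBSD): the probe runs in the background and the caller only polls a marker file, so the monitoring shell never enters the uninterruptible wait itself. The function name probe_mount, its timeout argument and the optional substitute command are assumptions of this example.

```sh
#!/bin/sh
# probe_mount DIR [SECONDS [COMMAND...]]
#   Runs "ls -l DIR" (or COMMAND, a hypothetical hook used for testing)
#   in the background and waits at most SECONDS (default 5) for it.
#   Returns 0 if the probe finished, 1 if it is still running (possible
#   hang), 2 on usage or setup errors.
probe_mount() {
    [ $# -ge 1 ] || return 2
    probe_target=$1
    probe_limit=${2:-5}
    if [ $# -ge 2 ]; then shift 2; else shift; fi
    if [ $# -eq 0 ]; then set -- ls -l "$probe_target"; fi

    # The marker lives outside the probed file system on purpose.
    probe_dir=$(mktemp -d "${TMPDIR:-/tmp}/probe.XXXXXX") || return 2

    # The child touches the marker once the probe command returns,
    # whatever its exit status; a hung probe never gets that far.
    ( "$@" || true; : > "$probe_dir/done" ) >/dev/null 2>&1 &

    probe_waited=0
    probe_status=1
    while [ "$probe_waited" -lt "$probe_limit" ]; do
        if [ -e "$probe_dir/done" ]; then probe_status=0; break; fi
        sleep 1
        probe_waited=$((probe_waited + 1))
    done
    # Final look, in case the probe finished during the last sleep.
    if [ -e "$probe_dir/done" ]; then probe_status=0; fi

    rm -rf "$probe_dir"
    return "$probe_status"
}

# Stand-alone use: sh probe.sh /mnt/ufs 5
if [ $# -gt 0 ]; then
    if probe_mount "$@"; then
        echo "$1: responsive"
    else
        echo "$1: no answer within the time limit, possible hang"
    fi
fi
```

A probe that does hang stays behind as a stuck process, since the report notes such processes cannot be killed even with kill -9.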