Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 14 Jun 2015 14:53:48 +0200
From:      Jeremie Le Hen <jlh@FreeBSD.org>
To:        freebsd-current@freebsd.org
Cc:        trasz@freebsd.org, Konstantin Belousov <kib@freebsd.org>, alc@freebsd.org
Subject:   Re: panic when RACCT_RSS still > 0 when struct racct destroyed
Message-ID:  <CAGSa5y2%2Ba8CDvY4MiBcfzMKR62GNgrcKF%2B7suZ5_6kqYwRhH=w@mail.gmail.com>
In-Reply-To: <CAGSa5y0p_tcDZ1twNVSR5yaL9q_yZY7aFWhCXUY_RC8oqVAQ8A@mail.gmail.com>
References:  <CAGSa5y0p_tcDZ1twNVSR5yaL9q_yZY7aFWhCXUY_RC8oqVAQ8A@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Sorry for the early sending in the previous email.

Hi all,

I keep getting the following panic from time to time:
% panic: destroying non-empty racct: 1142784 allocated for resource 4
%
% cpuid = 1
% KDB: stack backtrace:
% db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00e6240630
% vpanic() at vpanic+0x189/frame 0xfffffe00e62406b0
% kassert_panic() at kassert_panic+0x132/frame 0xfffffe00e6240720
% racct_destroy() at racct_destroy+0x96/frame 0xfffffe00e6240750
% uifree() at uifree+0x5e/frame 0xfffffe00e6240770
% crfree() at crfree+0x48/frame 0xfffffe00e6240790
% thread_wait() at thread_wait+0x8e/frame 0xfffffe00e62407b0
% proc_reap() at proc_reap+0x40e/frame 0xfffffe00e6240800
% proc_to_reap() at proc_to_reap+0x332/frame 0xfffffe00e6240850
% kern_wait6() at kern_wait6+0x1f7/frame 0xfffffe00e62408f0
% sys_wait4() at sys_wait4+0x73/frame 0xfffffe00e6240ae0
% amd64_syscall() at amd64_syscall+0x27f/frame 0xfffffe00e6240bf0
% Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe00e6240bf0

I had already reported this two years ago, but we couldn't find a solution:
https://lists.freebsd.org/pipermail/freebsd-current/2013-June/042528.html

Note that since then I spotted an instance of this which wasn't for a
jailed process.


I made a bit more research today on RACCT_RSS throughout the kernel
source.  It is only set using racct_set() from
- vmspace_container_set() but it only zero a couple of resources
- vm_daemon()

The first question, do you guys (kib, alc) think there could be a bug,
or rather a race, in there?


The other solution where the RSS resource can be modified is through:
- racct_proc_ucred_changed()
- racct_move()
- racct_proc_fork()

I think this is pretty much the surface through which the bug can arise.


In the thread pointed above, Edward advised me to create a rctl rule
to cause the uidinfo to be held, but this can happen with various
users (the last one with user 2 in the root jail).
Any idea what I could do to narrow the issue?

Cheers,
-- 
Jeremie Le Hen
jlh@FreeBSD.org



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAGSa5y2%2Ba8CDvY4MiBcfzMKR62GNgrcKF%2B7suZ5_6kqYwRhH=w>