Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 25 Jan 2015 14:06:48 +0200
From:      Konstantin Belousov <kostikbel@gmail.com>
To:        Chagin Dmitry <dchagin@freebsd.org>
Cc:        freebsd-current@freebsd.org, dim@freebsd.org
Subject:   Re: dblfault panic r277611
Message-ID:  <20150125120648.GX42409@kib.kiev.ua>
In-Reply-To: <20150124194245.GA72881@dchagin.static.corbina.net>
References:  <20150124094633.GA1804@dchagin.static.corbina.net> <20150124103519.GR42409@kib.kiev.ua> <20150124194245.GA72881@dchagin.static.corbina.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Jan 24, 2015 at 10:42:45PM +0300, Chagin Dmitry wrote:
> On Sat, Jan 24, 2015 at 12:35:19PM +0200, Konstantin Belousov wrote:
> > On Sat, Jan 24, 2015 at 12:46:33PM +0300, Chagin Dmitry wrote:
> > > Hi,
> > > 
> > > 
> > > dchagin.static.corbina.net dumped core - see /var/crash/vmcore.7
> > > 
> > > Sat Jan 24 01:02:20 MSK 2015
> > > 
> > > FreeBSD dchagin.static.corbina.net 11.0-CURRENT FreeBSD 11.0-CURRENT #2 r277611+c41ef74(lemul): Sat Jan 24 00:53:45 MSK 2015     root@dchagin.static.corbina.net:/home/rootobj/home/git/head/sys/YOY  amd64
> > > 
> > > panic: double fault
> > > 
> > > GNU gdb 6.1.1 [FreeBSD]
> > > Copyright 2004 Free Software Foundation, Inc.
> > > GDB is free software, covered by the GNU General Public License, and you are
> > > welcome to change it and/or distribute copies of it under certain conditions.
> > > Type "show copying" to see the conditions.
> > > There is absolutely no warranty for GDB.  Type "show warranty" for details.
> > > This GDB was configured as "amd64-marcel-freebsd"...
> > > 
> > > Unread portion of the kernel message buffer:
> > > ffs_syncvnode+0x3b0/frame 0xfffffe033c22bd50
> > > ffs_truncate() at ffs_truncate+0xc6a/frame 0xfffffe033c22c150
> > > ufs_direnter() at ufs_direnter+0xde5/frame 0xfffffe033c22c280
> > > ufs_mkdir() at ufs_mkdir+0xb07/frame 0xfffffe033c22c4a0
> > > 
> > > Fatal double fault
> > > rip = 0xffffffff807a8d03
> > > rsp = 0xfffffe033c228e60
> > > rbp = 0xfffffe033c229000
> > > cpuid = 5; apic id = 05
> > > panic: double fault
> > > cpuid = 5
> > > KDB: enter: panic
> > > 
> > > Reading symbols from /boot/kernel/if_tap.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/if_tap.ko.symbols
> > > Reading symbols from /boot/kernel/if_bridge.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/if_bridge.ko.symbols
> > > Reading symbols from /boot/kernel/bridgestp.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/bridgestp.ko.symbols
> > > Reading symbols from /boot/kernel/usb.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/usb.ko.symbols
> > > Reading symbols from /boot/kernel/xhci.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/xhci.ko.symbols
> > > Reading symbols from /boot/kernel/vmm.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/vmm.ko.symbols
> > > Reading symbols from /boot/kernel/nmdm.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/nmdm.ko.symbols
> > > Reading symbols from /boot/kernel/linprocfs.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/linprocfs.ko.symbols
> > > Reading symbols from /boot/kernel/pseudofs.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/pseudofs.ko.symbols
> > > Reading symbols from /boot/kernel/linux_common.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/linux_common.ko.symbols
> > > Reading symbols from /boot/kernel/procfs.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/procfs.ko.symbols
> > > Reading symbols from /boot/kernel/ukbd.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/ukbd.ko.symbols
> > > Reading symbols from /boot/kernel/ums.ko.symbols...done.
> > > Loaded symbols for /boot/kernel/ums.ko.symbols
> > > #0  doadump (textdump=771179792)
> > >     at /home/git/head/sys/kern/kern_shutdown.c:262
> > > 262		dumptid = curthread->td_tid;
> > > (kgdb) #0  doadump (textdump=771179792)
> > >     at /home/git/head/sys/kern/kern_shutdown.c:262
> > > #1  0xffffffff803c1b08 in db_fncall_generic (addr=-2139713712, 
> > >     rv=0xfffffe032df744a0, nargs=0, args=0xfffffe032df744b0)
> > >     at /home/git/head/sys/ddb/db_command.c:568
> > > #2  0xffffffff803c17d3 in db_fncall (dummy1=-2185367173664, dummy2=0, 
> > >     dummy3=0, dummy4=0xfffffe032df745e0 "\n")
> > >     at /home/git/head/sys/ddb/db_command.c:616
> > > #3  0xffffffff803c142b in db_command (last_cmdp=0xffffffff810fd6a8, 
> > >     cmd_table=0x0, dopager=1) at /home/git/head/sys/ddb/db_command.c:440
> > > #4  0xffffffff803c0f9d in db_command_loop ()
> > >     at /home/git/head/sys/ddb/db_command.c:493
> > > #5  0xffffffff803c58d9 in db_trap (type=3, code=0)
> > >     at /home/git/head/sys/ddb/db_main.c:251
> > > #6  0xffffffff807cc704 in kdb_trap (type=3, code=0, tf=0xfffffe032df74cc0)
> > >     at /home/git/head/sys/kern/subr_kdb.c:654
> > > #7  0xffffffff80c94e1d in trap (frame=0xfffffe032df74cc0)
> > >     at /home/git/head/sys/amd64/amd64/trap.c:546
> > > #8  0xffffffff80c9655f in trap_check (frame=0xfffffe032df74cc0)
> > >     at /home/git/head/sys/amd64/amd64/trap.c:645
> > > #9  0xffffffff80c691a2 in calltrap ()
> > >     at /home/git/head/sys/amd64/amd64/exception.S:235
> > > #10 0xffffffff807cbf15 in breakpoint () at cpufunc.h:63
> > > #11 0xffffffff807cbaff in kdb_enter (why=0xffffffff80dcd635 "panic", 
> > >     msg=0xffffffff80dcd635 "panic") at /home/git/head/sys/kern/subr_kdb.c:443
> > > #12 0xffffffff80769768 in vpanic (fmt=0xffffffff80e24597 "double fault", 
> > >     ap=0xfffffe032df74ec0) at /home/git/head/sys/kern/kern_shutdown.c:740
> > > #13 0xffffffff80769820 in panic (fmt=0xffffffff80e24597 "double fault")
> > >     at /home/git/head/sys/kern/kern_shutdown.c:676
> > > #14 0xffffffff80c9667d in dblfault_handler (frame=0xfffffe032df74f40)
> > >     at /home/git/head/sys/amd64/amd64/trap.c:912
> > > #15 0xffffffff80c6929c in Xdblfault ()
> > >     at /home/git/head/sys/amd64/amd64/exception.S:291
> > > #16 0xffffffff807a8d03 in cpu_search_lowest (cg=Cannot access memory at address 0xfffffe033c228ec8
> > > )
> > >     at /home/git/head/sys/kern/sched_ule.c:764
> > > #17 0xffffffff807a9094 in cpu_search_lowest (cg=0xffffffff8128a6e8, 
> > >     low=0xfffffe033c2292f8) at /home/git/head/sys/kern/sched_ule.c:690
> > > #18 0xffffffff807a9094 in cpu_search_lowest (cg=0xffffffff8128a6b0, 
> > >     low=0xfffffe033c229380) at /home/git/head/sys/kern/sched_ule.c:690
> > > #19 0xffffffff807b0f56 in sched_lowest (cg=0xffffffff8128a6b0, mask=
> > >         {__bits = {255, 0, 0, 0}}, pri=121, maxload=2147483647, prefer=5)
> > >     at /home/git/head/sys/kern/sched_ule.c:796
> > > #20 0xffffffff807abcdb in sched_pickcpu (td=0xfffff80009e5a9a0, flags=0)
> > >     at /home/git/head/sys/kern/sched_ule.c:1276
> > > #21 0xffffffff807ace35 in sched_add (td=0xfffff80009e5a9a0, flags=0)
> > >     at /home/git/head/sys/kern/sched_ule.c:2395
> > > #22 0xffffffff807acac9 in sched_wakeup (td=0xfffff80009e5a9a0)
> > >     at /home/git/head/sys/kern/sched_ule.c:2029
> > > #23 0xffffffff8077d6a8 in setrunnable (td=0xfffff80009e5a9a0)
> > >     at /home/git/head/sys/kern/kern_synch.c:544
> > > #24 0xffffffff807e4e98 in sleepq_resume_thread (sq=0xfffff80009e55d80, 
> > >     td=0xfffff80009e5a9a0, pri=0)
> > >     at /home/git/head/sys/kern/subr_sleepqueue.c:776
> > > #25 0xffffffff807e306a in sleepq_timeout (arg=0xfffff80009e5a9a0)
> > >     at /home/git/head/sys/kern/subr_sleepqueue.c:915
> > > #26 0xffffffff80791b40 in softclock_call_cc (c=0xfffff80009e5ad38, 
> > >     cc=0xffffffff813a4200, direct=1)
> > >     at /home/git/head/sys/kern/kern_timeout.c:724
> > > #27 0xffffffff807913bd in callout_process (now=740683739317)
> > >     at /home/git/head/sys/kern/kern_timeout.c:499
> > > #28 0xffffffff80ce346a in handleevents (now=740683739317, fake=0)
> > >     at /home/git/head/sys/kern/kern_clocksource.c:212
> > > #29 0xffffffff80ce3fd6 in timercb (et=0xffffffff8137df68, arg=0x0)
> > >     at /home/git/head/sys/kern/kern_clocksource.c:345
> > > #30 0xffffffff80d376e3 in lapic_handle_timer (frame=0xfffffe033c229c50)
> > >     at /home/git/head/sys/x86/x86/local_apic.c:883
> > > #31 0xffffffff80c69cfc in Xtimerint () at apic_vector.S:109
> > > #32 0xffffffff80c745ef in write_rflags (rf=642) at cpufunc.h:382
> > > #33 0xffffffff80c6f225 in intr_restore (rflags=642) at cpufunc.h:775
> > > #34 0xffffffff80c71ce8 in spinlock_exit ()
> > >     at /home/git/head/sys/amd64/amd64/machdep.c:2177
> > > #35 0xffffffff8074335c in __mtx_unlock_spin_flags (c=0xffffffff8119ec80, 
> > >     opts=0, file=0xffffffff80dc3d2b "/home/git/head/sys/kern/kern_cons.c", 
> > >     line=530) at /home/git/head/sys/kern/kern_mutex.c:305
> > > #36 0xffffffff806df9fc in cnputs (p=0xfffffe033c22a402 "\"<\003þÿÿ")
> > >     at /home/git/head/sys/kern/kern_cons.c:530
> > > #37 0xffffffff807d76ae in putbuf (c=10, ap=0xfffffe033c22a3b8)
> > >     at /home/git/head/sys/kern/subr_prf.c:427
> > > #38 0xffffffff807d60d6 in putchar (c=10, arg=0xfffffe033c22a3b8)
> > >     at /home/git/head/sys/kern/subr_prf.c:471
> > > #39 0xffffffff807d43e3 in kvprintf (fmt=0xffffffff80d77b33 "", 
> > >     func=0xffffffff807d6010 <putchar>, arg=0xfffffe033c22a3b8, radix=10, 
> > >     ap=0xfffffe033c22a510) at /home/git/head/sys/kern/subr_prf.c:720
> > > #40 0xffffffff807d6569 in _vprintf (level=-1, flags=5, 
> > >     fmt=0xffffffff80d77b31 "%c", ap=0xfffffe033c22a510)
> > >     at /home/git/head/sys/kern/subr_prf.c:271
> > > #41 0xffffffff807d68dd in vprintf (fmt=0xffffffff80d77b31 "%c", 
> > >     ap=0xfffffe033c22a510) at /home/git/head/sys/kern/subr_prf.c:388
> > > #42 0xffffffff807d689b in printf (fmt=0xffffffff80d77b31 "%c")
> > >     at /home/git/head/sys/kern/subr_prf.c:377
> > > #43 0xffffffff803c5d55 in db_putc (c=10)
> > >     at /home/git/head/sys/ddb/db_output.c:156
> > > #44 0xffffffff803c5b21 in db_putchar (c=10, arg=0xfffffe033c22aad8)
> > >     at /home/git/head/sys/ddb/db_output.c:128
> > > #45 0xffffffff807d3b65 in kvprintf (fmt=0xffffffff80d8090f "", 
> > >     func=0xffffffff803c5af0 <db_putchar>, arg=0xfffffe033c22aad8, radix=16, 
> > >     ap=0xfffffe033c22aac0) at /home/git/head/sys/kern/subr_prf.c:645
> > > #46 0xffffffff803c5ad8 in db_printf (fmt=0xffffffff80d8090e "\n")
> > >     at /home/git/head/sys/ddb/db_output.c:340
> > > #47 0xffffffff80c67f73 in db_print_stack_entry (
> > >     name=0xffffffff815c8262 "ufs_mkdir", narg=0, argnp=0x0, 
> > >     argp=0xfffffe033c22c4b0, callpc=18446744071574694567, 
> > >     frame=0xfffffe033c22c4a0) at /home/git/head/sys/amd64/amd64/db_trace.c:260
> > > #48 0xffffffff80c66f3b in db_backtrace (td=0xfffff801ad926000, tf=0x0, 
> > >     frame=0xfffffe033c22c4a0, pc=18446744071574694567, count=1005)
> > >     at /home/git/head/sys/amd64/amd64/db_trace.c:462
> > > #49 0xffffffff80c66bdf in db_trace_self ()
> > >     at /home/git/head/sys/amd64/amd64/db_trace.c:498
> > > #50 0xffffffff803c568e in db_trace_self_wrapper ()
> > >     at /home/git/head/sys/ddb/db_main.c:268
> > > #51 0xffffffff807cbcd8 in kdb_backtrace ()
> > >     at /home/git/head/sys/kern/subr_kdb.c:370
> > > #52 0xffffffff807fe924 in _witness_debugger (cond=1, 
> > >     msg=0xffffffff80dd6e29 "witness_checkorder")
> > >     at /home/git/head/sys/kern/subr_witness.c:2904
> > > #53 0xffffffff807fe2de in witness_checkorder (lock=0xfffff80193effd50, 
> > >     flags=9, file=0xffffffff80ddfb99 "/home/git/head/sys/kern/vfs_subr.c", 
> > >     line=2164, interlock=0xfffff80193effd80)
> > >     at /home/git/head/sys/kern/subr_witness.c:1365
> > > #54 0xffffffff80730d65 in __lockmgr_args (lk=0xfffff80193effd50, 
> > >     flags=524544, ilk=0xfffff80193effd80, wmesg=0x0, pri=0, timo=0, 
> > >     file=0xffffffff80ddfb99 "/home/git/head/sys/kern/vfs_subr.c", line=2164)
> > >     at /home/git/head/sys/kern/kern_lock.c:756
> > > #55 0xffffffff80bf1438 in _lockmgr_args (lk=0xfffff80193effd50, flags=524544, 
> > >     ilk=0xfffff80193effd80, wmesg=0x0, prio=0, timo=0, 
> > >     file=0xffffffff80ddfb99 "/home/git/head/sys/kern/vfs_subr.c", line=2164)
> > >     at lockmgr.h:98
> > > #56 0xffffffff80bef677 in ffs_lock (ap=0xfffffe033c22b7c8)
> > >     at /home/git/head/sys/ufs/ffs/ffs_vnops.c:385
> > > #57 0xffffffff80d47cd4 in VOP_LOCK1_APV (vop=0xffffffff810cd328, 
> > >     a=0xfffffe033c22b7c8) at vnode_if.c:2082
> > > #58 0xffffffff808ac2f3 in VOP_LOCK1 (vp=0xfffff80193effce8, flags=524544, 
> > >     file=0xffffffff80ddfb99 "/home/git/head/sys/kern/vfs_subr.c", line=2164)
> > >     at vnode_if.h:859
> > > #59 0xffffffff808aa122 in _vn_lock (vp=0xfffff80193effce8, flags=524544, 
> > >     file=0xffffffff80ddfb99 "/home/git/head/sys/kern/vfs_subr.c", line=2164)
> > >     at /home/git/head/sys/kern/vfs_vnops.c:1531
> > > #60 0xffffffff8088d636 in vget (vp=0xfffff80193effce8, flags=524544, 
> > >     td=0xfffff801ad926000) at /home/git/head/sys/kern/vfs_subr.c:2164
> > > #61 0xffffffff8087884f in vfs_hash_get (mp=0xfffff80009db2000, hash=71269052, 
> > >     flags=524288, td=0xfffff801ad926000, vpp=0xfffffe033c22bb40, fn=0, 
> > >     arg=0x0) at /home/git/head/sys/kern/vfs_hash.c:89
> > > #62 0xffffffff80be7969 in ffs_vgetf (mp=0xfffff80009db2000, ino=71269052, 
> > >     flags=524288, vpp=0xfffffe033c22bb40, ffs_flags=1)
> > >     at /home/git/head/sys/ufs/ffs/ffs_vfsops.c:1636
> > > #63 0xffffffff80bd1d02 in flush_pagedep_deps (pvp=0xfffff80193c8d588, 
> > >     mp=0xfffff80009db2000, diraddhdp=0xfffff80193769b58)
> > >     at /home/git/head/sys/ufs/ffs/ffs_softdep.c:12929
> > > #64 0xffffffff80bd182c in softdep_sync_buf (vp=0xfffff80193c8d588, 
> > >     bp=0xfffffe02d6a8d6d0, waitfor=1)
> > >     at /home/git/head/sys/ufs/ffs/ffs_softdep.c:12621
> > > #65 0xffffffff80bf0d40 in ffs_syncvnode (vp=0xfffff80193c8d588, waitfor=1, 
> > >     flags=0) at /home/git/head/sys/ufs/ffs/ffs_vnops.c:280
> > > #66 0xffffffff80babd9a in ffs_truncate (vp=0xfffff80193c8d588, length=512, 
> > >     flags=2176, cred=0xfffff80009c52b00)
> > >     at /home/git/head/sys/ufs/ffs/ffs_inode.c:339
> > > #67 0xffffffff80bfd315 in ufs_direnter (dvp=0xfffff80193c8d588, 
> > >     tvp=0xfffff80193effce8, dirp=0xfffffe033c22c390, cnp=0xfffffe033c22c720, 
> > >     newdirbp=0xfffffe02d66d7db0, isrename=0)
> > >     at /home/git/head/sys/ufs/ufs/ufs_lookup.c:1133
> > > #68 0xffffffff80c0aaa7 in ufs_mkdir (ap=0xfffffe033c22c558)
> > >     at /home/git/head/sys/ufs/ufs/ufs_vnops.c:1963
> > > #69 0xffffffff80d460fd in VOP_MKDIR_APV (vop=0xffffffff810cddd8, 
> > >     a=0xfffffe033c22c558) at vnode_if.c:1607
> > > #70 0xffffffff808a5979 in VOP_MKDIR (dvp=0xfffff80193c8d588, 
> > >     vpp=0xfffffe033c22c6f8, cnp=0xfffffe033c22c720, vap=0xfffffe033c22c768)
> > >     at vnode_if.h:665
> > > #71 0xffffffff808a585c in kern_mkdirat (td=0xfffff801ad926000, fd=-100, 
> > >     path=0x7fffffffe949 <Address 0x7fffffffe949 out of bounds>, 
> > >     segflg=UIO_USERSPACE, mode=511)
> > >     at /home/git/head/sys/kern/vfs_syscalls.c:3747
> > > #72 0xffffffff808a54c3 in sys_mkdir (td=0xfffff801ad926000, 
> > >     uap=0xfffffe033c22ca58) at /home/git/head/sys/kern/vfs_syscalls.c:3678
> > > #73 0xffffffff80c97044 in syscallenter (td=0xfffff801ad926000, 
> > >     sa=0xfffffe033c22ca48) at subr_syscall.c:133
> > > #74 0xffffffff80c9694a in amd64_syscall (td=0xfffff801ad926000, traced=0)
> > >     at /home/git/head/sys/amd64/amd64/trap.c:986
> > > #75 0xffffffff80c6948b in Xfast_syscall ()
> > >     at /home/git/head/sys/amd64/amd64/exception.S:395
> > > #76 0x0000000800946eca in ?? ()
> > > Previous frame inner to this frame (corrupt stack?)
> > > Current language:  auto; currently minimal
> > > (kgdb) 
> > > 
> > > 
> > 
> > This is fun, for some definition of it.
> > 
> > The process was in the guts of VFS from mkdir(2) syscall, witness
> > triggered printing of the warning for dreaded buf->hashdir->buf non-real
> > LOR. From the ddb stack backtrace routine, when cnputs released the
> > console spinlock yet another time, timer interrupt fired and started
> > proceeding callouts. One of the callout triggered and needs to wake
> > up a thread sleeping with timeout. There, inside the scheduler,
> > cpu_search_lowest() was called, recursed twice and finally
> > overflown the stack.
> > 
> > Is this yet another clang regression ?  The cpu_search_lowest() saga seems
> > to never end. r268211 is uneffective, probably after clang 3.5 import.
> 
> yes, you are right. building kernel without SSP fixes the panic.
> 
How did you ensured that it is fixed ?  There must be very specific
circumstances: timer interrupt fired while in witness, callout activated,
etc to trigger the panic.

Or, do you mean that you looked at the assembly for the cpu_search() and
see that it is no longer recursive ?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150125120648.GX42409>