From jamie@bishopston.net Fri Jul 31 17:10:29 2009 Return-Path: Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 41817106564A for ; Fri, 31 Jul 2009 17:10:29 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from pacha.mail.bishopston.net (pacha.mail.bishopston.net [66.148.74.41]) by mx1.freebsd.org (Postfix) with ESMTP id 005C78FC2E for ; Fri, 31 Jul 2009 17:10:28 +0000 (UTC) (envelope-from jamie@bishopston.net) Received: from catflap.bishopston.net (jamie@localhost [127.0.0.1]) by catflap.bishopston.net (8.14.3/8.14.3) with ESMTP id n6VH9Dv7094508 for ; Fri, 31 Jul 2009 18:09:13 +0100 (BST) (envelope-from jamie@catflap.bishopston.net) Received: (from jamie@localhost) by catflap.bishopston.net (8.14.3/8.12.9/Submit) id n6VH9C3T094507; Fri, 31 Jul 2009 18:09:12 +0100 (BST) Message-Id: <200907311709.n6VH9C3T094507@catflap.bishopston.net> Date: Fri, 31 Jul 2009 18:09:12 +0100 (BST) From: Jamie Landeg Jones Reply-To: Jamie Landeg Jones To: FreeBSD-gnats-submit@freebsd.org Cc: Subject: reproducable kernel panic: page fault FreeBSD 7.2-STABLE X-Send-Pr-Version: 3.113 X-GNATS-Notify: >Number: 137310 >Category: kern >Synopsis: [kernel] [panic] reproducable kernel panic: page fault FreeBSD 7.2-STABLE [regression] >Confidential: no >Severity: serious >Priority: medium >Responsible: kib >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Jul 31 17:20:04 UTC 2009 >Closed-Date: Sat Sep 05 13:36:01 UTC 2009 >Last-Modified: Wed Nov 10 23:40:08 UTC 2010 >Originator: Jamie Landeg Jones >Release: FreeBSD 7.2-STABLE i386 >Organization: >Environment: System: FreeBSD catflap.bishopston.net 7.2-STABLE FreeBSD 7.2-STABLE #0: Fri Jul 17 14:13:53 BST 2009 root@catflap.bishopston.net:/usr/obj/usr/src/sys/CATFLAP i386 7.2-Stable cvs'ed 17th July 2009. >Description: Exact same kernel panic as shown below everytime I start rsync. It also panics if rsync is run non-root. rsync built from ports with: | # No user-servicable parts inside! | # Options for rsync-3.0.6 | _OPTIONS_READ=rsync-3.0.6 | WITHOUT_POPT_PORT=true | WITH_SSH=true | WITH_FLAGS=true | WITHOUT_ATIMES=true | WITH_ACL=true | WITHOUT_ICONV=true | WITHOUT_TIMELIMIT=true offending line (within script) : | /usr/local/bin/rsync --rsh="ssh -4p 9621" --timeout=1800 -rltHzxS --bwlimit=200 --delete --sparse --fake-super --partial --partial-dir==../../PARTIAL/ --temp-dir=../../TMP/ --compare-dest=../../TMP/ --exclude-from="/usr/catflap/data/do_remote_backup/$remote.exclude" --backup --stats --backup-dir=../../OLD/$date/$remote "$local" jamie@catnip.bishopston.net:/usr/users/jamie/CATFLAPBACKUPS/backup/$remote same script worked with 6.2 >How-To-Repeat: run rsync! >Fix: --- info.20090730 begins here --- Dump header from device /dev/ad0s1b Architecture: i386 Architecture Version: 2 Dump Length: 239001600B (227 MB) Blocksize: 512 Dumptime: Thu Jul 30 14:40:19 2009 Hostname: catflap.bishopston.net Magic: FreeBSD Kernel Dump Version String: FreeBSD 7.2-STABLE #0: Fri Jul 17 14:13:53 BST 2009 root@catflap.bishopston.net:/usr/obj/usr/src/sys/CATFLAP Panic String: page fault Dump Parity: 3373992290 Bounds: 0 Dump Status: good GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-marcel-freebsd"... Unread portion of the kernel message buffer: kernel trap 12 with interrupts disabled Fatal trap 12: page fault while in kernel mode fault virtual address = 0x18 fault code = supervisor read, page not present instruction pointer = 0x20:0xc055463c stack pointer = 0x28:0xe659fa20 frame pointer = 0x28:0xe659fa2c code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = resume, IOPL = 0 current process = 907 (rsync) trap number = 12 panic: page fault Uptime: 17h34m28s Physical memory: 1006 MB Dumping 227 MB: 212 196 180 164 148 132 116 100 84 68 52 36 20 4 Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done. done. Loaded symbols for /boot/kernel/acpi.ko Reading symbols from /boot/kernel/linux.ko...Reading symbols from /boot/kernel/linux.ko.symbols...done. done. Loaded symbols for /boot/kernel/linux.ko Reading symbols from /boot/kernel/linprocfs.ko...Reading symbols from /boot/kernel/linprocfs.ko.symbols...done. done. Loaded symbols for /boot/kernel/linprocfs.ko Reading symbols from /boot/kernel/linsysfs.ko...Reading symbols from /boot/kernel/linsysfs.ko.symbols...done. done. Loaded symbols for /boot/kernel/linsysfs.ko Reading symbols from /usr/local/modules/rtc.ko...done. Loaded symbols for /usr/local/modules/rtc.ko #0 doadump () at pcpu.h:196 196 __asm __volatile("movl %%fs:0,%0" : "=r" (td)); (kgdb) (kgdb) list *0xc055463c 0xc055463c is in turnstile_broadcast (/usr/src/sys/kern/subr_turnstile.c:836). 831 832 /* 833 * Transfer the blocked list to the pending list. 834 */ 835 mtx_lock_spin(&td_contested_lock); 836 TAILQ_CONCAT(&ts->ts_pending, &ts->ts_blocked[queue], td_lockq); 837 mtx_unlock_spin(&td_contested_lock); 838 839 /* 840 * Give a turnstile to each thread. The last thread gets 841 * this turnstile if the turnstile is empty. 842 */ 843 TAILQ_FOREACH(td, &ts->ts_pending, td_lockq) { 844 if (LIST_EMPTY(&ts->ts_free)) { 845 MPASS(TAILQ_NEXT(td, td_lockq) == NULL); 846 ts1 = ts; 847 #ifdef TURNSTILE_PROFILING 848 tc->tc_depth--; 849 #endif 850 } else 851 ts1 = LIST_FIRST(&ts->ts_free); 852 MPASS(ts1 != NULL); 853 LIST_REMOVE(ts1, ts_hash); 854 td->td_turnstile = ts1; 855 } 856 } 857 858 /* 859 * Wakeup all threads on the pending list and adjust the priority of the 860 * current thread appropriately. This must be called with the turnstile 861 * chain locked. 862 */ 863 void 864 turnstile_unpend(struct turnstile *ts, int owner_type) 865 { 866 TAILQ_HEAD( ,thread) pending_threads; 867 struct turnstile *nts; 868 struct thread *td; 869 u_char cp, pri; 870 871 MPASS(ts != NULL); 872 mtx_assert(&ts->ts_lock, MA_OWNED); 873 MPASS(ts->ts_owner == curthread || 874 (owner_type == TS_SHARED_LOCK && ts->ts_owner == NULL)); 875 MPASS(!TAILQ_EMPTY(&ts->ts_pending)); 876 877 /* 878 * Move the list of pending threads out of the turnstile and 879 * into a local variable. 880 */ 881 TAILQ_INIT(&pending_threads); 882 TAILQ_CONCAT(&pending_threads, &ts->ts_pending, td_lockq); 883 #ifdef INVARIANTS 884 if (TAILQ_EMPTY(&ts->ts_blocked[TS_EXCLUSIVE_QUEUE]) && 885 TAILQ_EMPTY(&ts->ts_blocked[TS_SHARED_QUEUE])) 886 ts->ts_lockobj = NULL; 887 #endif 888 /* 889 * Adjust the priority of curthread based on other contested 890 * locks it owns. Don't lower the priority below the base (kgdb) back #0 doadump () at pcpu.h:196 #1 0xc05234da in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418 #2 0xc05236d9 in panic (fmt=Variable "fmt" is not available. ) at /usr/src/sys/kern/kern_shutdown.c:574 #3 0xc07795bc in trap_fatal (frame=0xe659f9e0, eva=24) at /usr/src/sys/i386/i386/trap.c:938 #4 0xc0779eb9 in trap (frame=0xe659f9e0) at /usr/src/sys/i386/i386/trap.c:319 #5 0xc076331b in calltrap () at /usr/src/sys/i386/i386/exception.s:166 #6 0xc055463c in turnstile_broadcast (ts=0x0, queue=0) at /usr/src/sys/kern/subr_turnstile.c:835 #7 0xc05143ca in _mtx_unlock_sleep (m=0xc3d91020, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:619 #8 0xc04c469f in pfs_getextattr (va=0xe659fab4) at pseudofs_internal.h:110 #9 0xc078db53 in VOP_GETEXTATTR_APV (vop=0xc07dbda0, a=0xe659fab4) at vnode_if.c:2451 #10 0xc058ee7c in extattr_get_vp (vp=0xc80c9678, attrnamespace=1, attrname=0xe659fb29 "rsync.%stat", data=0xbfbfc080, nbytes=255, td=0xc4bb1460) at vnode_if.h:1327 #11 0xc058efec in extattr_get_link (td=0xc4bb1460, uap=0xe659fcfc) at /usr/src/sys/kern/vfs_extattr.c:495 #12 0xc0779b51 in syscall (frame=0xe659fd38) at /usr/src/sys/i386/i386/trap.c:1089 #13 0xc0763380 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:262 #14 0x00000033 in ?? () Previous frame inner to this frame (corrupt stack?) (kgdb)  15:03 (2) "crash" root@catflap# ^D Script done on Thu Jul 30 15:03:59 2009 --- info.20090730 ends here --- >Release-Note: >Audit-Trail: From: Jamie Landeg Jones To: jamie@bishopston.net, FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org Cc: Subject: Re: kern/137310: reproducable kernel panic: page fault FreeBSD 7.2-STABLE Date: Sun, 02 Aug 2009 20:02:15 +0100 Further testing has shown that it's the "--fake-super" attribute that triggers the panic.. From: Jamie Landeg Jones To: FreeBSD-gnats-submit@FreeBSD.org Cc: Subject: Re: kern/137310: reproducable kernel panic: page fault FreeBSD 7.2-STABLE Date: Thu, 20 Aug 2009 16:13:11 +0100 This is a multi-part message in MIME format. --=_4a8d6807.ZUT2Fiky2wRmBS/l+DzoioihvRRAQgbvuSxZGcKRJnWC5eKu Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: inline Also occurs in 8.0-BETA2 --=_4a8d6807.ZUT2Fiky2wRmBS/l+DzoioihvRRAQgbvuSxZGcKRJnWC5eKu Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="typescript" GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-marcel-freebsd"... Unread portion of the kernel message buffer: kernel trap 12 with interrupts disabled Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x14 fault code = supervisor read, page not present instruction pointer = 0x20:0xc064c150 stack pointer = 0x28:0xe70649fc frame pointer = 0x28:0xe7064a18 code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, def32 1, gran 1 processor eflags = resume, IOPL = 0 current process = 9475 (rsync) trap number = 12 panic: page fault cpuid = 0 Uptime: 3h39m11s Physical memory: 1463 MB Dumping 206 MB: 191 175 159 143 127 111 95 79 63 47 (CTRL-C to abort) 31 (CTRL-C to abort) 15 (CTRL-C to abort) (CTRL-C to abort) Reading symbols from /boot/kernel/ntfs.ko...Reading symbols from /boot/kernel/ntfs.ko.symbols...done. done. Loaded symbols for /boot/kernel/ntfs.ko Reading symbols from /boot/kernel/linprocfs.ko...Reading symbols from /boot/kernel/linprocfs.ko.symbols...done. done. Loaded symbols for /boot/kernel/linprocfs.ko Reading symbols from /boot/kernel/linsysfs.ko...Reading symbols from /boot/kernel/linsysfs.ko.symbols...done. done. Loaded symbols for /boot/kernel/linsysfs.ko Reading symbols from /usr/local/modules/fuse.ko...done. Loaded symbols for /usr/local/modules/fuse.ko Reading symbols from /boot/kernel/fade_saver.ko...Reading symbols from /boot/kernel/fade_saver.ko.symbols...done. done. Loaded symbols for /boot/kernel/fade_saver.ko Reading symbols from /usr/local/modules/rtc.ko...done. Loaded symbols for /usr/local/modules/rtc.ko #0 doadump () at pcpu.h:246 246 __asm __volatile("movl %%fs:0,%0" : "=r" (td)); (kgdb) list *0xc064c150 0xc064c150 is in turnstile_broadcast (/usr/src/sys/kern/subr_turnstile.c:831). 826 827 /* 828 * Transfer the blocked list to the pending list. 829 */ 830 mtx_lock_spin(&td_contested_lock); 831 TAILQ_CONCAT(&ts->ts_pending, &ts->ts_blocked[queue], td_lockq); 832 mtx_unlock_spin(&td_contested_lock); 833 834 /* 835 * Give a turnstile to each thread. The last thread gets 836 * this turnstile if the turnstile is empty. 837 */ 838 TAILQ_FOREACH(td, &ts->ts_pending, td_lockq) { 839 if (LIST_EMPTY(&ts->ts_free)) { 840 MPASS(TAILQ_NEXT(td, td_lockq) == NULL); 841 ts1 = ts; 842 #ifdef TURNSTILE_PROFILING 843 tc->tc_depth--; 844 #endif 845 } else 846 ts1 = LIST_FIRST(&ts->ts_free); 847 MPASS(ts1 != NULL); 848 LIST_REMOVE(ts1, ts_hash); 849 td->td_turnstile = ts1; 850 } 851 } 852 853 /* 854 * Wakeup all threads on the pending list and adjust the priority of the 855 * current thread appropriately. This must be called with the turnstile 856 * chain locked. 857 */ 858 void 859 turnstile_unpend(struct turnstile *ts, int owner_type) 860 { 861 TAILQ_HEAD( ,thread) pending_threads; 862 struct turnstile *nts; 863 struct thread *td; 864 u_char cp, pri; 865 866 MPASS(ts != NULL); 867 mtx_assert(&ts->ts_lock, MA_OWNED); 868 MPASS(ts->ts_owner == curthread || ts->ts_owner == NULL); 869 MPASS(!TAILQ_EMPTY(&ts->ts_pending)); 870 871 /* 872 * Move the list of pending threads out of the turnstile and 873 * into a local variable. 874 */ 875 TAILQ_INIT(&pending_threads); (kgdb) back #0 doadump () at pcpu.h:246 #1 0xc0615843 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:416 #2 0xc0615b26 in panic (fmt=Variable "fmt" is not available. ) at /usr/src/sys/kern/kern_shutdown.c:579 #3 0xc088d3cd in trap_fatal (frame=0xe70649bc, eva=20) at /usr/src/sys/i386/i386/trap.c:931 #4 0xc088dcf3 in trap (frame=0xe70649bc) at /usr/src/sys/i386/i386/trap.c:323 #5 0xc0872b7b in calltrap () at /usr/src/sys/i386/i386/exception.s:165 #6 0xc064c150 in turnstile_broadcast (ts=0x0, queue=0) at /usr/src/sys/kern/subr_turnstile.c:831 #7 0xc06069e7 in _mtx_unlock_sleep (m=0xc4af92a0, opts=0, file=0x0, line=0) at /usr/src/sys/kern/kern_mutex.c:677 #8 0xc05b338d in pfs_getextattr (va=0xe7064aa0) at pseudofs_internal.h:110 #9 0xc089d9e3 in VOP_GETEXTATTR_APV (vop=0xc0936f80, a=0xe7064aa0) at vnode_if.c:2978 #10 0xc068983c in extattr_get_vp (vp=0xc4a2353c, attrnamespace=1, attrname=0xe7064b71 "rsync.%stat", data=0xbfbfb2b0, nbytes=255, td=0xc54f4230) at vnode_if.h:1332 #11 0xc06899b0 in extattr_get_link (td=0xc54f4230, uap=0xe7064cf8) at /usr/src/sys/kern/vfs_extattr.c:492 #12 0xc088d942 in syscall (frame=0xe7064d38) at /usr/src/sys/i386/i386/trap.c:1071 #13 0xc0872be0 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:261 #14 0x00000033 in ?? () Previous frame inner to this frame (corrupt stack?) (kgdb) --=_4a8d6807.ZUT2Fiky2wRmBS/l+DzoioihvRRAQgbvuSxZGcKRJnWC5eKu-- From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: kern/137310: commit references a PR Date: Mon, 31 Aug 2009 09:26:20 +0000 (UTC) Author: kib Date: Mon Aug 31 09:26:04 2009 New Revision: 196689 URL: http://svn.freebsd.org/changeset/base/196689 Log: Remove spurious pfs_unlock(). PR: kern/137310 Reviewed by: des MFC after: 3 days Modified: head/sys/fs/pseudofs/pseudofs_vnops.c Modified: head/sys/fs/pseudofs/pseudofs_vnops.c ============================================================================== --- head/sys/fs/pseudofs/pseudofs_vnops.c Mon Aug 31 09:20:37 2009 (r196688) +++ head/sys/fs/pseudofs/pseudofs_vnops.c Mon Aug 31 09:26:04 2009 (r196689) @@ -339,7 +339,6 @@ pfs_getextattr(struct vop_getextattr_arg if (proc != NULL) PROC_UNLOCK(proc); - pfs_unlock(pn); PFS_RETURN (error); } _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" From: Jamie Landeg Jones To: jamie@bishopston.net, FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org Cc: kostikbel@gmail.com Subject: Re: kern/137310: reproducable kernel panic: page fault FreeBSD 7.2-STABLE Date: Tue, 01 Sep 2009 17:54:54 +0100 I tried that patch and it does indeed fix the problem. Please feel free to close this PR when you want. Thanks, Jamie State-Changed-From-To: open->patched State-Changed-By: linimon State-Changed-When: Wed Sep 2 09:29:49 UTC 2009 State-Changed-Why: set as MFC reminder. Responsible-Changed-From-To: freebsd-bugs->kib Responsible-Changed-By: linimon Responsible-Changed-When: Wed Sep 2 09:29:49 UTC 2009 Responsible-Changed-Why: http://www.freebsd.org/cgi/query-pr.cgi?pr=137310 State-Changed-From-To: patched->closed State-Changed-By: kib State-Changed-When: Sat Sep 5 13:35:37 UTC 2009 State-Changed-Why: Fix is in RELENG_7 and RELENG_8. http://www.freebsd.org/cgi/query-pr.cgi?pr=137310 From: dfilter@FreeBSD.ORG (dfilter service) To: bug-followup@FreeBSD.org Cc: Subject: Re: kern/137310: commit references a PR Date: Wed, 10 Nov 2010 23:36:18 +0000 (UTC) Author: cperciva Date: Wed Nov 10 23:36:13 2010 New Revision: 215103 URL: http://svn.freebsd.org/changeset/base/215103 Log: Don't unlock a mutex which wasn't locked. PR: kern/137310 Approved by: so (cperciva) Security: FreeBSD-SA-10:09.pseudofs Modified: releng/7.1/UPDATING releng/7.1/sys/conf/newvers.sh releng/7.1/sys/fs/pseudofs/pseudofs_vnops.c Modified: releng/7.1/UPDATING ============================================================================== --- releng/7.1/UPDATING Wed Nov 10 21:06:49 2010 (r215102) +++ releng/7.1/UPDATING Wed Nov 10 23:36:13 2010 (r215103) @@ -8,6 +8,9 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20101110: p15 FreeBSD-SA-10:09.pseudofs + Don't unlock a mutex which wasn't locked. + 20100920: p14 FreeBSD-SA-10:08.bzip2 Fix an integer overflow in RLE length parsing when decompressing corrupt bzip2 data. Modified: releng/7.1/sys/conf/newvers.sh ============================================================================== --- releng/7.1/sys/conf/newvers.sh Wed Nov 10 21:06:49 2010 (r215102) +++ releng/7.1/sys/conf/newvers.sh Wed Nov 10 23:36:13 2010 (r215103) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.1" -BRANCH="RELEASE-p14" +BRANCH="RELEASE-p15" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.1/sys/fs/pseudofs/pseudofs_vnops.c ============================================================================== --- releng/7.1/sys/fs/pseudofs/pseudofs_vnops.c Wed Nov 10 21:06:49 2010 (r215102) +++ releng/7.1/sys/fs/pseudofs/pseudofs_vnops.c Wed Nov 10 23:36:13 2010 (r215103) @@ -305,7 +305,6 @@ pfs_getextattr(struct vop_getextattr_arg if (proc != NULL) PROC_UNLOCK(proc); - pfs_unlock(pn); PFS_RETURN (error); } _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org" >Unformatted: