255119 – kernel panic when a few vnode backed md devices are created

Bug 255119 - kernel panic when a few vnode backed md devices are created

Summary: kernel panic when a few vnode backed md devices are created

Status:	Closed FIXED

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	amd64 Any

Importance:	--- Affects Some People
Assignee:	Konstantin Belousov

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-04-16 11:47 UTC by nvass
Modified:	2021-05-03 17:22 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description nvass 2021-04-16 11:47:28 UTC

The kernel panics when creating several vnode backed md devices. This is from a recent 14-CURRENT but the bug exists on older branches like FREEBSD-12.

Steps to reproduce:
root@sheep:~ # cd /bin
root@sheep:/bin # apply 'mdconfig -f' *
md0
md1
md2
md3
md4
md5
<<kernel panics>>




Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address   = 0x0
fault code              = supervisor write data, page not present
instruction pointer     = 0x20:0xffffffff80d13968                                                                                    stack pointer           = 0x28:0xfffffe006435b3d0                                                                                    frame pointer           = 0x28:0xfffffe006435b460
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0                                                                        current process         = 1703 (mdconfig)
trap number             = 12
panic: page fault
cpuid = 0
time = 1618572307
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe006435b080
vpanic() at vpanic+0x181/frame 0xfffffe006435b0d0
panic() at panic+0x43/frame 0xfffffe006435b130
trap_fatal() at trap_fatal+0x387/frame 0xfffffe006435b190
trap_pfault() at trap_pfault+0x97/frame 0xfffffe006435b1f0
trap() at trap+0x2ab/frame 0xfffffe006435b300
calltrap() at calltrap+0x8/frame 0xfffffe006435b300
--- trap 0xc, rip = 0xffffffff80d13968, rsp = 0xfffffe006435b3d0, rbp = 0xfffffe006435b460 ---
vn_open_vnode() at vn_open_vnode+0x308/frame 0xfffffe006435b460
vn_open_cred() at vn_open_cred+0x55d/frame 0xfffffe006435b5d0
mdctlioctl() at mdctlioctl+0x997/frame 0xfffffe006435b800
devfs_ioctl() at devfs_ioctl+0xcd/frame 0xfffffe006435b850
vn_ioctl() at vn_ioctl+0x131/frame 0xfffffe006435b960

Comment 1 Peter Holm freebsd_committer

2021-04-16 14:00:20 UTC

Reproduced this with:

cp /bin/sleep $mntpoint
$mntpoint/sleep 60 &
sleep .2
mdconfig -f $mntpoint/sleep -u $md2

Comment 2 Konstantin Belousov freebsd_committer

2021-04-19 07:23:02 UTC

(In reply to Peter Holm from comment #1)
Peter,
could you please show the ususal debugging info?

Comment 3 Peter Holm freebsd_committer

2021-04-19 08:45:55 UTC

(In reply to Konstantin Belousov from comment #2)
Sure: https://people.freebsd.org/~pho/stress/log/log0096.txt

Comment 4 Konstantin Belousov freebsd_committer

2021-04-19 10:32:42 UTC

https://reviews.freebsd.org/D29830

Comment 5 commit-hook freebsd_committer

2021-04-21 15:07:54 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=54f98c4dbf9b1203a4e3e1b13fd0738441226991

commit 54f98c4dbf9b1203a4e3e1b13fd0738441226991
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-04-19 10:25:30 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-04-21 15:06:51 +0000

    vn_open_vnode(): handle error when fp == NULL

    If VOP_ADD_WRITECOUNT() or adv locking failed, so VOP_CLOSE() needs to
    be called, we cannot use fp fo_close() when there is no fp.  This occurs
    when e.g. kernel code directly calls vn_open() instead of the open(2)
    syscall.

    In this case, VOP_CLOSE() can be called directly, after possible lock
    upgrade.

    Reported by:    nvass@gmx.com
    PR:     255119
    Tested by:      pho
    Sponsored by:   The FreeBSD Foundation
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D29830

 sys/kern/vfs_vnops.c | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

Comment 6 commit-hook freebsd_committer

2021-04-23 11:15:53 UTC

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3df91ba10f31942067c55edd2f493daac19a81e4

commit 3df91ba10f31942067c55edd2f493daac19a81e4
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-04-19 10:25:30 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-04-23 11:14:10 +0000

    vn_open_vnode(): handle error when fp == NULL

    PR:     255119

    (cherry picked from commit 54f98c4dbf9b1203a4e3e1b13fd0738441226991)

 sys/kern/vfs_vnops.c | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)

Comment 7 commit-hook freebsd_committer

2021-05-01 00:39:41 UTC

A commit in branch stable/12 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=9102ba040a6faf1badf950d6af104440b667f89f

commit 9102ba040a6faf1badf950d6af104440b667f89f
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2021-04-19 10:25:30 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2021-05-01 00:38:30 +0000

    vn_open_vnode(): handle error when fp == NULL

    PR:     255119

    (cherry picked from commit 54f98c4dbf9b1203a4e3e1b13fd0738441226991)

 sys/kern/vfs_vnops.c | 32 +++++++++++++++++++++++++-------
 1 file changed, 25 insertions(+), 7 deletions(-)