Bug 162997

Comment 1 Mark Linimon 2011-12-01 16:49:44 UTC

Responsible Changed
From-To: freebsd-bugs->freebsd-geom

Over to maintainer(s).

Comment 2 Florian Smeets 2011-12-01 18:37:40 UTC

I was tracking down a similar problem. My sparc64 machine with multiple
gmirrors stopped rebooting, it hangs after the first mirror is
destroyed, and never recovers. I have to reset it via LOM.

I can confirm the hang is caused by r227015.


Syncing disks, vnodes remaining...1 1 0 0 done
GEOM_MIRROR: Device var: provider mirror/var destroyed.
GEOM_MIRROR: Device var destroyed.
*hang*

Florian

Comment 3 dfilter service 2011-12-02 17:10:11 UTC

Author: mav
Date: Fri Dec  2 17:09:48 2011
New Revision: 228204
URL: http://svn.freebsd.org/changeset/base/228204

Log:
  Close race between geom destruction on g_vfs_close() when softc destroyed
  and g_vfs_orphan() call that tries to access softc, intruced at r227015.
  
  PR:		kern/162997

Modified:
  head/sys/geom/geom_vfs.c

Modified: head/sys/geom/geom_vfs.c
==============================================================================
--- head/sys/geom/geom_vfs.c	Fri Dec  2 15:47:05 2011	(r228203)
+++ head/sys/geom/geom_vfs.c	Fri Dec  2 17:09:48 2011	(r228204)
@@ -169,8 +169,10 @@ g_vfs_orphan(struct g_consumer *cp)
 	g_topology_assert();
 
 	gp = cp->geom;
-	sc = gp->softc;
 	g_trace(G_T_TOPOLOGY, "g_vfs_orphan(%p(%s))", cp, gp->name);
+	sc = gp->softc;
+	if (sc == NULL)
+		return;
 	mtx_lock(&sc->sc_mtx);
 	sc->sc_orphaned = 1;
 	destroy = (sc->sc_active == 0);
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"

Hello,

I don't like to crash real machine many times and build test
environment on qemu. md0p2a is labeled gm0 and md0p2h is gm1,
and mount as UFS2. After sysctl kern.geom.debugflags=7,
machine was rebooted. The copy from console before panic is here.

open delta:[r-1w-1e-3] old:[r2w2e6] provider:[r2w2e6] 0xc14eac00(md0)
g_post_event_x(0xc052c830, 0xc166c300, 2, 0)
  ref 0xc166c300
g_post_event_x(0xc0a03e40, 0xc1446b00, 2, 0)
g_wither_geom(0xc17ffa80(gm1.sync))
GEOM_MIRROR: Device gm1 destroyed.
g_wither_geom(0xc17ffb00(gm1))
g_orphan_register(mirror/gm1)
g_vfs_orphan(0xc1800400(ffs.mirror/gm1))
kernel trap 12 with interrupts disabled

The situation looks like this:
gm1 was destroyed in g_vfs_close() and then g_vfs_orphan() was called to
manipulate gm1. The function g_vfs_close() was freed softc and 
g_vfs_orphan() would like to use softc already freed and it causes
panic. 

I think that malloc() in g_vfs_open() and free() in g_vfs_close()
for mtx_lock is not valid method. malloc() should not be used,
or fee() should be used in other function. Or correct other code
which never call destroyed provider.

--
kaho Toshikazu

I missed r228204 and it makes machine reboot without panic.
Thanks.

-- 
Kaho Toshikazu

Comment 6 Alexander Motin 2011-12-05 08:45:17 UTC

State Changed
From-To: open->closed

Problem fixed by r228204.