| Summary: | "panic: zone: entry not free" in namei() | | |
|---|---|---|---|
| Product: | Base System | Reporter: | Gregory Bond <gnb> |
| Component: | kern | Assignee: | assar <assar> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | 4.0-STABLE | | |
| Hardware: | Any | | |
| OS: | Any | | |

On Wed, Jun 28, 2000 at 11:15:34AM +1000, Gregory Bond wrote:
> Kernel compiled with "options INVARIANTS"
You often see panics if you compile with INVARIANTS and then load
modules which have not been compiled with INVARIANTS. Could this
be the problem?
David.

David Malone wrote:
> > Kernel compiled with "options INVARIANTS"
>
> You often see panics if you compile with INVARIANTS and then load
> modules which have not been compiled with INVARIANTS. Could this
> be the problem?

If it is, then we either still have a bug, or we have a bug in our
documentation (maybe depending on which is easier to fix :-)).

From src/sys/i386/conf/NOTES (in -current, was LINT):

# The INVARIANT_SUPPORT option makes us compile in support for
# verifying some of the internal structures. It is a prerequisite for
# 'INVARIANTS', as enabling 'INVARIANTS' will make these functions be
|# called. The intent is that you can set 'INVARIANTS' for single
|# source files (by changing the source file or specifying it on the
|# command line) if you have 'INVARIANT_SUPPORT' enabled.

From my reading of this, it is more likely that problems will occur
when mixing kernel/modules with differing options "INVARIANT_SUPPORT"
than "INVARIANTS". Of course, this may well be what you meant. :)

--
|| David Nugent || TS Manager, ISP Limited ||
\\ davidn@austel.net | davidn@blaze.net.au | davidn@freebsd.org //
.\\ Ph: +61396422322 Fax: +61396422063 Cell: +61404867638 //.

> If it is, then we either still have a bug, or we have a bug in our
> documentation (maybe depending on which is easier to fix :-)).

I thought I'd had problems with this as recently as a few months
ago while trying to install NetBSD on my amiga via NFS over a slip
link to my FreeBSD machine. Though, I have to admit I fixed some
bugs in the slip driver about the same time - so that could be what
I'm remembering.

> From src/sys/i386/conf/NOTES (in -current, was LINT):
> # The INVARIANT_SUPPORT option makes us compile in support for
> # verifying some of the internal structures. It is a prerequisite for
> # 'INVARIANTS', as enabling 'INVARIANTS' will make these functions be
> |# called. The intent is that you can set 'INVARIANTS' for single
> |# source files (by changing the source file or specifying it on the
> |# command line) if you have 'INVARIANT_SUPPORT' enabled.
> From my reading of this, it is more likely that problems will occur
> when mixing kernel/modules with differing options "INVARIANT_SUPPORT"
> than "INVARIANTS". Of course, this may well be what you meant. :)

Could easily be ;-) I'll test it when I get home again, and see if
I can reproduce it.

David.

> You often see panics if you compile with INVARIANTS and then load
> modules which have not been compiled with INVARIANTS. Could this
> be the problem?
Well spotted.
I was loading cd9660 from a module. Once I compiled it into the kernel (with
INVARIANTS), the recipe no longer panics but works as expected.
The trick is that isofs/cd9660/cd9660_vnops.c also uses namei_zone, but when
compiled without INVARIANTS (in the module), the deallocator is not clearing
the "in use" flag that the allocator in the kernel (compiled with INVARIANTS)
is checking at the next allocation, which happens to be inside namei().
nfs.ko and union.ko also use namei_zone and would be vulnerable to the same
problem.
Perhaps a note in LINT next to the INVARIANTS entry explaining this? [Patch
attached]
And perhaps whatever mechanism is being worked on to manage the versioning of
klds can take up this problem?
And perhaps namei_zone should be called maxpathlen_zone ! :>
Thanks all, this PR can be closed.
On Wed, 28 Jun 2000, Gregory Bond wrote:
> To: David Malone <dwmalone@maths.tcd.ie>
> > You often see panics if you compile with INVARIANTS and then load
> > modules which have not been compiled with INVARIANTS. Could this
> > be the problem?
>
> Well spotted.
>
> I was loading cd9660 from a module. Once I compiled it into the kernel (with
> INVARIANTS), the recipe no longer panics but works as expected.
>
> The trick is that isofs/cd9660/cd9660_vnops.c also uses namei_zone, but when
> compiled without INVARIANTS (in the module), the deallocator is not clearing
> the "in use" flag that the allocator in the kernel (compiled with INVARIANTS)
> is checking at the next allocation, which happens to be inside namei().
>
> nfs.ko and union.ko also use namei_zone and would be vulnerable to the same
> problem.
>
> Perhaps a note in LINT next to the INVARIANTS entry explaining this? [Patch
> attached]
No, this is a bug in INVARIANTS. It is caused by bogus ifdefs on
INVARIANTS in vm_zone.h. All ifdefs on kernel options in header
files are wrong, but these ifdefs are wronger than others since
INVARIANTS is supposed to be settable for single source files.
The correct fix seems to be to clear the "in use" flag unconditionally,
although this will bloat the zone allocator a little.
INVARIANTS support in vm_zone.c is also broken. Some things conditional
on INVARIANTS need to be conditional on INVARIANT_SUPPORT in case
vm_zone.c is not one of the source files compiled with INVARIANTS
configured.
Bruce
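
Added example (not part of the thread and not FreeBSD source): a simplified C model of the mismatch described above, where a zfree() inlined without INVARIANTS returns a chunk that a zalloc() inlined with INVARIANTS then rejects. The names toy_zone, FREE_MARK, zfree_plain, zfree_checked and zalloc_checked, and the marker value, are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and marker value; the thread only mentions "a certain
 * bit pattern in the second longword" of a free chunk. */
#define FREE_MARK ((void *)(uintptr_t)0x5a5a5a5a)

enum zone_err { ZONE_OK = 0, ZONE_NOT_FREE };
struct toy_zone {
    void *items;        /* head of the free list */
    enum zone_err err;  /* recorded here instead of calling panic() */
};

/* zfree as inlined into code built WITHOUT INVARIANTS: link only. */
static void zfree_plain(struct toy_zone *z, void *item) {
    ((void **)item)[0] = z->items;
    z->items = item;
}

/* zfree as inlined into code built WITH INVARIANTS: link and mark free. */
static void zfree_checked(struct toy_zone *z, void *item) {
    zfree_plain(z, item);
    ((void **)item)[1] = FREE_MARK;
}

/* zalloc as inlined into code built WITH INVARIANTS: check, then clear. */
static void *zalloc_checked(struct toy_zone *z) {
    void **w = z->items;
    if (w == NULL) return NULL;
    z->items = w[0];
    if (w[1] != FREE_MARK) { z->err = ZONE_NOT_FREE; return NULL; }
    w[1] = NULL;
    return w;
}

/* One chunk: put on the list, allocated, released by `freer`, reallocated. */
static enum zone_err run(void (*freer)(struct toy_zone *, void *)) {
    void *chunk[4] = { 0 };
    struct toy_zone z = { NULL, ZONE_OK };
    zfree_checked(&z, chunk);       /* zone setup */
    freer(&z, zalloc_checked(&z));  /* module side releases the buffer */
    (void)zalloc_checked(&z);       /* next allocation, as in namei() */
    return z.err;
}

enum zone_err mixed_build(void)   { return run(zfree_plain); }
enum zone_err matched_build(void) { return run(zfree_checked); }

int main(void) { printf("%d %d\n", mixed_build(), matched_build()); return 0; }
```

mixed_build() ends in the "entry not free" condition and matched_build() does not; marking the chunk on every zfree, as suggested above, makes the two cases behave alike.
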

Actually, thinking about it some more the whole concept of invariants in the
zone allocator is currently busted, because it relies on the fact that memory
returned to zfree() will not have a certain bit pattern in the second
longword. There is no way to guarantee that in general.

About all you can usefully do is mark stuff as it goes on the free list and
check it as it comes off, which will find some problems with the zone internal
freelist mgmt, plus I guess find a fairly small proportion of use-after-zfree()
problems (where the subsequent use changes the second longword). But you can't
reliably find zfree()-after-zfree() or failure-to-zfree() or
zfree()-to-the-wrong-zone or zfree()-after-malloc() or or or or....

So perhaps we orta either ditch the invariants in vm_zone.[ch] altogether. Or
change the zone implementation to use a hidden longword at the start of each
zalloc'd chunk. This longword would either be the next free entry (for free
chunks) or a pointer to the owning vm_zone object (for allocated chunks).

The downside here is of course size - a couple hundred K of kernel memory on
my fairly unloaded system (I have ~30k zone chunks active according to
"sysctl vm.zone").

If people think this is reasonable, I can put something together, but I
suspect the cost is too high.

Greg.

Responsible Changed
From-To: freebsd-bugs->assar

I closed it

State Changed
From-To: open->closed

I think this problem should have been fixed in both -current (Wed Dec 27
02:54:37 2000 UTC) and 4.X (Sun Mar 4 09:04:39 2001 UTC) by assar.

When using a FreeBSD 4 ftp client to ls a CD with symlinks, kernel panics
with "zone: entry not free"

This is quite scary because the traceback includes namei().....

Traceback, config file & dmesg attached below.

hellcat## gdb -k kernel.debug.1 vmcore.1
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
IdlePTD 3342336
initial pcb at 2b7420
panicstr: zone: entry not free
panic messages:
---
panic: zone: entry not free

syncing disks... done
Uptime: 20m18s

dumping to dev #ad/1, offset 131072
dump ata0: resetting devices .. done
64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 1 1 10 9 8 7 6 5 4 3 2 1
---
#0 boot (howto=256) at ../../kern/kern_shutdown.c:302
302 dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0 boot (howto=256) at ../../kern/kern_shutdown.c:302
#1 0xc014ba11 in panic (fmt=0xc0265bf9 "zone: entry not free") at ../../kern/kern_shutdown.c:552
#2 0xc01f95a7 in zerror () at ../../vm/vm_zone.c:456
#3 0xc0173a78 in namei (ndp=0xc6240ec4) at ../../vm/vm_zone.h:91
#4 0xc0179b68 in readlink (p=0xc5c9f1e0, uap=0xc6240f80) at ../../kern/vfs_syscalls.c:1902
#5 0xc0235951 in syscall2 (frame={tf_fs = 671744047, tf_es = 671744047,
    tf_ds = -1078001617, tf_edi = 134657024, tf_esi = 134657100,
    tf_ebp = -1077945572, tf_isp = -970715180, tf_ebx = -1077946600,
    tf_edx = 10, tf_ecx = -1077947756, tf_eax = 58, tf_trapno = 12,
    tf_err = 2, tf_eip = 672018760, tf_cs = 31, tf_eflags = 663,
    tf_esp = -1077947664, tf_ss = 47}) at ../../i386/i386/trap.c:1126
#6 0xc02298e6 in Xint0x80_syscall ()
#7 0x66c4c083 in ?? ()
Cannot access memory at address 0x6602b70f.
(kgdb) ^D

machine i386
cpu I686_CPU
ident Hellcat
maxusers 32

makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols

options INET #InterNETworking
#options INET6 #IPv6 communications protocols
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options MFS #Memory Filesystem
#options MD_ROOT #MD is a potential root device
options NFS #Network Filesystem
#options NFS_ROOT #NFS usable as root device, NFS required
#options MSDOSFS #MSDOS Filesystem
#options CD9660 #ISO 9660 Filesystem
#options CD9660_ROOT #CD-ROM usable as root, CD9660 required
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=5000 #Delay (in ms) before probing SCSI
options UCONSOLE #Allow users to grab the console
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM #Rate limit bad replies
options KBD_INSTALL_CDEV # install a CDEV entry in /dev

device isa
device pci

# Floppy drives
device fdc0 at isa? port IO_FD1 irq 6 drq 2
device fd0 at fdc0 drive 0
device fd1 at fdc0 drive 1

# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
#device atapifd # ATAPI floppy drives
#device atapist # ATAPI tape drives
options ATA_STATIC_ID #Static device numbering
#options ATA_ENABLE_ATAPI_DMA #Enable DMA on ATAPI devices

device adv

# SCSI peripherals
device scbus # SCSI bus (required)
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
#device cd # CD
device pass # Passthrough device (direct SCSI access)

# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device psm0 at atkbdc? irq 12

device vga0 at isa?

# splash screen/screen saver
pseudo-device splash

# syscons is the default console driver, resembling an SCO console
device sc0 at isa? flags 0x100

# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13

# Serial (COM) ports
device sio0 at isa? port IO_COM1 flags 0x10 irq 4
device sio1 at isa? disable port IO_COM2 irq 3
device sio2 at isa? disable port IO_COM3 irq 5
device sio3 at isa? disable port IO_COM4 irq 9

# Parallel port
device ppc0 at isa? irq 7
device ppbus # Parallel port bus (required)
device lpt # Printer
#device plip # TCP/IP over parallel
device ppi # Parallel port interface device
#device vpo # Requires scbus and da

device miibus # MII bus support
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Pseudo devices - the number indicates how many units to allocated.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
#pseudo-device sl 1 # Kernel SLIP
#pseudo-device ppp 1 # Kernel PPP
pseudo-device tun # Packet tunnel.
pseudo-device pty # Pseudo-ttys (telnet etc)
#pseudo-device md # Memory "disks"
#pseudo-device gif 4 # IPv6 and IPv4 tunneling
#pseudo-device faith 1 # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter

options SOFTUPDATES
options DDB
options INVARIANTS
options INVARIANT_SUPPORT
pseudo-device vn
options MSGBUF_SIZE=40960
device pcm

Copyright (c) 1992-2000 The FreeBSD Project.
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California. All rights reserved.
FreeBSD 4.0-STABLE #3: Tue Jun 27 13:45:49 EST 2000
toor@hellcat.itga.com.au:/usr/src/sys/compile/Hellcat
Timecounter "i8254" frequency 1193182 Hz
Timecounter "TSC" frequency 350797085 Hz
CPU: Pentium II/Pentium II Xeon/Celeron (350.80-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x652 Stepping = 2
Features=0x183f9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR>
real memory = 67108864 (65536K bytes)
avail memory = 62132224 (60676K bytes)
Preloaded elf kernel "kernel" at 0xc031e000.
Pentium Pro MTRR support enabled
npx0: <math processor> on motherboard
npx0: INT 16 interface
pcib0: <Intel 82443BX (440 BX) host to PCI bridge> on motherboard
pci0: <PCI bus> on pcib0
pcib1: <Intel 82443BX (440 BX) PCI-PCI (AGP) bridge> at device 1.0 on pci0
pci1: <PCI bus> on pcib1
pci1: <Matrox MGA G100 AGP graphics accelerator> at 0.0 irq 9
isab0: <Intel 82371AB PCI to ISA bridge> at device 4.0 on pci0
isa0: <ISA bus> on isab0
atapci0: <Intel PIIX4 ATA33 controller> port 0xfcd0-0xfcdf at device 4.1 on pci0
ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
pci0: <Intel 82371AB/EB (PIIX4) USB controller> at 4.2 irq 11
chip1: <Intel 82371AB Power management controller> port 0x2180-0x218f at device 4.3 on pci0
adv0: <AdvanSys ASC3030/50 SCSI controller> port 0xf800-0xf8ff mem 0xfedffc00-0xfedffcff irq 11 at device 11.0 on pci0
adv0: Warning EEPROM Checksum mismatch. Using default device parameters
adv0: AdvanSys SCSI Host Adapter, SCSI ID 7, queue depth 16
xl0: <3Com 3c905B-TX Fast Etherlink XL> port 0xfc00-0xfc7f mem 0xfedff800-0xfedff87f irq 9 at device 14.0 on pci0
xl0: Ethernet address: 00:10:5a:a1:7c:7a
miibus0: <MII bus> on xl0
xlphy0: <3Com internal media interface> on miibus0
xlphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
fdc0: <NEC 72065B or clone> at port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on isa0
fdc0: FIFO enabled, 8 bytes threshold
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
atkbdc0: <Keyboard controller (i8042)> at port 0x60,0x64 on isa0
atkbd0: <AT Keyboard> flags 0x1 irq 1 on atkbdc0
kbd0 at atkbd0
psm0: <PS/2 Mouse> irq 12 on atkbdc0
psm0: model MouseMan+, device ID 0
vga0: <Generic ISA VGA> at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
sc0: <System console> at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio0 at port 0x3f8-0x3ff irq 4 flags 0x10 on isa0
sio0: type 16550A
ppc0: <Parallel port> at port 0x378-0x37f irq 7 on isa0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
ppi0: <Parallel I/O> on ppbus0
lpt0: <Printer> on ppbus0
lpt0: Interrupt-driven port
adv1: Invalid baseport of 0x220 specified. Neerest valid baseport is 0x230. Failing probe.
sbc0: <Creative SB16/SB32> at port 0x220-0x22f,0x330-0x331,0x388-0x38b irq 5 drq 1,5 on isa0
sbc0: setting card to irq 5, drq 1, 5
pcm0: <SB DSP 4.13> on sbc0
adv1: Invalid baseport of 0x168 specified. Neerest valid baseport is 0x190. Failing probe.
unknown0: <Generic ESDI/IDE/ATA controller> at port 0x168-0x16f,0x36e-0x36f irq 10 on isa0
unknown1: <Reserved> at port 0x100 on isa0
adv1: Invalid baseport of 0x200 specified. Neerest valid baseport is 0x210. Failing probe.
unknown2: <Game> at port 0x200-0x207 on isa0
ad0: 4104MB <QUANTUM FIREBALL EX4.3A> [8895/15/63] at ata0-master using UDMA33
ad2: 4104MB <QUANTUM FIREBALL EX4.3A> [8895/15/63] at ata1-master using UDMA33
acd0: CD-RW <Hewlett-Packard CD-Writer Plus 8100> at ata1-slave using PIO3
Waiting 5 seconds for SCSI devices to settle
Mounting root from ufs:/dev/ad0s1a
WARNING: / was not properly dismounted

Fix:

None known.

How-To-Repeat:

This recipe will panic my system 100% of the time:

Compile 4-Stable kernel with "options INVARIANTS" (and "options
INVARIANT_SUPPORT" of course!) I've rebuilt the kernel from scratch (to get
a debugging kernel) and this still fails.

Mount WC 4.0 CD#1 on /cdrom.

From another FreeBSD 4 machine, ftp to this host as a non-root,
non-anonymous user. (I have not tried anon-ftp or root, I suspect no
difference). [NB: Does _not_ panic if you ftp in from Solaris 2.6!]

Inside ftp, do
cd /cdrom/packages/Latest
dir rsy*

Boom, server panics.