Bug 201003

Summary: forcibly unmounting a filesystem with running binaries results in panic
Product: Base System
Reporter: Edward Tomasz Napierala <trasz>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: New ---    
Severity: Affects Some People    
Priority: ---    
Version: CURRENT   
Hardware: Any   
OS: Any   

Description Edward Tomasz Napierala freebsd_committer 2015-06-21 10:47:05 UTC
Forcible unmount of a filesystem containing a binary that's executing at that time results in a panic.  Note that the binary must have called mlockall(2), otherwise it will simply segfault.  Backtrace looks like this:

panic: vm_page_unwire: page 0xfffff800b7b8b980's wire count is zero

#10 0xffffffff80976903 in panic (fmt=0xffffffff81675540 "\004") at /usr/home/trasz/svn/head/sys/kern/kern_shutdown.c:868
#11 0xffffffff80c25838 in vm_page_unwire (m=<value optimized out>, queue=<value optimized out>) at /usr/home/trasz/svn/head/sys/vm/vm_page.c:2516
#12 0xffffffff80c21079 in vm_object_unwire (object=0xfffff8012f13ea00, offset=<value optimized out>, length=<value optimized out>, 
    queue=<value optimized out>) at /usr/home/trasz/svn/head/sys/vm/vm_object.c:2273
#13 0xffffffff80c180f7 in vm_map_entry_unwire (map=0xfffff8012f0f5000, entry=0xfffff8012f0cd400) at /usr/home/trasz/svn/head/sys/vm/vm_map.c:2842
#14 0xffffffff80c1628a in vm_map_delete (map=0xfffff8012f0f5000, start=<value optimized out>, end=140737488355328)
    at /usr/home/trasz/svn/head/sys/vm/vm_map.c:3002
#15 0xffffffff80c18fa3 in vm_map_remove (map=0xfffff8012f0f5000, start=140737488355328, end=18446744071579148419)
    at /usr/home/trasz/svn/head/sys/vm/vm_map.c:3032
#16 0xffffffff80c14349 in vmspace_exit (td=0xfffff80019edb000) at /usr/home/trasz/svn/head/sys/vm/vm_map.c:335
#17 0xffffffff8093817e in exit1 (td=0xfffff80019edb000, rv=<value optimized out>) at /usr/home/trasz/svn/head/sys/kern/kern_exit.c:391
#18 0xffffffff80979ee0 in sigexit (td=0xfffff80019edb000, sig=Unhandled dwarf expression opcode 0x93
) at /usr/home/trasz/svn/head/sys/kern/kern_sig.c:2974
#19 0xffffffff8097a50c in postsig (sig=<value optimized out>) at /usr/home/trasz/svn/head/sys/kern/kern_sig.c:2877
#20 0xffffffff809cb2f7 in ast (framep=<value optimized out>) at /usr/home/trasz/svn/head/sys/kern/subr_trap.c:274
#21 0xffffffff80d728f9 in doreti_ast () at /usr/home/trasz/svn/head/sys/amd64/amd64/exception.S:681
#22 0x00007fffffffea58 in ?? ()

Steps to reproduce:

# mdconfig -s1g
# newfs /dev/md0
# mount /dev/md0 /mnt
# cp loop /mnt
# /mnt/loop

In another terminal:

# umount -f /mnt


#include <sys/mman.h>
#include <err.h>
#include <stdio.h>
#include <unistd.h>

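int
main(void)
{
        int error;

        /* Wire all current and future pages; without this the process just segfaults on forced unmount. */
        error = mlockall(MCL_CURRENT | MCL_FUTURE);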
        if (error != 0)
                err(1, "mlockall");

        for (;;) {
                fprintf(stderr, ".");