(kgdb) bt #0 doadump () at pcpu.h:166 During symbol reading, Incomplete CFI data; unspecified registers at 0xc04a098e. #1 0xc04a105e in boot (howto=0x104) at ../../../kern/kern_shutdown.c:411 #2 0xc04a0bad in panic (fmt=0xc05c5bbf "relpbuf with vp") at ../../../kern/kern_shutdown.c:567 #3 0xc056b21a in relpbuf (bp=0xcceaed30, pfreecnt=0xc05f0f0c) at ../../../vm/vm_pager.c:397 #4 0xc054bd1e in ffs_rawread_main (vp=0xc325dc90, uio=0xd6aaec68) at ../../../ufs/ffs/ffs_rawread.c:417 #5 0xc054c2e1 in ffs_rawread (vp=0xc325dc90, uio=0xd6aaec68, workdone=0xd6aaeb58) at ../../../ufs/ffs/ffs_rawread.c:476 #6 0xc0549cc3 in ffs_read (ap=0xd6aaeba0) at ../../../ufs/ffs/ffs_vnops.c:432 #7 0xc0599394 in VOP_READ_APV (vop=0x0, a=0xd6aaeba0) at vnode_if.c:637 #8 0xc04faf73 in vn_read (fp=0xc3c3e3a8, uio=0xd6aaec68, active_cred=0xc2fbe400, flags=0x0, td=0xc5014bd0) at vnode_if.h:343 #9 0xc04c579e in dofileread (td=0xc5014bd0, fd=0x4, fp=0xc3c3e3a8, auio=0xd6aaec68, offset=Unhandled dwarf expression opcode 0x93 ) at file.h:242 #10 0xc04c593c in kern_readv (td=0xc5014bd0, fd=0x4, auio=0xd6aaec68) at ../../../kern/sys_generic.c:192 #11 0xc04c59da in read (td=0xc5014bd0, uap=0x0) at ../../../kern/sys_generic.c:116 #12 0xc058f87d in syscall (frame=0xd6aaed38) at ../../../i386/i386/trap.c:1008 #13 0xc05811f0 in Xint0x80_syscall () at ../../../i386/i386/exception.s:196 #14 0x281100e8 in ?? () Previous frame inner to this frame (corrupt stack?) (kgdb) up 3 #3 0xc056b21a in relpbuf (bp=0xcceaed30, pfreecnt=0xc05f0f0c) at ../../../vm/vm_pager.c:397 397 KASSERT(bp->b_bufobj == NULL, ("relpbuf with bufobj")); (kgdb) list 392 crfree(bp->b_wcred); 393 bp->b_wcred = NOCRED; 394 } 395 396 KASSERT(bp->b_vp == NULL, ("relpbuf with vp")); 397 KASSERT(bp->b_bufobj == NULL, ("relpbuf with bufobj")); 398 399 BUF_UNLOCK(bp); 400 401 mtx_lock(&pbuf_mtx); (kgdb) print bp $1 = (struct buf *) 0xcceaed30 (kgdb) print *bp $2 = { b_bufobj = 0x0, b_bcount = 0x2000, b_caller1 = 0x0, b_data = 0x804f000 <Address 0x804f000 out of bounds>, b_error = 0x0, b_iocmd = 0x1, b_ioflags = 0x2, b_iooffset = 0x44feb8000, b_resid = 0x0, b_iodone = 0, b_blkno = 0x227f5c0, b_offset = 0x44feb8000, b_bobufs = { tqe_next = 0x0, tqe_prev = 0x0 }, b_left = 0x0, b_right = 0x0, b_vflags = 0x0, b_freelist = { tqe_next = 0xcceb2dd0, tqe_prev = 0xc062caf8 }, b_qindex = 0x0, b_flags = 0x200, b_xflags = 0x0, b_lock = { lk_object = { lo_name = 0xc05b7ad2 "bufwait", lo_type = 0x0, lo_flags = 0x40000, lo_witness_data = { lod_list = { stqe_next = 0x0 }, lod_witness = 0x0 } }, lk_interlock = 0xc0614340, lk_sharecount = 0x0, lk_waitcount = 0x0, lk_exclusivecount = 0x1, lk_prio = 0x50, lk_timo = 0x0, lk_lockholder = 0xc5014bd0, lk_newlock = 0x0 }, b_bufsize = 0x2000, b_runningbufspace = 0x0, b_kvabase = 0xd22bc000 <Address 0xd22bc000 out of bounds>, b_kvasize = 0x20000, b_lblkno = 0x0, b_vp = 0xc325dc90, b_dirtyoff = 0x0, b_dirtyend = 0x1c000, b_rcred = 0x0, b_wcred = 0x0, b_saveaddr = 0x804f000, b_pager = { pg_reqpage = 0x0 }, b_cluster = { cluster_head = { tqh_first = 0xccede2d0, tqh_last = 0xccef3e10 }, cluster_entry = { tqe_next = 0xccede2d0, tqe_prev = 0xccef3e10 } }, b_pages = {0xc137e548, 0xc1344570, 0xc16ac9a0, 0xc1366ab8, 0xc1463058, 0xc1249650, 0xc13548c0, 0xc11ce1e8, 0xc13671c0, 0xc17ca6c0, 0xc1302900, 0xc1371180, 0xc18a2630, 0xc1186ff8, 0xc12bb6c8, 0xc1139dd8, 0xc16a6ec8, 0xc13b99f0, 0xc1305b10, 0xc10e01c8, 0xc136e3f0, 0xc1386540, 0xc188b770, 0xc18704a0, 0xc1552308, 0xc11f12b8, 0xc1207098, 0xc1271598, 0xc13e9d68, 0xc1594b48, 0xc1433748, 0xc134a798}, b_npages = 0x2, b_dep = { lh_first = 0x0 }, b_fsprivate1 = 0x0, b_fsprivate2 = 0x0, b_fsprivate3 = 0x0, b_pin_count = 0x0 } How-To-Repeat: Running the fsx filesystem test in the linuxulator (linux test project version of fsx). This succeeded a lot of times before. The panic started to appear at the start of this year (already reported to current). I just need to run the entire LTP test (see http://wiki.freebsd.org/linux-kernel for more) and at some point it panics.
ffs_rawread_main() should call pbgetvp()/pbrelvp() instead of just setting b_vp directly. A suggested fix is enclosed. - Tor Egge Index: sys/ufs/ffs/ffs_rawread.c =================================================================== RCS file: /home/ncvs/src/sys/ufs/ffs/ffs_rawread.c,v retrieving revision 1.28 diff -u -r1.28 ffs_rawread.c --- sys/ufs/ffs/ffs_rawread.c 5 May 2006 21:27:31 -0000 1.28 +++ sys/ufs/ffs/ffs_rawread.c 21 Jan 2007 00:05:47 -0000 @@ -310,7 +310,7 @@ /* XXX: Leave some bufs for swap */ bp = getpbuf(&ffsrawbufcnt); sa = bp->b_data; - bp->b_vp = vp; + pbgetvp(vp, bp); error = ffs_rawread_readahead(vp, udata, offset, resid, td, bp, sa); if (error != 0) @@ -324,7 +324,7 @@ nbp = NULL; if (nbp != NULL) { nsa = nbp->b_data; - nbp->b_vp = vp; + pbgetvp(vp, nbp); nerror = ffs_rawread_readahead(vp, udata + @@ -337,6 +337,7 @@ nbp, nsa); if (nerror) { + pbrelvp(nbp); relpbuf(nbp, &ffsrawbufcnt); nbp = NULL; } @@ -385,6 +386,7 @@ nsa = tsa; if (resid <= bp->b_bufsize) { /* No more readaheads */ + pbrelvp(nbp); relpbuf(nbp, &ffsrawbufcnt); nbp = NULL; } else { /* Setup next readahead */ @@ -399,6 +401,7 @@ nbp, nsa); if (nerror != 0) { + pbrelvp(nbp); relpbuf(nbp, &ffsrawbufcnt); nbp = NULL; } @@ -413,13 +416,16 @@ } } - if (bp != NULL) + if (bp != NULL) { + pbrelvp(bp); relpbuf(bp, &ffsrawbufcnt); + } if (nbp != NULL) { /* Run down readahead buffer */ spl = splbio(); bwait(nbp, PRIBIO, "rawrd"); splx(spl); vunmapbuf(nbp); + pbrelvp(nbp); relpbuf(nbp, &ffsrawbufcnt); }
Works like a charm. A full LTP run without a panic. Thanks! Bye, Alexander. -- ...and that is how we know the Earth to be banana-shaped. http://www.Leidinger.net Alexander @ Leidinger.net: PGP ID = B0063FE7 http://www.FreeBSD.org netchild @ FreeBSD.org : PGP ID = 72077137
Responsible Changed From-To: freebsd-bugs->tegge Assign to tegge, he provided the fix (works without a problem so far).
tegge 2007-02-04 23:42:02 UTC FreeBSD src repository Modified files: sys/ufs/ffs ffs_rawread.c Log: Call pbgetvp() and pbrelvp() instead of setting b_vp directly. PR: kern/108151 Revision Changes Path 1.29 +9 -3 src/sys/ufs/ffs/ffs_rawread.c _______________________________________________ cvs-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/cvs-all To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
State Changed From-To: open->patched This was committed. To tegge: has this been MFCed?
State Changed From-To: patched->closed Merged to RELENG_6 as 1.25.2.4.