Bug 211531 - Hitting non sleepable lock panic for lock "unp_link_rwlock"
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.3-STABLE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Mark Johnston
Keywords: patch
Reported: 2016-08-02 17:18 UTC by rdarbha
Modified: 2016-08-31 21:36 UTC
Description rdarbha 2016-08-02 17:18:24 UTC
I encountered a double lock issue in the unp_connectat function. After looking at the code, I think the unp_link_rwlock is being locked once in unp_connectat and once again in unp_detach (called from sofree). Below is the exact call stack.


UNP_LINK_WLOCK();         <---------- 1st call
.....
.....
if (so->so_proto->pr_flags & PR_CONNREQUIRED) {
     if (so2->so_options & SO_ACCEPTCONN) {
          CURVNET_SET(so2->so_vnet);
          so3 = sonewconn(so2, 0);
          // Expanding sonewconn
          {
             sonewconn
              {
                   ......
                   soalloc
                   ......
                   pru_attach
                   ......
                   if (!(head->so_options & SO_ACCEPTCONN) &&
                   ((head->so_proto->pr_protocol != IPPROTO_SCTP) ||
                    (head->so_type != SOCK_SEQPACKET))) {
                       ......
                       sofree(so);             /* NB: returns ACCEPT_UNLOCK'ed. */
                       // Expanding sofree
                      {
                        ......
                        pru_detach
                        // Expanding pru_detach
                        {
                             // Recursive wlock acquiring.
                             UNP_LINK_WLOCK()     <---------- 2nd call

------------------------------------------------

Backtrace:
#0  doadump (textdump=1) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/kern_shutdown.c:269
#1  0xffffffff8041084f in kern_reboot (howto=260) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/kern_shutdown.c:452
#2  0xffffffff80410d32 in vpanic (fmt=<value optimized out>, ap=<value optimized out>) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/kern_shutdown.c:759
#3  0xffffffff80410f23 in kassert_panic (fmt=0xffffffff805e4300 "%s: recursing but non-recursive rw %s @ %s:%d\n")
    at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/kern_shutdown.c:647
#4  0xffffffff8040e2c5 in __rw_wlock_hard (c=<value optimized out>, tid=18446735292422403312, file=0x0, line=0)
    at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/kern_rwlock.c:739
#5  0xffffffff8040ed21 in _rw_wlock_cookie (c=<value optimized out>, file=0xffffffff805f4e20 "/.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/uipc_usrreq.c", 
    line=654) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/kern_rwlock.c:267
#6  0xffffffff8049b1c4 in uipc_detach (so=<value optimized out>) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/uipc_usrreq.c:654
#7  0xffffffff80490203 in sofree (so=0xfffff80372dc5000) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/uipc_socket.c:791
#8  0xffffffff80490c21 in sonewconn (head=0xfffff80735e98000, connstatus=0) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/uipc_socket.c:617
#9  0xffffffff80498f79 in unp_connectat (fd=<value optimized out>, so=0xfffff8066ee292e0, nam=<value optimized out>, td=0xfffff803727fb4f0)
    at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/uipc_usrreq.c:1359
#10 0xffffffff8049c0c1 in uipc_connect (so=0xfffff8066ee292e0, nam=0xfffffe085d25d170, td=0xfffff803727fb4f0)
    at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/kern/uipc_usrreq.c:585
#11 0xffffffff83879e5a in clnt_vc_create (so=0xfffff8066ee292e0, raddr=<value optimized out>, prog=100000, vers=3, sendsz=9000, recvsz=9000, intrflag=1)
    at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/rpc/clnt_vc.c:154
#12 0xffffffff8387caa6 in local_rpcb () at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/rpc/rpcb_clnt.c:461
#13 0xffffffff8387cb0d in rpcb_unset (program=0, version=0, nconf=0x0) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/rpc/rpcb_clnt.c:616
#14 0xffffffff8387f57c in svc_unreg (pool=0xfffffe0003d27000, prog=100003, vers=2) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/rpc/svc.c:532
#15 0xffffffff8387f991 in svcpool_destroy (pool=0xfffffe0003d27000) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/rpc/svc.c:204
#16 0xffffffff838c3cf9 in nfsrvd_init (terminating=<value optimized out>) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/fs/nfsserver/nfs_nfsdkrpc.c:539
#17 0xffffffff838c490b in nfsrvd_nfsd (td=<value optimized out>, args=0xfffffe085d25da70)
    at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/fs/nfsserver/nfs_nfsdkrpc.c:516
#18 0xffffffff838d4f9b in nfssvc_nfsd (td=0xfffff803727fb4f0, uap=<value optimized out>)
    at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/fs/nfsserver/nfs_nfsdport.c:3081
#19 0xffffffff838b111b in sys_nfssvc (td=0xfffff803727fb4f0, uap=0xfffffe085d25db70) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/nfs/nfs_nfssvc.c:108
#20 0xffffffff805597a6 in amd64_syscall (td=0xfffff803727fb4f0, traced=0) at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/amd64/amd64/../../kern/subr_syscall.c:145
#21 0xffffffff8053e647 in Xfast_syscall () at /.amd/svl-engdata1vs1/occamdev/build/freebsd/stable_10/20160419.182836_fbsd-builder_10.325814/src/sys/amd64/amd64/exception.S:396
#22 0x0000000800a915fa in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)




I am working on a patch for the fix
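
A user-space model of the call chain in the description above, added here as an illustration; it is not FreeBSD code and not the change committed for this bug. All names (`wlock`, `model_connect_locked`, `model_connect_unlocked`, and so on) are hypothetical, and the second variant shows one generic way to avoid re-entry, not the approach taken in r303855.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy non-recursive write lock; single-threaded model of the recursion check only. */
struct wlock { uintptr_t owner; };   /* 0 means unlocked */
enum { W_OK = 0, W_RECURSED = -1 };
static struct wlock link_lock;       /* stands in for unp_link_rwlock */

static int wlock_acquire(struct wlock *l, uintptr_t tid)
{
    if (l->owner == tid)
        return W_RECURSED;           /* the kernel assertion panics at this point */
    l->owner = tid;
    return W_OK;
}
static void wlock_release(struct wlock *l) { l->owner = 0; }

/* Models the detach step, which takes the link lock itself. */
static int model_detach(uintptr_t tid)
{
    int rc = wlock_acquire(&link_lock, tid);
    if (rc == W_OK)
        wlock_release(&link_lock);
    return rc;
}

/* Models sonewconn: a listener that stopped accepting makes it free the new socket. */
static int model_newconn(int accepting, uintptr_t tid)
{
    return accepting ? W_OK : model_detach(tid);
}

/* Reported pattern: link lock held across the call that may free and detach. */
int model_connect_locked(int accepting, uintptr_t tid)
{
    wlock_acquire(&link_lock, tid);
    int rc = model_newconn(accepting, tid);
    wlock_release(&link_lock);
    return rc;
}

/* Generic alternative (assumption, not r303855): unlock before that call. */
int model_connect_unlocked(int accepting, uintptr_t tid)
{
    wlock_acquire(&link_lock, tid);  /* lookups needing the lock go here */
    wlock_release(&link_lock);
    return model_newconn(accepting, tid);
}

int main(void) { printf("%d %d\n", model_connect_locked(0, 1), model_connect_unlocked(0, 1)); return 0; }
```

The locked variant only trips the check when the listener has stopped accepting, which is why the panic depends on timing against a listening-socket close.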
Comment 1 rdarbha 2016-08-02 20:08:39 UTC
Can someone please review this?

https://reviews.freebsd.org/D7398
Comment 2 Mark Johnston freebsd_committer freebsd_triage 2016-08-08 20:30:46 UTC
Fixed with r303855.
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-08-09 11:37:56 UTC
A commit references this bug:

Author: pho
Date: Tue Aug  9 11:37:08 UTC 2016
New revision: 303871
URL: https://svnweb.freebsd.org/changeset/base/303871

Log:
  Added a regression test.

  PR:		211531
  Submitted by:	markj
  Sponsored by:	EMC / Isilon Storage Division

Changes:
  user/pho/stress2/misc/unix_socket_detach.sh
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-08-31 21:36:06 UTC
A commit references this bug:

Author: markj
Date: Wed Aug 31 21:35:12 UTC 2016
New revision: 305159
URL: https://svnweb.freebsd.org/changeset/base/305159

Log:
  MFC r303855:
  Handle races with listening socket close when connecting a unix socket.

  PR:	211531

Changes:
_U  stable/11/
  stable/11/sys/kern/uipc_usrreq.c
  stable/11/sys/sys/unpcb.h
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-08-31 21:36:07 UTC
A commit references this bug:

Author: markj
Date: Wed Aug 31 21:35:51 UTC 2016
New revision: 305161
URL: https://svnweb.freebsd.org/changeset/base/305161

Log:
  MFC 303855:
  Handle races with listening socket close when connecting a unix socket.

  PR:	211531

Changes:
_U  stable/10/
  stable/10/sys/kern/uipc_usrreq.c
  stable/10/sys/sys/unpcb.h