kern/63662: Using read-only NULLFS leads to panic. gdb output included, easy to reproduce.

Paweł Małachowski pawmal-posting at freebsd.lublin.pl
Tue Mar 2 13:40:05 PST 2004


>Number:         63662
>Category:       kern
>Synopsis:       Using read-only NULLFS leads to panic. gdb output included, easy to reproduce.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 02 13:40:04 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Pawel Malachowski
>Release:        FreeBSD 4.7-RELEASE-p25 i386
>Organization:
ZiN
>Environment:
RELENG_4

	
>Description:
I know NULLFS is documented as broken and incoming PRs are usually put
in the suspended state, awaiting a patch.
However, there are people claiming that using NULLFS in read-only mode
is safe. It seems they are wrong.

I'm not too familiar with debugging, however I decided to use my free
time and try to provide more than a backtrace, in the hope that someone will
take a look at this for a while (maybe it is trivial to fix?).


Environment:
(A) FreeBSD 4.9-RELEASE, null.ko.
(B) FreeBSD 4.9-STABLE, NULLFS, almost GENERIC (+IPFIREWALL, IPFILTER...)
(C) FreeBSD 4.8-RELEASE, GENERIC, nullfs.ko (+ipfw.ko)

The original problem touched me on machine A:
% mount | grep -c 'null, local, read-only'
23
It usually comes at night, when cron is doing its job, especially
periodic tasks.

However, I took machine B (completely different, pure routing) and C
(GENERIC+debug), and successfully reproduced this crash with an identical
backtrace this way:
mount_null -o ro /usr/ports /mnt/1
mount_null -o ro /usr/ports /mnt/2
mount_null -o ro /usr/ports /mnt/3
find /usr/ports -type f -perm -u+s &
find /usr/ports -type f -perm -u+s &
...
find /mnt/1 -type f -perm -u+s &
find /mnt/1 -type f -perm -u+s &
...
find /mnt/2 -type f -perm -u+s &
find /mnt/2 -type f -perm -u+s &
...

(Machine C crashed after a few minutes).


(C)
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc0255ab7
stack pointer           = 0x10:0xcbb38e90
frame pointer           = 0x10:0xcbb38ea4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 58363 (find)
interrupt mask          = none
trap number             = 12
panic: page fault

syncing disks... 65 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
giving up on 1 buffers
Uptime: 24d9h54m57s
(kgdb) add-symbol-file /sys/modules/nullfs/null.ko 0xC1424388
add symbol table from file "/sys/modules/nullfs/null.ko" at text_addr = 0xc1424388?
(y or n) y
Reading symbols from /sys/modules/nullfs/null.ko...done.
(kgdb) bt
#0  dumpsys () at ../../kern/kern_shutdown.c:487
#1  0xc0227653 in boot (howto=256) at ../../kern/kern_shutdown.c:316
#2  0xc0227a78 in poweroff_wait (junk=0xc0421bec, howto=-1069410545)
    at ../../kern/kern_shutdown.c:595
#3  0xc03a522e in trap_fatal (frame=0xcbb38e50, eva=4)
    at ../../i386/i386/trap.c:974
#4  0xc03a4f01 in trap_pfault (frame=0xcbb38e50, usermode=0, eva=4)
    at ../../i386/i386/trap.c:867
#5  0xc03a4abf in trap (frame={tf_fs = 65552, tf_es = 16842768,
      tf_ds = -877461488, tf_edi = -877520608, tf_esi = -875975552,
      tf_ebp = -877424988, tf_isp = -877425028, tf_ebx = 0, tf_edx = 6,
      tf_ecx = -877520608, tf_eax = -877520608, tf_trapno = 12, tf_err = 0,
      tf_eip = -1071293769, tf_cs = 8, tf_eflags = 66178, tf_esp = -1054023424,
      tf_ss = 58363}) at ../../i386/i386/trap.c:466
#6  0xc0255ab7 in vput (vp=0x0) at ../../kern/vfs_subr.c:1608
#7  0xc14252e2 in null_inactive (ap=0xcbb38ee4)
    at /usr/src/sys/modules/nullfs/../../miscfs/nullfs/null_vnops.c:728
#8  0xc0255a57 in vrele (vp=0xcbc9ac80) at vnode_if.h:815
#9  0xc0257e47 in fchdir (p=0xcbb21920, uap=0xcbb38f80)
    at ../../kern/vfs_syscalls.c:842
#10 0xc03a54dd in syscall2 (frame={tf_fs = 134545455, tf_es = 47,
      tf_ds = -1078001617, tf_edi = 134626560, tf_esi = 5, tf_ebp = -1077938908,
      tf_isp = -877424684, tf_ebx = 672079852, tf_edx = 134561920,
      tf_ecx = 672154432, tf_eax = 13, tf_trapno = 7, tf_err = 2,
      tf_eip = 671764044, tf_cs = 31, tf_eflags = 663, tf_esp = -1077939048,
      tf_ss = 47}) at ../../i386/i386/trap.c:1175
#11 0xc03962f5 in Xint0x80_syscall ()
#12 0x280a074d in ?? ()
(kgdb) frame 0
#0  dumpsys () at ../../kern/kern_shutdown.c:487
487             if (dumping++) {
(kgdb) up 6
#6  0xc0255ab7 in vput (vp=0x0) at ../../kern/vfs_subr.c:1608
1608            struct proc *p = curproc;       /* XXX */
(kgdb) l
1603
1604    void
1605    vput(vp)
1606            struct vnode *vp;
1607    {
1608            struct proc *p = curproc;       /* XXX */
1609
1610            KASSERT(vp != NULL, ("vput: null vp"));
1611
1612            simple_lock(&vp->v_interlock);
(kgdb) p vp
$1 = (struct vnode *) 0x0
(kgdb) up
#7  0xc14252e2 in null_inactive (ap=0xcbb38ee4)
    at /usr/src/sys/modules/nullfs/../../miscfs/nullfs/null_vnops.c:728
728             vput(lowervp);
(kgdb) l
723             if (vp->v_vnlock != NULL) {
724                     vp->v_vnlock = &xp->null_lock;  /* we no longer share the lock */
725             } else
726                     VOP_UNLOCK(vp, LK_THISLAYER, p);
727
728             vput(lowervp);
729             /*
730              * Now it is safe to drop references to the lower vnode.
731              * VOP_INACTIVE() will be called by vrele() if necessary.
732              */
(kgdb) p lowervp
$2 = (struct vnode *) 0x0
(kgdb) l -
713             struct vnode *vp = ap->a_vp;
714             struct proc *p = ap->a_p;
715             struct null_node *xp = VTONULL(vp);
716             struct vnode *lowervp = xp->null_lowervp;
717
718             lockmgr(&null_hashlock, LK_EXCLUSIVE, NULL, p);
719             LIST_REMOVE(xp, null_hash);
720             lockmgr(&null_hashlock, LK_RELEASE, NULL, p);
721
722             xp->null_lowervp = NULLVP;
(kgdb) p *xp
$4 = {null_lock = {lk_interlock = {lock_data = -1054640128}, lk_flags = 64,
    lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 0, lk_prio = 8,
    lk_wmesg = 0xc142548d "nullnode", lk_timo = 0, lk_lockholder = -1},
  null_vnlock = 0x0, null_hash = {le_next = 0x0, le_prev = 0xc12c4de4},
  null_lowervp = 0x0, null_vnode = 0xcbc9ac80}
(kgdb) p xp->null_lowervp
$5 = (struct vnode *) 0x0
(kgdb) p vp
$7 = (struct vnode *) 0xcbc9ac80
(kgdb) p vp->v_data
$8 = (void *) 0xc12ce100
(kgdb) p (struct null_node) vp->v_data
$10 = {null_lock = {lk_interlock = {lock_data = -1054023424}, lk_flags = 0,
    lk_sharecount = 0, lk_waitcount = -875975424, lk_exclusivecount = -21376,
    lk_prio = -13367, lk_wmesg = 0x0, lk_timo = 0, lk_lockholder = 0},
  null_vnlock = 0x0, null_hash = {le_next = 0x0, le_prev = 0x0},
  null_lowervp = 0x0, null_vnode = 0x0}
(kgdb) p ((struct null_node)vp->v_data)->null_lowervp
$11 = (struct vnode *) 0x0
(kgdb) up
#9  0xc0257e47 in fchdir (p=0xcbb21920, uap=0xcbb38f80)
    at ../../kern/vfs_syscalls.c:842
842             vrele(fdp->fd_cdir);
(kgdb) l
837             if (error) {
838                     vput(vp);
839                     return (error);
840             }
841             VOP_UNLOCK(vp, 0, p);
842             vrele(fdp->fd_cdir);
843             fdp->fd_cdir = vp;
844             return (0);
845     }
846
(kgdb) p (struct null_node) fdp->fd_cdir->v_data
$16 = {null_lock = {lk_interlock = {lock_data = -1054023424}, lk_flags = 0,
    lk_sharecount = 0, lk_waitcount = -875975424, lk_exclusivecount = -21376,
    lk_prio = -13367, lk_wmesg = 0x0, lk_timo = 0, lk_lockholder = 0},
  null_vnlock = 0x0, null_hash = {le_next = 0x0, le_prev = 0x0},
  null_lowervp = 0x0, null_vnode = 0x0}
(kgdb) l fchdir
806     fchdir(p, uap)
807             struct proc *p;
808             struct fchdir_args /* {
809                     syscallarg(int) fd;
810             } */ *uap;
811     {
812             register struct filedesc *fdp = p->p_fd;
813             struct vnode *vp, *tdp;
814             struct mount *mp;
815             struct file *fp;
(kgdb) p (struct null_node) p->p_fd->fd_cdir->v_data
$20 = {null_lock = {lk_interlock = {lock_data = -1054023424}, lk_flags = 0,
    lk_sharecount = 0, lk_waitcount = -875975424, lk_exclusivecount = -21376,
    lk_prio = -13367, lk_wmesg = 0x0, lk_timo = 0, lk_lockholder = 0},
  null_vnlock = 0x0, null_hash = {le_next = 0x0, le_prev = 0x0},
  null_lowervp = 0x0, null_vnode = 0x0}
(kgdb) p *p
$22 = {p_procq = {tqe_next = 0xcbb20f60, tqe_prev = 0xc04a97d0}, p_list = {
    le_next = 0xcbb20f60, le_prev = 0xc04a9778}, p_cred = 0xc0f731e0,
  p_fd = 0xc10ee500, p_stats = 0xcbb36cd0, p_limit = 0xc11e9e00,
  p_upages_obj = 0xc049b5c0, p_procsig = 0xc1387880, p_flag = 16390,
  p_stat = 2 '\002', p_pad1 = "\000\000", p_pid = 58363, p_hash = {le_next = 0x0,
    le_prev = 0xc0a815ec}, p_pglist = {le_next = 0x0, le_prev = 0xc13ecc28},
  p_pptr = 0xcbb1fd80, p_sibling = {le_next = 0xcbb20f60, le_prev = 0xcbb1fdd0},
  p_children = {lh_first = 0x0}, p_ithandle = {callout = 0xc2befd50}, p_oppid = 0,
  p_dupfd = 0, p_vmspace = 0xcbb52880, p_estcpu = 295, p_cpticks = 75,
  p_pctcpu = 1182, p_wchan = 0x0, p_wmesg = 0xc04113ea "inode", p_swtime = 54,
  p_slptime = 0, p_realtimer = {it_interval = {tv_sec = 0, tv_usec = 0},
    it_value = {tv_sec = 0, tv_usec = 0}}, p_runtime = 5487340, p_uu = 0,
  p_su = 136, p_iu = 0, p_uticks = 99, p_sticks = 2561, p_iticks = 7,
  p_traceflag = 0, p_tracep = 0x0, p_siglist = {__bits = {0, 0, 0, 0}},
  p_textvp = 0xcb96f300, p_lock = 0 '\000', p_oncpu = 0 '\000',
  p_lastcpu = 0 '\000', p_rqindex = 2 '\002', p_locks = -175, p_simple_locks = 0,
  p_stops = 0, p_stype = 0, p_step = 0 '\000', p_pfsflags = 0 '\000',
  p_pad3 = "\000", p_retval = {0, 134561920}, p_sigiolst = {slh_first = 0x0},
  p_sigparent = 20, p_oldsigmask = {__bits = {0, 0, 0, 0}}, p_sig = 0, p_code = 0,
  p_klist = {slh_first = 0x0}, p_sigmask = {__bits = {0, 0, 0, 0}}, p_sigstk = {
    ss_sp = 0x0, ss_size = 0, ss_flags = 4}, p_priority = 8 '\b',
  p_usrpri = 86 'V', p_nice = 0 '\000',
  p_comm = "find\000n\000\000\000\000\000\000\000\000\000\000",
  p_pgrp = 0xc13ecc20, p_sysent = 0xc044b420, p_rtprio = {type = 1, prio = 0},
  p_prison = 0x0, p_args = 0xc12dc300, p_addr = 0xcbb36000, p_md = {
    md_regs = 0xcbb38fa8}, p_xstat = 0, p_acflag = 2, p_ru = 0x0, p_nthreads = 0,
  p_aioinfo = 0x0, p_wakeup = 0, p_peers = 0x0, p_leader = 0xcbb21920, p_asleep = {
    as_priority = 0, as_timo = 0}, p_emuldata = 0x0}
(kgdb)

Why is null_lowervp NULL? It may be significant that the problem
appears when I search non-null /usr/ports and null /mnt/x at
the same time.

It may also be interesting that on machine B there were about 30 find(1)
processes around at one time, and all of them were stuck in the inode state,
becoming zombies. Also, new processes were not able to go into /usr/ports
(`cd /usr/ports' -> frozen shell). After performing reboot(8) the machine
failed to reboot because of these inode-state processes. A power-off/on
cycle was necessary...



Other panic messages:

(A, this _one_ is less common)
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc02766eb
stack pointer           = 0x10:0xe9589dd0
frame pointer           = 0x10:0xe9589de4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 80250 (cron)
interrupt mask          = none
trap number             = 12
panic: page fault

syncing disks... 28 3 1 1 1 1 1 1 1 3 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
giving up on 1 buffers
Uptime: 2d20h42m48s
(kgdb) add-symbol-file /sys/modules/nullfs/null.ko 0xC3811390
add symbol table from file "/sys/modules/nullfs/null.ko" at text_addr = 0xc3811390?
(y or n) y
Reading symbols from /sys/modules/nullfs/null.ko...done.
(kgdb) bt
#0  dumpsys () at ../../kern/kern_shutdown.c:487
#1  0xc0247b4b in boot (howto=256) at ../../kern/kern_shutdown.c:316
#2  0xc0247f70 in poweroff_wait (junk=0xc044a62c, howto=-1069244113)
    at ../../kern/kern_shutdown.c:595
#3  0xc03c2dba in trap_fatal (frame=0xe9589d90, eva=4)
    at ../../i386/i386/trap.c:974
#4  0xc03c2a8d in trap_pfault (frame=0xe9589d90, usermode=0, eva=4)
    at ../../i386/i386/trap.c:867
#5  0xc03c264b in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
      tf_edi = -388392512, tf_esi = -374358784, tf_ebp = -380068380,
      tf_isp = -380068420, tf_ebx = 0, tf_edx = 6, tf_ecx = -388392512,
      tf_eax = -388392512, tf_trapno = 12, tf_err = 0, tf_eip = -1071159573,
      tf_cs = 8, tf_eflags = 66182, tf_esp = -1007055424, tf_ss = 80250})
    at ../../i386/i386/trap.c:466
#6  0xc02766eb in vput (vp=0x0) at ../../kern/vfs_subr.c:1629
#7  0xc38122ea in null_inactive (ap=0xe9589e24)
    at /src/sys/modules/nullfs/../../miscfs/nullfs/null_vnops.c:728
#8  0xc027668b in vrele (vp=0xe9afbd00) at vnode_if.h:815
#9  0xc027cf23 in vn_close (vp=0xe9afbd00, flags=1, cred=0xc54d3100, p=0xe8d999c0)
    at ../../kern/vfs_vnops.c:235
#10 0xc027d843 in vn_closefile (fp=0xc4f78ac0, p=0xe8d999c0)
    at ../../kern/vfs_vnops.c:693
#11 0xc023d6c3 in fdrop (fp=0xc4f78ac0, p=0xe8d999c0) at ../../sys/file.h:218
#12 0xc023d60c in closef (fp=0xc4f78ac0, p=0xe8d999c0)
    at ../../kern/kern_descrip.c:1441
#13 0xc023c743 in close (p=0xe8d999c0, uap=0xe9589f80)
    at ../../kern/kern_descrip.c:623
#14 0xc03c3069 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
      tf_edi = 134574392, tf_esi = 1, tf_ebp = -1077941168, tf_isp = -380067884,
      tf_ebx = 672113388, tf_edx = 134574080, tf_ecx = 134574080, tf_eax = 6,
      tf_trapno = 12, tf_err = 2, tf_eip = 672066564, tf_cs = 31, tf_eflags = 643,
      tf_esp = -1077941212, tf_ss = 47}) at ../../i386/i386/trap.c:1175
#15 0xc03b40e5 in Xint0x80_syscall ()
#16 0x280df523 in ?? ()
(kgdb) up 6
#6  0xc02766eb in vput (vp=0x0) at ../../kern/vfs_subr.c:1629
1629            struct proc *p = curproc;       /* XXX */
(kgdb) l
1624
1625    void
1626    vput(vp)
1627            struct vnode *vp;
1628    {
1629            struct proc *p = curproc;       /* XXX */
1630
1631            KASSERT(vp != NULL, ("vput: null vp"));
1632
1633            simple_lock(&vp->v_interlock);
(kgdb) p vp
$1 = (struct vnode *) 0x0
(kgdb) p (struct null_node) vp->v_data
$2 = {null_lock = {lk_interlock = {lock_data = -1007055424}, lk_flags = 0,
    lk_sharecount = 0, lk_waitcount = -374358656, lk_exclusivecount = -17152,
    lk_prio = -5713, lk_wmesg = 0x0, lk_timo = 0, lk_lockholder = 0},
  null_vnlock = 0x0, null_hash = {le_next = 0x0, le_prev = 0x0},
  null_lowervp = 0x0, null_vnode = 0x0}
(kgdb) up
#9  0xc027cf23 in vn_close (vp=0xe9afbd00, flags=1, cred=0xc54d3100, p=0xe8d999c0)
    at ../../kern/vfs_vnops.c:235
235             vrele(vp);
(kgdb) l
230             int error;
231
232             if (flags & FWRITE)
233                     vp->v_writecount--;
234             error = VOP_CLOSE(vp, flags, cred, p);
235             vrele(vp);
236             return (error);
237     }
238
239     static __inline
(kgdb) up
#10 0xc027d843 in vn_closefile (fp=0xc4f78ac0, p=0xe8d999c0)
    at ../../kern/vfs_vnops.c:693
693             return (vn_close(((struct vnode *)fp->f_data), fp->f_flag,
(kgdb) l
688             struct file *fp;
689             struct proc *p;
690     {
691
692             fp->f_ops = &badfileops;
693             return (vn_close(((struct vnode *)fp->f_data), fp->f_flag,
694                     fp->f_cred, p));
695     }
696
697     static int
(kgdb) p (struct vnode) fp->f_data
$11 = {v_flag = 3920608512, v_usecount = 0, v_writecount = 0,
  v_holdcnt = 858863156, v_id = 0, v_mount = 0x0, v_op = 0xc34adbc8, v_freelist = {
    tqe_next = 0xc4fe7c00, tqe_prev = 0xc3fa04c8}, v_nmntvnodes = {tqe_next = 0x0,
    tqe_prev = 0xe9032180}, v_cleanblkhd = {tqh_first = 0xe905a680,
    tqh_last = 0xe9032100}, v_dirtyblkhd = {tqh_first = 0x33730a00,
    tqh_last = 0x6d373639}, v_synclist = {le_next = 0x67706a2e, le_prev = 0x0},
  v_numoutput = -385670912, v_type = VNON, v_un = {vu_mountedhere = 0x0,
    vu_socket = 0x0, vu_spec = {vu_specinfo = 0x0, vu_specnext = {
        sle_next = 0x67616d00}}, vu_fifoinfo = 0x0}, v_lease = 0x0,
  v_lastw = -1018520864, v_cstart = 0, v_lasta = -994427576, v_clen = -986729152,
  v_object = 0xc3e98450, v_interlock = {lock_data = -374519936}, v_vnlock = 0x0,
  v_tag = 1747847424, v_data = 0x63636174, v_cache_src = {lh_first = 0x737365},
  v_cache_dst = {tqh_first = 0x0, tqh_last = 0x0}, v_dd = 0x0,
  v_ddid = 1747873904, v_pollinfo = {vpi_lock = {lock_data = 1093599266},
    vpi_selinfo = {si_pid = 0, si_note = {slh_first = 0xc3a6fd00},
      si_flags = 4352}, vpi_events = -28088, vpi_revents = -15367}, v_vxproc = 0x0}
(kgdb)  p (struct null_node)((struct vnode) fp->f_data)->v_data
$13 = {null_lock = {lk_interlock = {lock_data = 1667457396}, lk_flags = 7566181,
    lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 0, lk_prio = 0,
    lk_wmesg = 0x682e7070 <Address 0x682e7070 out of bounds>,
    lk_timo = 1093599266, lk_lockholder = 0}, null_vnlock = 0xc3a6fd00,
  null_hash = {le_next = 0xc4b71100, le_prev = 0xc3f99248}, null_lowervp = 0x0,
  null_vnode = 0xe9baaf80}
(kgdb) up
#12 0xc023d60c in closef (fp=0xc4f78ac0, p=0xe8d999c0)
    at ../../kern/kern_descrip.c:1441
1441            return (fdrop(fp, p));
(kgdb) l
1436                                            wakeup(fdtol);
1437                                    }
1438                            }
1439                    }
1440            }
1441            return (fdrop(fp, p));
1442    }
1443
1444    int
1445    fdrop(fp, p)
(kgdb)  p (struct null_node)((struct vnode) fp->f_data)->v_data
$15 = {null_lock = {lk_interlock = {lock_data = 1667457396}, lk_flags = 7566181,
    lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 0, lk_prio = 0,
    lk_wmesg = 0x682e7070 <Address 0x682e7070 out of bounds>,
    lk_timo = 1093599266, lk_lockholder = 0}, null_vnlock = 0xc3a6fd00,
  null_hash = {le_next = 0xc4b71100, le_prev = 0xc3f99248}, null_lowervp = 0x0,
  null_vnode = 0xe9baaf80}
(kgdb) up
#13 0xc023c743 in close (p=0xe8d999c0, uap=0xe9589f80)
    at ../../kern/kern_descrip.c:623
623             error = closef(fp, p);
(kgdb) l
618                     fdp->fd_lastfile--;
619             if (fd < fdp->fd_freefile)
620                     fdp->fd_freefile = fd;
621             if (fd < fdp->fd_knlistsize)
622                     knote_fdclose(p, fd);
623             error = closef(fp, p);
624             if (holdleaders) {
625                     fdp->fd_holdleaderscount--;
626                     if (fdp->fd_holdleaderscount == 0 &&
627                         fdp->fd_holdleaderswakeup != 0) {
(kgdb)  p (struct null_node)((struct vnode) fp->f_data)->v_data
$18 = {null_lock = {lk_interlock = {lock_data = 1667457396}, lk_flags = 7566181,
    lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 0, lk_prio = 0,
    lk_wmesg = 0x682e7070 <Address 0x682e7070 out of bounds>,
    lk_timo = 1093599266, lk_lockholder = 0}, null_vnlock = 0xc3a6fd00,
  null_hash = {le_next = 0xc4b71100, le_prev = 0xc3f99248}, null_lowervp = 0x0,
  null_vnode = 0xe9baaf80}
(kgdb) up
#14 0xc03c3069 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
      tf_edi = 134574392, tf_esi = 1, tf_ebp = -1077941168, tf_isp = -380067884,
      tf_ebx = 672113388, tf_edx = 134574080, tf_ecx = 134574080, tf_eax = 6,
      tf_trapno = 12, tf_err = 2, tf_eip = 672066564, tf_cs = 31, tf_eflags = 643,
      tf_esp = -1077941212, tf_ss = 47}) at ../../i386/i386/trap.c:1175
1175            error = (*callp->sy_call)(p, args);



(A)
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc02766eb
stack pointer           = 0x10:0xe8dcfe90
frame pointer           = 0x10:0xe8dcfea4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 91056 (find)
interrupt mask          = none
trap number             = 12
panic: page fault

syncing disks... 73 27 1 1 1 1 1 1 1 5 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
giving up on 1 buffers
Uptime: 5d8h9m51s
(kgdb) bt
#0  dumpsys () at ../../kern/kern_shutdown.c:487
#1  0xc0247b4b in boot (howto=256) at ../../kern/kern_shutdown.c:316
#2  0xc0247f70 in poweroff_wait (junk=0xc044a62c, howto=-1069244113)
    at ../../kern/kern_shutdown.c:595
#3  0xc03c2dba in trap_fatal (frame=0xe8dcfe50, eva=4)
    at ../../i386/i386/trap.c:974
#4  0xc03c2a8d in trap_pfault (frame=0xe8dcfe50, usermode=0, eva=4)
    at ../../i386/i386/trap.c:867
#5  0xc03c264b in trap (frame={tf_fs = 16, tf_es = 16, tf_ds = 16,
      tf_edi = -388593440, tf_esi = -373419328, tf_ebp = -388170076,
      tf_isp = -388170116, tf_ebx = 0, tf_edx = 6, tf_ecx = -388593440,
      tf_eax = -388593440, tf_trapno = 12, tf_err = 0, tf_eip = -1071159573,
      tf_cs = 8, tf_eflags = 66178, tf_esp = -1013564992, tf_ss = 91056})
    at ../../i386/i386/trap.c:466
#6  0xc02766eb in vput (vp=0x0) at ../../kern/vfs_subr.c:1629
#7  0xc38262ea in ?? ()
#8  0xc027668b in vrele (vp=0xe9be12c0) at vnode_if.h:815
#9  0xc0278a83 in fchdir (p=0xe8d688e0, uap=0xe8dcff80)
    at ../../kern/vfs_syscalls.c:843
#10 0xc03c3069 in syscall2 (frame={tf_fs = 47, tf_es = 47, tf_ds = 47,
      tf_edi = 134623232, tf_esi = 5, tf_ebp = -1077937660, tf_isp = -388169772,
      tf_ebx = 672080620, tf_edx = 134557696, tf_ecx = 672155200, tf_eax = 13,
      tf_trapno = 7, tf_err = 2, tf_eip = 671764800, tf_cs = 31, tf_eflags = 659,
      tf_esp = -1077937800, tf_ss = 47}) at ../../i386/i386/trap.c:1175
#11 0xc03b40e5 in Xint0x80_syscall ()
#12 0x280a0a41 in ?? ()




(B)
Fatal trap 12: page fault while in kernel mode
fault virtual address   = 0x4
fault code              = supervisor read, page not present
instruction pointer     = 0x8:0xc02766eb
stack pointer           = 0x10:0xe8dcfe90
frame pointer           = 0x10:0xe8dcfea4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 91056 (find)
interrupt mask          = none
trap number             = 12
panic: page fault
syncing disks... 73 27 1 1 1 1 1 1 1 5 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
giving up on 1 buffers
Uptime: 5d8h9m51s



(B)
instruction pointer     = 0x8:0xc0269bc7
stack pointer           = 0x10:0xd5d45e90
frame pointer           = 0x10:0xd5d45ea4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 558 (find)
interrupt mask          = none
trap number             = 12
panic: page fault
syncing disks... 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
giving up on 1 buffers
Uptime: 21m42s


>How-To-Repeat:

mount_null -o ro /usr/ports /mnt/1
mount_null -o ro /usr/ports /mnt/2
mount_null -o ro /usr/ports /mnt/3
find /usr/ports -type f -perm -u+s &
find /usr/ports -type f -perm -u+s &
...
find /mnt/1 -type f -perm -u+s &
find /mnt/1 -type f -perm -u+s &
...
find /mnt/2 -type f -perm -u+s &
find /mnt/2 -type f -perm -u+s &
...

>Fix:

Unknown.

>Release-Note:
>Audit-Trail:
>Unformatted:
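
Added example, not part of the PR: a small C model of the null_inactive()
path quoted above, written to make the reporter's question ("Why is
null_lowervp NULL?") concrete. In the listing, lowervp is copied from
xp->null_lowervp at line 716 before line 722 sets the field to NULLVP, so
vput(lowervp) at line 728 can only see a NULL pointer if the node's lower
pointer was already NULL when null_inactive() was entered, i.e. the node had
been through inactive once before (the dump's `p *xp`, with null_lowervp = 0x0
and null_hash le_next = 0x0, is exactly the post-inactive state). The model
drives a second inactive call directly and shows the original sequence hitting
vput(NULL), while a variant with an added entry check (an assumption for
illustration, not a fix from the FreeBSD tree) reports the double call
instead. The structs, refcounts and names are simplified stand-ins, and
nothing here says how the second call arose on the reporter's machines.

```c
/*
 * Toy model of the null_inactive() path quoted in this PR (null_vnops.c
 * lines 713-728).  Added example, not kernel code: structs and refcount
 * handling are simplified stand-ins, and the "hardened" branch is an
 * assumed check, not a fix taken from the FreeBSD tree.
 */
#include <errno.h>
#include <stdio.h>

struct vnode;

struct null_node {
	struct vnode *null_lowervp;	/* lower-layer vnode; NULLVP once inactivated */
	struct vnode *null_vnode;	/* back pointer to the nullfs vnode */
	int null_in_hash;		/* stands in for the null_hash list linkage */
};

struct vnode {
	int v_usecount;
	void *v_data;			/* struct null_node * for a nullfs vnode */
};

#define NULLVP		((struct vnode *)NULL)
#define VTONULL(vp)	((struct null_node *)(vp)->v_data)

/*
 * Times vput() was handed a NULL vnode.  In a 4.x kernel without
 * options INVARIANTS the KASSERT is compiled out and the first field
 * access faults; fault address 0x4 in the trap messages matches the
 * offset of v_usecount, the second field of the struct vnode dumped above.
 */
static int panics;

static void
vput(struct vnode *vp)
{
	if (vp == NULL) {
		panics++;		/* KASSERT(vp != NULL, ("vput: null vp")) */
		return;
	}
	vp->v_usecount--;
}

/*
 * Mirrors the quoted null_inactive(): lowervp is read out of the node
 * (line 716) before the node's pointer is cleared (line 722), so line 728
 * can only call vput(NULL) if null_lowervp was NULL already on entry.
 * With `hardened` set that case is detected instead of dereferenced.
 */
static int
null_inactive(struct vnode *vp, int hardened, int *detected)
{
	struct null_node *xp = VTONULL(vp);
	struct vnode *lowervp = xp->null_lowervp;	/* line 716 */

	if (hardened && lowervp == NULLVP) {
		(*detected)++;		/* assumed check: already inactivated */
		return (EINVAL);
	}
	xp->null_in_hash = 0;		/* LIST_REMOVE(xp, null_hash), line 719 */
	xp->null_lowervp = NULLVP;	/* line 722 */
	vput(lowervp);			/* line 728: faults when lowervp == NULL */
	return (0);
}

struct result {
	int panics;			/* simulated vput(NULL) hits */
	int detected;			/* double-inactive calls caught (hardened) */
	int lowervp_null_after_first;	/* matches `p xp->null_lowervp` -> 0x0 */
	int hash_removed_after_first;	/* matches le_next = 0x0 in `p *xp` */
};

/*
 * Drive VOP_INACTIVE twice on one null node.  The state after the first
 * call (lower pointer NULL, hash entry gone) is what the dump shows on
 * entry to the fatal call; how the second call arises is not established
 * by this PR, so the model simply issues it.
 */
struct result
simulate(int hardened)
{
	struct vnode lower = { .v_usecount = 1, .v_data = NULL };
	struct null_node xp = { .null_lowervp = &lower, .null_in_hash = 1 };
	struct vnode upper = { .v_usecount = 0, .v_data = &xp };
	struct result r = { 0, 0, 0, 0 };

	xp.null_vnode = &upper;
	panics = 0;

	(void)null_inactive(&upper, hardened, &r.detected);	/* legitimate */
	r.lowervp_null_after_first = (xp.null_lowervp == NULLVP);
	r.hash_removed_after_first = (xp.null_in_hash == 0);

	(void)null_inactive(&upper, hardened, &r.detected);	/* second call */
	r.panics = panics;
	return (r);
}

int
main(void)
{
	struct result orig = simulate(0), hard = simulate(1);

	printf("original: panics=%d\n", orig.panics);
	printf("hardened: panics=%d detected=%d\n", hard.panics, hard.detected);
	return (0);
}
```

Build with `cc -o nullmodel nullmodel.c && ./nullmodel`; the original
sequence reports one simulated panic on the second call, the hardened one
reports none and one detected double call. The point of the check is
only to turn the crash into something observable; on the real machines the
interesting question remains what brought the null vnode back to life with
its lower pointer already cleared.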