kern/89102: [geom_vfs] panic when forced unmount FS from unplugged device

Andrey V. Elsukov bu7cher at yandex.ru
Wed Nov 16 05:50:18 GMT 2005


>Number:         89102
>Category:       kern
>Synopsis:       [geom_vfs] panic when forced unmount FS from unplugged device
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 16 05:50:17 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Andrey V. Elsukov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
	7.0-CURRENT
>Description:
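The system panics when I try to force-unmount a file system from a flash
device that has already been unplugged.
In the attached kgdb session the fault is a read of address 0xdeadc0de in
strlen(), reached from xpt_print_path() via dacleanup() and daclose(); that
value looks like a freed-memory fill pattern, which would suggest the unmount
path is using CAM state that was already freed when the device was detached.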
>How-To-Repeat:
Always reproducible.
>Fix:

--- umount_detached_device.txt begins here ---
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
g_vfs_done():da0s1[WRITE(offset=17408, length=4096)]error = 6
g_vfs_done():da0s1[WRITE(offset=17408, length=4096)]error = 6
fsync: giving up on dirty
0xc1815aa0: tag devfs, type VCHR
    usecount 1, writecount 0, refcount 126 mountedhere 0xc1802800
    flags ()
    v_object 0xc1813ce4 ref 0 pages 123
    
	dev da0s1
(da0:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0xdeadc0de
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc069aef8
stack pointer	        = 0x28:0xccad1740
frame pointer	        = 0x28:0xccad1740
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 513 (umount)
panic: from debugger
cpuid = 0
Uptime: 2m44s
Dumping 127 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 127MB (32512 pages) 112 96 80 64 48 32 16

#0  doadump () at pcpu.h:165
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc06389c0 in boot (howto=260)
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/kern_shutdown.c:399
#2  0xc0638cd5 in panic (fmt=0xc082fec8 "from debugger")
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/kern_shutdown.c:555
#3  0xc04697b1 in db_panic (addr=-1066815752, have_addr=0, count=-1, 
    modif=0xccad1510 "")
    at /usr/home/butcher/freebsd/HEAD/src/sys/ddb/db_command.c:434
#4  0xc0469748 in db_command (last_cmdp=0xc09185e4, cmd_table=0x0, 
    aux_cmd_tablep=0xc08942ac, aux_cmd_tablep_end=0xc08942c8)
    at /usr/home/butcher/freebsd/HEAD/src/sys/ddb/db_command.c:403
#5  0xc0469810 in db_command_loop ()
    at /usr/home/butcher/freebsd/HEAD/src/sys/ddb/db_command.c:454
#6  0xc046b429 in db_trap (type=12, code=0)
    at /usr/home/butcher/freebsd/HEAD/src/sys/ddb/db_main.c:221
#7  0xc0651464 in kdb_trap (type=12, code=0, tf=0xccad1700)
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/subr_kdb.c:473
#8  0xc07fb768 in trap_fatal (frame=0xccad1700, eva=3735929054)
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/trap.c:846
#9  0xc07fb4af in trap_pfault (frame=0xccad1700, usermode=0, eva=3735929054)
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/trap.c:766
#10 0xc07fb0c9 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = -1048655744, tf_ebp = -861071552, tf_isp = -861071572, tf_ebx = -1065181642, tf_edx = -559038242, tf_ecx = 0, tf_eax = -559038242, tf_trapno = 12, tf_err = 0, tf_eip = -1066815752, tf_cs = 32, tf_eflags = 66118, tf_esp = -861071352, tf_ss = -1067108740}) at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/trap.c:451
#11 0xc07e89da in calltrap ()
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/exception.s:139
#12 0xc069aef8 in strlen (str=0xdeadc0de <Address 0xdeadc0de out of bounds>)
    at /usr/home/butcher/freebsd/HEAD/src/sys/libkern/strlen.c:41
#13 0xc065367c in kvprintf (fmt=0xc0829e36 "%d:%d:", 
    func=0xc0652e00 <putchar>, arg=0xccad1824, radix=10, 
    ap=0xccad1848 "ÞÀ­ÞÞÀ­Þ")
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/subr_prf.c:679
#14 0xc0652d7b in printf (fmt=0xc0829e34 "%s%d:%d:")
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/subr_prf.c:296
#15 0xc044fba6 in xpt_print_path (path=0xc14e7350)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/cam_xpt.c:4208
#16 0xc045a43f in dacleanup (periph=0xc17ec880)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/scsi/scsi_da.c:815
#17 0xc044b289 in camperiphfree (periph=0xc17ec880)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/cam_periph.c:457
#18 0xc044afd7 in cam_periph_release (periph=0xdeadc0de)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/cam_periph.c:294
#19 0xc045a054 in daclose (dp=0xdeadc0de)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/scsi/scsi_da.c:568
#20 0xc060130c in g_disk_access (pp=0xc17ec180, r=0, w=0, e=0)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_disk.c:152
#21 0xc060722e in g_access (cp=0xc1818e00, dcr=-1, dcw=-1, dce=-2)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_subr.c:730
#22 0xc0605761 in g_slice_access (pp=0xc17ebc80, dr=-1, dw=-1, de=-2)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_slice.c:130
#23 0xc060722e in g_access (cp=0xc1818780, dcr=-1, dcw=-1, dce=-1)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_subr.c:730
#24 0xc0606868 in g_wither_geom_close (gp=0xc17eb880, error=6)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_subr.c:333
#25 0xc06077df in g_vfs_close (cp=0xdeadc0de, td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_vfs.c:172
#26 0xc05f83c8 in msdosfs_unmount (mp=0xc146f800, mntflags=134742016, 
    td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/fs/msdosfs/msdosfs_vfsops.c:789
#27 0xc06898ec in dounmount (mp=0xc146f800, flags=134742016, td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/vfs_mount.c:963
#28 0xc06896c2 in unmount (td=0xc17fd320, uap=0xccad1d04)
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/vfs_mount.c:895
#29 0xc07fbaa6 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134521957, tf_esi = 134535761, tf_ebp = -1077942936, tf_isp = -861069980, tf_ebx = -1077943024, tf_edx = 10, tf_ecx = 0, tf_eax = 22, tf_trapno = 12, tf_err = 2, tf_eip = 671838363, tf_cs = 51, tf_eflags = 518, tf_esp = -1077943108, tf_ss = 59})
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/trap.c:1001
#30 0xc07e8a2f in Xint0x80_syscall ()
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/exception.s:200
#31 0x00000033 in ?? ()
(kgdb) f 26
#26 0xc05f83c8 in msdosfs_unmount (mp=0xc146f800, mntflags=134742016, 
    td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/fs/msdosfs/msdosfs_vfsops.c:789
789		g_vfs_close(pmp->pm_cp, td);
(kgdb) l
784			VI_UNLOCK(vp);
785		}
786	#endif
787		DROP_GIANT();
788		g_topology_lock();
789		g_vfs_close(pmp->pm_cp, td);
790		g_topology_unlock();
791		PICKUP_GIANT();
792		vrele(pmp->pm_devvp);
793		free(pmp->pm_inusemap, M_MSDOSFSFAT);
(kgdb) set output-radix 16
Output radix now set to decimal 16, hex 10, octal 20.
(kgdb) p mntflags 
$1 = 0x8080000
(kgdb) p *mp
$2 = {mnt_list = {tqe_next = 0x0, tqe_prev = 0xc15a2800}, 
  mnt_op = 0xc08c76e0, mnt_vfc = 0xc08c7720, mnt_vnodecovered = 0xc1815990, 
  mnt_syncer = 0x0, mnt_nvnodelist = {tqh_first = 0x0, 
    tqh_last = 0xc146f818}, mnt_lock = {lk_interlock = 0xc09313ec, 
    lk_flags = 0x140000, lk_sharecount = 0x0, lk_waitcount = 0x0, 
    lk_exclusivecount = 0x1, lk_prio = 0x50, lk_wmesg = 0xc0870059 "vfslock", 
    lk_timo = 0x0, lk_lockholder = 0xc17fd320, lk_newlock = 0x0}, mnt_mtx = {
    mtx_object = {lo_class = 0xc08ce424, 
      lo_name = 0xc0870048 "struct mount mtx", 
      lo_type = 0xc0870048 "struct mount mtx", lo_flags = 0x30000, lo_list = {
        tqe_next = 0xc1788aa8, tqe_prev = 0xc18157fc}, 
      lo_witness = 0xc0940f80}, mtx_lock = 0x4, mtx_recurse = 0x0}, 
  mnt_writeopcount = 0x1, mnt_flag = 0x1000, mnt_opt = 0xc1435a50, 
  mnt_optnew = 0x0, mnt_kern_flag = 0x1000001, mnt_maxsymlinklen = 0x0, 
  mnt_stat = {f_version = 0x20030518, f_type = 0x2, f_flags = 0x1000, 
    f_bsize = 0x1000, f_iosize = 0x1000, f_blocks = 0x1e55a, 
    f_bfree = 0x2fdf, f_bavail = 0x2fdf, f_files = 0x0, f_ffree = 0x0, 
    f_syncwrites = 0x0, f_asyncwrites = 0x0, f_syncreads = 0x0, 
    f_asyncreads = 0x0, f_spare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
      0x0, 0x0}, f_namemax = 0xff, f_owner = 0x0, f_fsid = {val = {0x73, 
        0x2}}, f_charspare = '\0' <repeats 79 times>, 
    f_fstypename = "msdosfs\000\000\000\000\000\000\000\000", 
    f_mntfromname = "/dev/da0s1", '\0' <repeats 77 times>, 
    f_mntonname = "/mnt", '\0' <repeats 83 times>}, mnt_cred = 0xc17ebc00, 
  mnt_data = 0xc1802300, mnt_time = 0x0, mnt_iosize_max = 0x10000, 
  mnt_export = 0x0, mnt_mntlabel = 0x0, mnt_fslabel = 0x0, 
  mnt_nvnodelistsize = 0x0, mnt_hashseed = 0x205ad3}
(kgdb) p *pmp
$3 = {pm_mountp = 0xc146f800, pm_cp = 0xc1818780, pm_bo = 0xc1815b60, 
  pm_uid = 0x0, pm_gid = 0x0, pm_mask = 0x1ed, pm_dirmask = 0x1ed, 
  pm_devvp = 0xc1815aa0, pm_bpb = {bpbBytesPerSec = 0x200, 
    bpbSecPerClust = 0x0, bpbResSectors = 0x22, bpbFATs = 0x2, 
    bpbRootDirEnts = 0x0, bpbSectors = 0x0, bpbMedia = 0xf8, 
    bpbFATsecs = 0x0, bpbSecPerTrack = 0x3f, bpbHeads = 0xff, 
    bpbHiddenSecs = 0x3f, bpbHugeSectors = 0xf327f}, pm_BlkPerSec = 0x1, 
  pm_FATsecs = 0x3cb, pm_fatblk = 0x22, pm_rootdirblk = 0x2, 
  pm_rootdirsize = 0x0, pm_firstcluster = 0x7b8, pm_maxcluster = 0x1e559, 
  pm_freeclustercount = 0x2fdf, pm_cnshift = 0xc, pm_crbomask = 0xfff, 
  pm_bnshift = 0x9, pm_bpcluster = 0x1000, pm_fmod = 0x1, 
  pm_fatblocksize = 0x1000, pm_fatblocksec = 0x8, pm_fatsize = 0x79600, 
  pm_fatmask = 0xfffffff, pm_fsinfo = 0x1, pm_nxtfree = 0x19b, 
  pm_fatmult = 0x4, pm_fatdiv = 0x1, pm_curfat = 0x0, 
  pm_inusemap = 0xc181c000, pm_flags = 0x20000002, pm_u2w = 0x0, 
  pm_w2u = 0x0, pm_u2d = 0x0, pm_d2u = 0x0, pm_nfileno = 0x0, pm_filenos = {
    rbh_root = 0x0}}
(kgdb) p *pmp->pm_cp
$4 = {geom = 0xc17eb880, consumer = {le_next = 0x0, le_prev = 0xc17eb890}, 
  provider = 0xc17ebc80, consumers = {le_next = 0xc1818c00, 
    le_prev = 0xc17ebc90}, acr = 0x1, acw = 0x1, ace = 0x1, spoiled = 0x0, 
  stat = 0xc1561b40, nstart = 0x80, nend = 0x80, private = 0x0, index = 0x0}
(kgdb) p *pmp->pm_cp->geom
$5 = {name = 0xc1587320 "msdos.da0s1", class = 0xc08c8620, geom = {
    le_next = 0xc15f1480, le_prev = 0xc08c8660}, consumer = {
    lh_first = 0xc1818780}, provider = {lh_first = 0x0}, geoms = {
    tqe_next = 0x0, tqe_prev = 0xc17eb918}, rank = 0x3, start = 0, 
  spoiled = 0, dumpconf = 0, access = 0, orphan = 0xc06076c4 <g_vfs_orphan>, 
  ioctl = 0, softc = 0xc1815b60, flags = 0x0}
(kgdb) f 25
#25 0xc06077df in g_vfs_close (cp=0xdeadc0de, td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_vfs.c:172
172		g_wither_geom_close(gp, ENXIO);
(kgdb) p l
167		g_topology_assert();
168	
169		gp = cp->geom;
170		bo = gp->softc;
171		bufobj_invalbuf(bo, V_SAVE, td, 0, 0);
172		g_wither_geom_close(gp, ENXIO);
173	}
(kgdb) p gp
$6 = (struct g_geom *) 0xc17eb880
(kgdb) p cp
$7 = (struct g_consumer *) 0xdeadc0de
(kgdb) 
--- umount_detached_device.txt ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

