kern/107439: 6.2-PRE repeatable panic: userret: Returning with 1 locks held

Eugene Grosbein eugen at
Tue Jan 2 12:30:17 PST 2007

>Number:         107439
>Category:       kern
>Synopsis:       6.2-PRE repeatable panic: userret: Returning with 1 locks held
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 02 20:30:16 GMT 2007
>Originator:     Eugene Grosbein
>Release:        FreeBSD 6.2-PRERELEASE i386
>Organization:
Svyaz Service JSC
>Environment:
System: FreeBSD 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #7: Wed Jan 3 02:16:56 KRAT 2007 eu at i386

>Description:
	An attempt to move a file from a r/w-mounted NTFS to UFS
	produces a deadlock on UFS with a kernel compiled without
	INVARIANTS, or an immediate panic with INVARIANTS.


>How-To-Repeat:
	I'll show how to reproduce this with file systems mounted
	from file-backed md devices; however, this problem
	exists for "real" file systems too.

	Feel free to fetch the image. It is a compressed (152KB) image
	of an 8MB NTFS made with Windows XP Professional Service Pack 2
	(or you may use another NTFS if you have one).

	Then make a new UFS to play with. I do not recommend using
	a real UFS; it will be locked and a clean unmount will be impossible.
	Again, you may want to do this in single-user mode, without extra
	file systems mounted and processes running.

	Now do:

# scratch 1MB file-backed UFS image (do not use a real UFS, see above)
dd if=/dev/zero of=ufs.img bs=1m count=1
mdufs=/dev/`mdconfig -a -t vnode -f ufs.img`
newfs $mdufs
# ntfs.img is the NTFS image fetched above (or any other NTFS image)
mdntfs=/dev/`mdconfig -a -t vnode -f ntfs.img`
mkdir -p /mnt/ufs /mnt/ntfs
mount $mdufs /mnt/ufs
mount_ntfs $mdntfs /mnt/ntfs

	Now you have NTFS mounted r/w in /mnt/ntfs
	and UFS mounted r/w in /mnt/ufs. Now do:

mv /mnt/ntfs/file /mnt/ufs/

	If your kernel was compiled without INVARIANTS,
	you'll get 'Operation not supported' and the system will
	continue to run, but any process trying to read from /mnt/ufs
	(including ls -l /mnt/ufs) will lock up in uninterruptible disk I/O
	and will be unkillable even with kill -9.

	For a kernel with INVARIANTS (including GENERIC plus this option)
	you'll get a kernel panic immediately. Sadly, the crashdump always
	contains a corrupted stack, whether it was compiled with debug info or not.
	Here is an attempt to get a backtrace
	(I used 'set hw.physmem=33554432' at the boot loader prompt,
	or else it does not finish the crashdump for all my 1024MB of RAM,
	for an unknown reason):

panic: userret: Returning with 1 locks held.
cpuid = 0
KDB: stack backtrace:
kdb_backtrace(c0740077,0,c07214ce,c4b19cbc,c1addc00,...) at 0xc0544a83 = kdb_backtrace+0x2f
panic(c07214ce,1,c0596fbf,c1addc00,2d,...) at 0xc0527eb1 = panic+0x129
userret(c1addc00,c4b19d38,1,280bf000,2,...) at 0xc054da0d = userret+0xf5
syscall(3b,3b,3b,bfbfee53,bfbfe8f0,...) at 0xc06e06ea = syscall+0x371
Xint0x80_syscall() at 0xc06ca1ff = Xint0x80_syscall+0x1f
--- syscall (45, FreeBSD ELF32, ktrace), eip = 0x280bf94b, esp = 0xbfbfe21c, ebp = 0xbfbfe8a8 ---
Uptime: 5m49s
Dumping 31 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 31MB (7936 pages) 16

#0  doadump () at pcpu.h:165
165		__asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc0527ba0 in boot (howto=260)
    at /usr/local/src/sys/kern/kern_shutdown.c:409
	first_buf_printf = 1
#2  0xc0527f2d in panic (
    fmt=0xc07214ce "userret: Returning with %d locks held.")
    at /usr/local/src/sys/kern/kern_shutdown.c:565
	td = (struct thread *) 0xc1addc00
	bootopt = 260
	newpanic = 1
	ap = 0xc4b19cbc "\001"
	buf = "userret: Returning with 1 locks held.", '\0' <repeats 218 times>
#3  0xc054da0d in userret (td=0xc1addc00, frame=0xc4b19d38, oticks=1)
    at /usr/local/src/sys/kern/subr_trap.c:140
	p = (struct proc *) 0xc1adc430
#4  0xc06e06ea in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077940653, tf_esi = -1077942032, tf_ebp = -1077942104, tf_isp = -994992796, tf_ebx = -1077940653, tf_edx = -1, tf_ecx = 2, tf_eax = 45, tf_trapno = 12, tf_err = 2, tf_eip = 671873355, tf_cs = 51, tf_eflags = 647, tf_esp = -1077943780, tf_ss = 59})
    at /usr/local/src/sys/i386/i386/trap.c:1034
	params = 0xbfbfe220 <Address 0xbfbfe220 out of bounds>
	callp = (struct sysent *) 0xc0756be0
	td = (struct thread *) 0xc1addc00
	p = (struct proc *) 0xc1adc430
	orig_tf_eflags = 646
	sticks = 1
	error = 45
	narg = 2
	args = {-1077940653, -1077942032, 654, 671873348, 12, 0, 1, 
	code = 128
#5  0xc06ca1ff in Xint0x80_syscall ()
    at /usr/local/src/sys/i386/i386/exception.s:200
No locals.
#6  0x00000033 in ?? ()
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)


>Fix:
	Unknown. The workaround is to always mount NTFS read-only.

Eugene Grosbein
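An added example, not part of this PR and not FreeBSD's own mv(1) source: a small C program that performs the steps mv(1) takes when rename(2) fails with EXDEV (copy the data, then unlink the source), logging each system call and its errno to stderr. On a scratch md-backed setup like the one above, the last line printed before the hang or panic shows which call returned 'Operation not supported' (EOPNOTSUPP, errno 45), which narrows the search for the leaked lock to one vnode operation. It assumes a POSIX libc, copies data only (no mode, ownership or timestamps, which mv would also carry over), and its self_test() works on constructed temporary files under /tmp. Run it only against throwaway file systems, since the report says the UFS becomes wedged afterwards.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Log each step so the last line before a hang or panic names the syscall in flight and its errno. */
static void report(const char *step, int rc)
{
	int saved = errno;
	if (rc < 0)
		fprintf(stderr, "%s: %s (errno %d)\n", step, strerror(saved), saved);
	else
		fprintf(stderr, "%s: ok\n", step);
	errno = saved;
}

/* Copy src bytes into dst (created/truncated, mode 0644), no metadata. 0 on success, -1 with errno set. */
int copy_contents(const char *src, const char *dst)
{
	char buf[65536];
	int in, out = -1, saved;
	ssize_t n, off, w;
	report("open(src, O_RDONLY)", in = open(src, O_RDONLY));
	if (in < 0)
		return -1;
	report("open(dst, O_WRONLY|O_CREAT|O_TRUNC)",
	    out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0644));
	if (out < 0)
		goto fail;
	while ((n = read(in, buf, sizeof buf)) > 0)
		for (off = 0; off < n; off += w)
			if ((w = write(out, buf + off, (size_t)(n - off))) < 0) {
				report("write(dst)", -1);
				goto fail;
			}
	report("read(src) to EOF", (int)n);
	if (n < 0)
		goto fail;
	report("close(dst)", (int)(n = close(out)));	/* deferred write errors surface here */
	close(in);
	return n < 0 ? -1 : 0;
fail:
	saved = errno;
	close(in);
	if (out >= 0)
		close(out);
	errno = saved;
	return -1;
}

/* What mv(1) does: rename(2) first; on EXDEV (src and dst on different file
 * systems) copy the data, then unlink the source. Returns 0 or -1. */
int move_file(const char *src, const char *dst)
{
	int rc = rename(src, dst);
	report("rename(src, dst)", rc);
	if (rc == 0)
		return 0;
	if (errno != EXDEV || copy_contents(src, dst) < 0)
		return -1;
	report("unlink(src)", rc = unlink(src));
	return rc;
}

/* Self-check on constructed temp files (one file system, so rename never hits EXDEV). Returns 1 on success. */
int self_test(void)
{
	char a[] = "/tmp/mvstep_a_XXXXXX", b[] = "/tmp/mvstep_b_XXXXXX", c[] = "/tmp/mvstep_c_XXXXXX";
	const char payload[] = "constructed sample data for the move test\n";
	size_t len = sizeof payload - 1;
	char back[128];
	int fd, ok = 0;
	ssize_t n;
	if ((fd = mkstemp(a)) < 0 || write(fd, payload, len) != (ssize_t)len || close(fd) < 0)
		goto out;
	if ((fd = mkstemp(b)) < 0 || close(fd) < 0 || (fd = mkstemp(c)) < 0 || close(fd) < 0)
		goto out;
	/* copy path explicitly, then the rename path; b must be gone afterwards */
	if (copy_contents(a, b) < 0 || move_file(b, c) < 0 || access(b, F_OK) == 0)
		goto out;
	if ((fd = open(c, O_RDONLY)) < 0)
		goto out;
	n = read(fd, back, sizeof back);
	close(fd);
	ok = (n == (ssize_t)len && memcmp(back, payload, len) == 0);
out:
	unlink(a); unlink(b); unlink(c);
	return ok;
}

int main(int argc, char **argv)
{
	if (argc != 3) {
		fprintf(stderr, "usage: %s src dst   (e.g. /mnt/ntfs/file /mnt/ufs/file)\n", argv[0]);
		return 2;
	}
	return move_file(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Build with cc (file name mvstep.c is assumed) and run it from the console as ./mvstep /mnt/ntfs/file /mnt/ufs/file on the md-backed pair, so the last stderr line survives a panic on screen; the step that reports errno 45 is the one to set a breakpoint on in the corresponding NTFS or UFS vnode operation.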
