Panic with SU+J and snapshots on RELENG_9 from November 7

Yamagi Burmeister lists at yamagi.org
Wed Nov 9 11:12:01 UTC 2011


Hi,
on RELENG_9 built on November 7 it's easy to panic the box by creating
snapshots on an SU+J enabled UFS2 file system when there's some load
on the filesystem.

----

To reproduce:
% mount
/dev/ada0p2 on / (ufs, local, journaled soft-updates)

# create some load
% cp -r /usr/src /tmp

# Switch to another tty and create a snapshot
% mksnap_ffs / /.snap/foo1

Repeat this until the box crashes.

----

Some information:

root@vbox:pts/0 /crash> kgdb /boot/kernel/kernel vmcore.0

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
panic: snapacct_ufs2: bad block
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2a
kdb_backtrace() at kdb_backtrace+0x37
panic() at panic+0x187
snapacct_ufs2() at snapacct_ufs2+0x14c
indiracct_ufs2() at indiracct_ufs2+0x2d5
indiracct_ufs2() at indiracct_ufs2+0x28a
expunge_ufs2() at expunge_ufs2+0x361
ffs_snapshot() at ffs_snapshot+0xe78
ffs_mount() at ffs_mount+0xa24
vfs_donmount() at vfs_donmount+0xddc
sys_nmount() at sys_nmount+0x63
amd64_syscall() at amd64_syscall+0x3ac
Xfast_syscall() at Xfast_syscall+0xf7
--- syscall (378, FreeBSD ELF64, sys_nmount), rip = 0x8008a1ecc, rsp = 0x7fffffffd398, rbp = 0x7fffffffddf5 ---
KDB: enter: panic
Dumping 211 out of 2027 MB:..8%..16%..23%..31%..46%..53%..61%..76%..84%..91%

Reading symbols from /boot/kernel/vesa.ko...Reading symbols from /boot/kernel/vesa.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/vesa.ko
#0  doadump (textdump=2077113264) at /usr/src/sys/kern/kern_shutdown.c:260
260		if (textdump && textdump_pending) {
(kgdb) bt
#0  doadump (textdump=2077113264) at /usr/src/sys/kern/kern_shutdown.c:260
#1  0xffffffff802f95ec in db_fncall (dummy1=Variable "dummy1" is not available.
) at /usr/src/sys/ddb/db_command.c:572
#2  0xffffffff802f9921 in db_command (last_cmdp=0xffffffff810ec5c0, cmd_table=Variable "cmd_table" is not available.
) at /usr/src/sys/ddb/db_command.c:448
#3  0xffffffff802f9b70 in db_command_loop () at /usr/src/sys/ddb/db_command.c:501
#4  0xffffffff802fbcc9 in db_trap (type=Variable "type" is not available.
) at /usr/src/sys/ddb/db_main.c:229
#5  0xffffffff8085b6f1 in kdb_trap (type=3, code=0, tf=0xffffff807bce3de0) at /usr/src/sys/kern/subr_kdb.c:620
#6  0xffffffff80b0e756 in trap (frame=0xffffff807bce3de0) at /usr/src/sys/amd64/amd64/trap.c:590
#7  0xffffffff80af8bef in calltrap () at /usr/src/sys/amd64/amd64/exception.S:228
#8  0xffffffff8085b49b in kdb_enter (why=0xffffffff80d2695b "panic", msg=0x80 <Address 0x80 out of bounds>) at cpufunc.h:63
#9  0xffffffff80825f20 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:599
#10 0xffffffff80a3785c in snapacct_ufs2 (vp=Variable "vp" is not available.
) at /usr/src/sys/ufs/ffs/ffs_snapshot.c:1499
#11 0xffffffff80a37025 in indiracct_ufs2 (snapvp=0xfffffe0065a36780, cancelvp=0xfffffe0002930000, level=0, blkno=Variable "blkno" is not available.
)
    at /usr/src/sys/ufs/ffs/ffs_snapshot.c:1414
#12 0xffffffff80a36fda in indiracct_ufs2 (snapvp=0xfffffe0065a36780, cancelvp=0xfffffe0002930000, level=0, blkno=Variable "blkno" is not available.
)
    at /usr/src/sys/ufs/ffs/ffs_snapshot.c:1424
#13 0xffffffff80a37c41 in expunge_ufs2 (snapvp=0xfffffe0065a36780, cancelip=0xfffffe000292adc8, fs=0xfffffe00028a9000, 
    acctfunc=0xffffffff80a37710 <snapacct_ufs2>, expungetype=2, clearmode=Variable "clearmode" is not available.
) at /usr/src/sys/ufs/ffs/ffs_snapshot.c:1346
#14 0xffffffff80a3a6e8 in ffs_snapshot (mp=0xfffffe000289dc00, snapfile=Variable "snapfile" is not available.
) at /usr/src/sys/ufs/ffs/ffs_snapshot.c:712
#15 0xffffffff80a55784 in ffs_mount (mp=0xfffffe000289dc00) at /usr/src/sys/ufs/ffs/ffs_vfsops.c:474
#16 0xffffffff808b89bc in vfs_donmount (td=Variable "td" is not available.
) at /usr/src/sys/kern/vfs_mount.c:925
#17 0xffffffff808b9223 in sys_nmount (td=0xfffffe0002c22000, uap=0xffffff807bce4bc0) at /usr/src/sys/kern/vfs_mount.c:410
#18 0xffffffff80b0dacc in amd64_syscall (td=0xfffffe0002c22000, traced=0) at subr_syscall.c:131
#19 0xffffffff80af8ed7 in Xfast_syscall () at /usr/src/sys/amd64/amd64/exception.S:387
#20 0x00000008008a1ecc in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) frame 10
#10 0xffffffff80a3785c in snapacct_ufs2 (vp=Variable "vp" is not available.
) at /usr/src/sys/ufs/ffs/ffs_snapshot.c:1499
1499					panic("snapacct_ufs2: bad block");
(kgdb) list
1494			if (expungetype == BLK_SNAP && *blkp == BLK_NOCOPY) {
1495				if (lbn >= NDADDR)
1496					brelse(ibp);
1497			} else {
1498				if (*blkp != 0)
1499					panic("snapacct_ufs2: bad block");
1500				*blkp = expungetype;
1501				if (lbn >= NDADDR)
1502					bdwrite(ibp);
1503			}

----

A screenshot of the panic can be found here:
http://deponie.yamagi.org/freebsd/snapshots_panic/panic2.png

I still have the core so further information can be provided, if
necessary.

Thanks,
Yamagi

-- 
Homepage:  www.yamagi.org
XMPP:      yamagi at yamagi.org
GnuPG/GPG: 0xEFBCCBCB
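
The check that fired, as a userland model (an added example, not code from the original post or from FreeBSD): `account_slot` mirrors the branch shown in the `list` output above, with `ACCT_BAD_BLOCK` standing in for the panic. The `BLK_NOCOPY`/`BLK_SNAP` values are those in FreeBSD's `fs.h`; `account_run`, `NSLOTS` and the modulo block-to-slot mapping are simplifications assumed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BLK_NOCOPY 1  /* as in FreeBSD sys/ufs/ffs/fs.h */
#define BLK_SNAP   2  /* as in FreeBSD sys/ufs/ffs/fs.h */
#define NSLOTS     8  /* constructed: size of the toy snapshot block map */

enum acct_result { ACCT_OK, ACCT_SKIPPED, ACCT_BAD_BLOCK };

/*
 * Model of ffs_snapshot.c:1494-1503. `slot` plays the role of *blkp, the
 * snapshot's own pointer for the block being accounted. The buffer handling
 * (brelse/bdwrite) is left out; only the invariant is kept.
 */
static enum acct_result account_slot(int64_t *slot, int64_t expungetype)
{
	if (expungetype == BLK_SNAP && *slot == BLK_NOCOPY)
		return ACCT_SKIPPED;     /* the one tolerated non-zero value */
	if (*slot != 0)
		return ACCT_BAD_BLOCK;   /* kernel: panic("snapacct_ufs2: bad block") */
	*slot = expungetype;             /* claim the slot for this pass */
	return ACCT_OK;
}

/*
 * Hypothetical driver: walk a run of block numbers and account each one.
 * Returns the index of the first entry that would panic, or -1 if none.
 */
static int account_run(int64_t *snapmap, const int64_t *blks, size_t n,
    int64_t expungetype)
{
	for (size_t i = 0; i < n; i++) {
		int64_t b = blks[i];
		if (b == 0 || b == BLK_NOCOPY || b == BLK_SNAP)
			continue;        /* marker values, nothing to account */
		if (account_slot(&snapmap[b % NSLOTS], expungetype) == ACCT_BAD_BLOCK)
			return (int)i;
	}
	return -1;
}

int main(void)
{
	int64_t map[NSLOTS] = {0};
	const int64_t twice[] = {3, 3};  /* constructed: same block seen twice */
	printf("first bad entry: %d\n", account_run(map, twice, 2, BLK_SNAP));
	return 0;
}
```

Frame #13 of the backtrace shows `expungetype=2`, i.e. `BLK_SNAP`, so at the time of the panic the slot held a value that was neither `0` nor `BLK_NOCOPY`.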