panic in nfsd in freebsd7-release and -stable

Kostik Belousov kostikbel at gmail.com
Mon May 26 13:45:50 UTC 2008


On Sun, May 25, 2008 at 09:28:36PM -0400, Andrew Edwards wrote:
> I have a system that was running some version of redhat (I don't
> remember now) and I upgraded it to freebsd7 and I would get an immediate
> panic when nfsd is started.  I then updated to 7-stable (on May 24th)
> and built a new kernel and userland and the panic continued.
> 
> This was happening 100% of the time whenever nfsd is started but what  I
> later discovered was that because I had used the same IP's as the linux
> host there were some systems that still had a filesystem mounted from
> before the conversion.  I put in an ipfw rule to block those hosts and
> then I was able to start nfsd without crashing and then create new
> mounts.  I have been able to work-around the issue by forcing all of the
> servers that were mounting from the linux os to remount, I am only
> including this information just in case someone else runs into a similar
> problem.
> 
> Thanks,
> Andrew
> 
> Here's the backtrace
> 
> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 06
> fault virtual address   = 0x18
> fault code              = supervisor read, page not present
> instruction pointer     = 0x20:0xc06ce915
> stack pointer           = 0x28:0xe8f32a48
> frame pointer           = 0x28:0xe8f32a64
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                         = DPL 0, pres 1, def32 1, gran 1
> processor eflags        = resume, IOPL = 0
> current process         = 755 (nfsd)
> trap number             = 12
> panic: page fault
> cpuid = 1
> Uptime: 40m22s
> Physical memory: 3318 MB
> Dumping 93 MB: 78 62 46 30 14
> 
> #0  doadump () at pcpu.h:195
> 195     pcpu.h: No such file or directory.
>         in pcpu.h
> (kgdb) bt
> #0  doadump () at pcpu.h:195
> #1  0xc069a917 in boot (howto=260) at
> /usr/src/sys/kern/kern_shutdown.c:418
> #2  0xc069ac13 in panic (fmt=Variable "fmt" is not available.
> ) at /usr/src/sys/kern/kern_shutdown.c:572
> #3  0xc0926763 in trap_fatal (frame=0xe8f32a08, eva=24)
>     at /usr/src/sys/i386/i386/trap.c:899
> #4  0xc09270ff in trap (frame=0xe8f32a08) at
> /usr/src/sys/i386/i386/trap.c:280
> #5  0xc090c84b in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> #6  0xc06ce915 in turnstile_broadcast (ts=0x0, queue=0)
>     at /usr/src/sys/kern/subr_turnstile.c:835
> #7  0xc068d292 in _mtx_unlock_sleep (m=0xc0a47e10, opts=0, file=0x0,
> line=0)
>     at /usr/src/sys/kern/kern_mutex.c:611
> #8  0xc0849b79 in nfsrv3_access (nfsd=0xc6ba5d00, slp=0xc6b7f700,
>     td=0xc6856c60, mrq=0xe8f32c58) at
> /usr/src/sys/nfsserver/nfs_serv.c:253
> #9  0xc085bc71 in nfssvc (td=0xc6856c60, uap=0xe8f32cfc)
>     at /usr/src/sys/nfsserver/nfs_syscalls.c:461
> #10 0xc0926d35 in syscall (frame=0xe8f32d38)
>     at /usr/src/sys/i386/i386/trap.c:1035
> #11 0xc090c8b0 in Xint0x80_syscall ()
>     at /usr/src/sys/i386/i386/exception.s:196
> #12 0x00000033 in ?? ()

Please, test the change below.

The nfsm_srvmtofh() may execute nfsm_reply(), which contains the goto nfsmout.
Since the code under that label includes a conditional unlock of Giant,
vfslocked must be initialized prior to the nfsm_srvmtofh(). I found three
omissions.

The patch also contains the removal of the duplicated code for the rev. 1.179.

diff --git a/sys/nfsserver/nfs_serv.c b/sys/nfsserver/nfs_serv.c
index 5343627..6e716e4 100644
--- a/sys/nfsserver/nfs_serv.c
+++ b/sys/nfsserver/nfs_serv.c
@@ -210,6 +210,7 @@ nfsrv3_access(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp,
 	nfsdbprintf(("%s %d\n", __FILE__, __LINE__));
 	if (!v3)
 		panic("nfsrv3_access: v3 proc called on a v2 connection");
+	vfslocked = 0;
 	fhp = &nfh.fh_generic;
 	nfsm_srvmtofh(fhp);
 	tl = nfsm_dissect_nonblock(u_int32_t *, NFSX_UNSIGNED);
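Review bot: The added `vfslocked = 0;` here in nfsrv3_access, and the identical additions in the nfsrv_writegather and nfsrv_pathconf hunks, carry no comment saying that nfsm_srvmtofh() can jump to nfsmout, where vfslocked decides whether Giant is released. The goto is hidden inside the macro, so I would add `/* nfsm_srvmtofh() may goto nfsmout, which tests vfslocked */` above each assignment, or initialise at the declaration (`int vfslocked = 0;`, outside these hunks) so that no early exit can read an indeterminate value. The reported panic was triggered by requests from stale remote clients, so the other nfsrv_* handlers in this file, which are not visible here, deserve the same audit. All three function bodies start and end outside their hunks.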
@@ -1285,6 +1286,7 @@ nfsrv_writegather(struct nfsrv_descript **ndp, struct nfssvc_sock *slp,
 	i = 0;
 	len = 0;
 #endif
+	vfslocked = 0;
 	*mrq = NULL;
 	if (*ndp) {
 	    nfsd = *ndp;
@@ -2146,7 +2148,7 @@ nfsrv_remove(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp,
 	nfsfh_t nfh;
 	fhandle_t *fhp;
 	struct mount *mp = NULL;
-	int vfslocked, vfslocked1;
+	int vfslocked;
 
 	nfsdbprintf(("%s %d\n", __FILE__, __LINE__));
 	ndclear(&nd);
@@ -2168,11 +2170,7 @@ nfsrv_remove(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp,
 	nd.ni_cnd.cn_flags = LOCKPARENT | LOCKLEAF | MPSAFE;
 	error = nfs_namei(&nd, fhp, len, slp, nam, &md, &dpos,
 		&dirp, v3,  &dirfor, &dirfor_ret, td, FALSE);
-	vfslocked1 = NDHASGIANT(&nd);
-	if (vfslocked && vfslocked1)
-		VFS_UNLOCK_GIANT(vfslocked1);
-	if (vfslocked || vfslocked1)
-		vfslocked = 1;
+	vfslocked = nfsrv_lockedpair_nd(vfslocked, &nd);
 	if (dirp && !v3) {
 		vrele(dirp);
 		dirp = NULL;
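Review bot: The new call `vfslocked = nfsrv_lockedpair_nd(vfslocked, &nd);` in nfsrv_remove relies on a helper that this diff does not define, so the patch only builds on a branch that already carries the change the description refers to as rev. 1.179. The reporter runs 7-release and 7-stable; it is worth confirming the helper is present there, or splitting this cleanup from the three `vfslocked = 0;` fixes so the panic fix can be merged on its own. The helper also takes `vfslocked` as an input, and whatever assigns it before this point lies outside the hunk.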
@@ -4132,6 +4130,7 @@ nfsrv_pathconf(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp,
 	nfsdbprintf(("%s %d\n", __FILE__, __LINE__));
 	if (!v3)
 		panic("nfsrv_pathconf: v3 proc called on a v2 connection");
+	vfslocked = 0;
 	fhp = &nfh.fh_generic;
 	nfsm_srvmtofh(fhp);
 	error = nfsrv_fhtovp(fhp, 1, &vp, &vfslocked, cred, slp,