[Bug 200585] [nlm] Fatal trap 9 when printing out KASSERT trying to run umount -f on an NFS share while it's trying to print out "lockd not responding" in nlm(4)

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jun 2 04:32:09 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200585

            Bug ID: 200585
           Summary: [nlm] Fatal trap 9 when printing out KASSERT trying to
                    run umount -f on an NFS share while it's trying to
                    print out "lockd not responding" in nlm(4)
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: ngie at FreeBSD.org

Repro:

- Check out head at r283754
- Build/install a kernel with the following options:

include GENERIC
options DEBUG_MEMGUARD

- Add the following config items to /etc/rc.conf:

rpcbind_enable="YES"
nfs_client_enable="YES"

- Mount an NFS share to /mnt.
- Do `svn co http://svn.freebsd.org/base/head /mnt/src`. If lockd's broken then
it
  should start printing out "lockd not responding".
- Let it go its course for a while.
- Run `umount -f /mnt`

Expected results:

The umount -f should succeed.

Actual results:

The kernel panics when running strlen(9) with a Fatal Trap 9 (it looks like
some of the
kernel structures were being torn down while it was trying to print out the
message):

# kgdb /boot/kernel/kernel vmcore.7
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:


Fatal trap 9: general protection fault while in kernel mode
cpuid = 5; apic id = 05
instruction pointer    = 0x20:0xffffffff80a2e51f
stack pointer            = 0x28:0xfffffe2f8fa0dc30
frame pointer            = 0x28:0xfffffe2f8fa0dc40
code segment        = base 0x0, limit 0xfffff, type 0x1b
            = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags    = interrupt enabled, resume, IOPL = 0
current process        = 1730 (svn)

#0  doadump (textdump=0) at pcpu.h:221
221    pcpu.h: No such file or directory.
    in pcpu.h
(kgdb) bt
#0  doadump (textdump=0) at pcpu.h:221
#1  0xffffffff8036503e in db_dump (dummy=<value optimized out>, dummy2=false,
dummy3=0, dummy4=0x0) at /usr/src/sys/ddb/db_command.c:533
#2  0xffffffff80364bb1 in db_command (cmd_table=0x0) at
/usr/src/sys/ddb/db_command.c:440
#3  0xffffffff80364844 in db_command_loop () at
/usr/src/sys/ddb/db_command.c:493
#4  0xffffffff803673db in db_trap (type=<value optimized out>, code=0) at
/usr/src/sys/ddb/db_main.c:251
#5  0xffffffff8099ef54 in kdb_trap (type=9, code=0, tf=<value optimized out>)
at /usr/src/sys/kern/subr_kdb.c:654
#6  0xffffffff80e3b079 in trap_fatal (frame=0xfffffe2f8fa0db80, eva=<value
optimized out>) at /usr/src/sys/amd64/amd64/trap.c:854
#7  0xffffffff80e3ad20 in trap (frame=<value optimized out>) at
/usr/src/sys/amd64/amd64/trap.c:201
#8  0xffffffff80e1bd72 in calltrap () at
/usr/src/sys/amd64/amd64/exception.S:235
#9  0xffffffff80a2e51f in strlen (str=0xdeadc0dedeadc0de <Address
0xdeadc0dedeadc0de out of bounds>) at /usr/src/sys/libkern/strlen.c:98
#10 0xffffffff809a8dea in kvprintf (fmt=0xffffffff810969ba " @ %s:%d",
func=0xffffffff809a9e00 <snprintf_func>, arg=0xfffffe2f8fa0dd70, radix=Cannot
access memory at address 0xa
)
    at /usr/src/sys/kern/subr_prf.c:796
#11 0xffffffff809a9de1 in vsnprintf (str=<value optimized out>, size=<value
optimized out>, 
    format=0xdeadc0dedeadc0de <Address 0xdeadc0dedeadc0de out of bounds>,
ap=0xfefefefefefefeff) at /usr/src/sys/kern/subr_prf.c:529
#12 0xffffffff80961efa in kassert_panic (fmt=0xffffffff8109699f "mtx_lock() of
spin mutex %s @ %s:%d") at /usr/src/sys/kern/kern_shutdown.c:623
#13 0xffffffff80945ec6 in __mtx_lock_flags (c=0xfffff800220fb818, opts=0,
file=0xffffffff810cd0cc "/usr/src/sys/nlm/nlm_advlock.c", line=136)
    at /usr/src/sys/kern/kern_mutex.c:216
#14 0xffffffff80b6b640 in nlm_feedback (type=<value optimized out>, proc=<value
optimized out>, arg=0xfffffe2f8fa0e3c8)
    at /usr/src/sys/nlm/nlm_advlock.c:136
#15 0xffffffff80c36491 in clnt_dg_call (cl=<value optimized out>,
ext=0xfffffe2f8fa0e3d8, proc=2, args=0xfffff8012cf4ab00, 
    resultsp=0xfffffe2f8fa0e038, utimeout={tv_sec = 60, tv_usec = 0}) at
/usr/src/sys/rpc/clnt_dg.c:666
#16 0xffffffff80c3b6bd in clnt_call_private (cl=0xfffff801e13cb140,
ext=0xfffffe2f8fa0e3d8, proc=2, xargs=<value optimized out>, 
    argsp=<value optimized out>, xresults=0xffffffff80b73a10 <xdr_nlm4_res>,
resultsp=0xfffffe2f8fa0e0b8, utimeout={tv_sec = 60, tv_usec = 0})
    at /usr/src/sys/rpc/rpc_generic.c:761
#17 0xffffffff80b6ce80 in nlm4_lock_4 (argp=0xfefefefefefefeff, clnt_res=<value
optimized out>, clnt=0xdeadc0dedeadc0de, ext=0x0)
    at /usr/src/sys/nlm/nlm_prot_clnt.c:212
#18 0xffffffff80b6b979 in nlm_setlock (host=0xfffff80157ab2800,
ext=0xfffffe2f8fa0e3d8, vers=4, timo=0xfffffe2f8fa0e408, 
    retries=<value optimized out>, vp=0xfffff80157a2d588, fl=<value optimized
out>, flags=64, svid=1730, fhlen=32, fh=0xfffffe2f8fa0e630, 
    size=<value optimized out>, reclaim=0) at
/usr/src/sys/nlm/nlm_advlock.c:597
#19 0xffffffff80b6b05e in nlm_advlock_internal (vp=0xfffff80157a2d588,
id=<value optimized out>, op=<value optimized out>, fl=0xfffffe2f8fa0e958, 
    flags=<value optimized out>, reclaim=0, unlock_vp=<value optimized out>) at
/usr/src/sys/nlm/nlm_advlock.c:328
#20 0xffffffff80b6a58d in nlm_advlock (ap=<value optimized out>) at
/usr/src/sys/nlm/nlm_advlock.c:388
#21 0xffffffff8087b4ed in nfs_advlock (ap=<value optimized out>) at
/usr/src/sys/fs/nfsclient/nfs_clvnops.c:3095
#22 0xffffffff80f35e37 in VOP_ADVLOCK_APV (vop=<value optimized out>, a=<value
optimized out>) at vnode_if.c:2529
#23 0xffffffff80913ab3 in kern_fcntl (td=0xfffff80027b53960, fd=<value
optimized out>, cmd=<value optimized out>, arg=<value optimized out>)
    at vnode_if.h:1041
#24 0xffffffff80912f57 in kern_fcntl_freebsd (td=0xfffff80027b53960, fd=3,
cmd=<value optimized out>, arg=140737488344840)
    at /usr/src/sys/kern/kern_descrip.c:451
#25 0xffffffff80e3b8df in amd64_syscall (td=0xfffff80027b53960, traced=0) at
subr_syscall.c:133
#26 0xffffffff80e1c05b in Xfast_syscall () at
/usr/src/sys/amd64/amd64/exception.S:395
#27 0x00000008037b529a in ?? ()
Previous frame inner to this frame (corrupt stack?)
Current language:  auto; currently minimal
(kgdb) p version
$1 = 0xffffffff8149b370 "FreeBSD 11.0-CURRENT #0 9a1d54a(master): Sat May 30
04:02:59 UTC 2015\n    root at bakeoff-dut-101:/usr/obj/usr/src/sys/BAKEOFF\n"
(kgdb) frame 14
#14 0xffffffff80b6b640 in nlm_feedback (type=<value optimized out>, proc=<value
optimized out>, arg=0xfffffe2f8fa0e3c8)
    at /usr/src/sys/nlm/nlm_advlock.c:136
136        mtx_lock(&nmp->nm_mtx);
(kgdb) p *((struct nlm_feedback_arg *)arg)->nf_nmp
$11 = {nm_com = {nmcom_mtx = {lock_object = {lo_name = 0xdeadc0dedeadc0de
<Address 0xdeadc0dedeadc0de out of bounds>, lo_flags = 3735929054, 
        lo_data = 3735929054, lo_witness = 0xdeadc0dedeadc0de}, mtx_lock =
16045693110842147038}, nmcom_flag = -559038242, 
    nmcom_state = -559038242, nmcom_mountp = 0xdeadc0dedeadc0de, nmcom_timeo =
-559038242, nmcom_retry = -559038242, 
    nmcom_hostname = 0xfffff800220fb838
"��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"...,
nmcom_getinfo = 0xdeadc0dedeadc0de, 
    nmcom_vinvalbuf = 0xdeadc0dedeadc0de}, nm_numgrps = -559038242, 
  nm_fh = 0xfffff800220fb8a4
"��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"...,
nm_fhsize = -559038242, nm_sotype = -559038242, 
  nm_soproto = -559038242, nm_soflags = -559038242, nm_nam =
0xdeadc0dedeadc0de, nm_deadthresh = -559038242, nm_rsize = -559038242, 
  nm_wsize = -559038242, nm_readdirsize = -559038242, nm_readahead =
-559038242, nm_wcommitsize = -559038242, nm_acdirmin = -559038242, 
  nm_acdirmax = -559038242, nm_acregmin = -559038242, nm_acregmax = -559038242, 
  nm_verf = 0xfffff800220fb968
"��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"...,
nm_bufq = {tqh_first = 0xdeadc0dedeadc0de, 
    tqh_last = 0xdeadc0dedeadc0de}, nm_bufqlen = -16162, nm_bufqwant = -8531,
nm_bufqiods = -559038242, nm_maxfilesize = 16045693110842147038, 
  nm_rpcops = 0xdeadc0dedeadc0de, nm_tprintf_initial_delay = -559038242,
nm_tprintf_delay = -559038242, nm_secflavor = -559038242, 
  nm_client = 0xdeadc0dedeadc0de, nm_timers = 0xfffff800220fb9b0, 
  nm_principal = 0xfffff800220fb9f0
"��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"...,
nm_mech_oid = 0xdeadc0dedeadc0de, 
  nm_nametimeo = -559038242, nm_negnametimeo = -559038242, nm_clientid =
16045693110842147038, nm_fsid = {val = 0xfffff800220fba60}, 
  nm_lease_time = 3735929054, nm_last_renewal = -2401050962867404578}
(kgdb) p ((struct nlm_feedback_arg *)arg)->nf_nmp->nm_com
$12 = {nmcom_mtx = {lock_object = {lo_name = 0xdeadc0dedeadc0de <Address
0xdeadc0dedeadc0de out of bounds>, lo_flags = 3735929054, 
      lo_data = 3735929054, lo_witness = 0xdeadc0dedeadc0de}, mtx_lock =
16045693110842147038}, nmcom_flag = -559038242, nmcom_state = -559038242, 
  nmcom_mountp = 0xdeadc0dedeadc0de, nmcom_timeo = -559038242, nmcom_retry =
-559038242, 
  nmcom_hostname = 0xfffff800220fb838
"��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������"...,
nmcom_getinfo = 0xdeadc0dedeadc0de, 
  nmcom_vinvalbuf = 0xdeadc0dedeadc0de}
(kgdb) p ((struct nlm_feedback_arg *)arg)->nf_nmp->nm_com.nmcom_mtx
$13 = {lock_object = {lo_name = 0xdeadc0dedeadc0de <Address 0xdeadc0dedeadc0de
out of bounds>, lo_flags = 3735929054, lo_data = 3735929054, 
    lo_witness = 0xdeadc0dedeadc0de}, mtx_lock = 16045693110842147038}
(kgdb) p ((struct nlm_feedback_arg *)arg)->nf_nmp->nm_com.nmcom_mtx.mtx_lock
$14 = 16045693110842147038

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the freebsd-bugs mailing list