panic during shutdown from vfs_umountall()
Robert Watson
rwatson at FreeBSD.org
Mon Dec 1 09:33:20 PST 2003
Running with a MAC kernel, about to try booting identical but non-MAC; I'm
not able to reproduceit , however. bgfsck may have been running during
the shutdown. Apparently the device vnode for /usr is vrele()'d one too
many times at some point during the run, resulting in a panic. This is
with vfs_mount.c:1.116.
Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org Senior Research Scientist, McAfee Research
Script started on Mon Dec 1 12:23:10 2003
GNU gdb 5.2.1 (FreeBSD)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-undermydesk-freebsd"...
panic: vrele: negative ref cnt
panic messages:
---
panic: vrele: negative ref cnt
cpuid = 0;
panic: from debugger
cpuid = 0;
Uptime: 23h36m45s
Dumping 511 MB
16 32 48 64 80 96 112 128 144 160 176 192 208 224 240 256 272 288 304 320 336 352 368 384 400 416 432 448 464 480 496
---
Reading symbols from /boot/kernel/snd_maestro3.ko...done.
Loaded symbols for /boot/kernel/snd_maestro3.ko
Reading symbols from /boot/kernel/snd_pcm.ko...done.
Loaded symbols for /boot/kernel/snd_pcm.ko
Reading symbols from /usr/obj/usr/src/sys/PAPRIKAMAC/modules/usr/src/sys/modules/mac_biba/mac_biba.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/PAPRIKAMAC/modules/usr/src/sys/modules/mac_biba/mac_biba.ko.debug
Reading symbols from /usr/obj/usr/src/sys/PAPRIKAMAC/modules/usr/src/sys/modules/mac_mls/mac_mls.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/PAPRIKAMAC/modules/usr/src/sys/modules/mac_mls/mac_mls.ko.debug
Reading symbols from /boot/kernel/r128.ko...done.
Loaded symbols for /boot/kernel/r128.ko
Reading symbols from /usr/obj/usr/src/sys/PAPRIKAMAC/modules/usr/src/sys/modules/linprocfs/linprocfs.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/PAPRIKAMAC/modules/usr/src/sys/modules/linprocfs/linprocfs.ko.debug
Reading symbols from /usr/obj/usr/src/sys/PAPRIKAMAC/modules/usr/src/sys/modules/linux/linux.ko.debug...done.
Loaded symbols for /usr/obj/usr/src/sys/PAPRIKAMAC/modules/usr/src/sys/modules/linux/linux.ko.debug
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:240
240 dumping++;
(kgdb) bt
#0 doadump () at /usr/src/sys/kern/kern_shutdown.c:240
#1 0xc06719f7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:372
#2 0xc0671dfd in panic () at /usr/src/sys/kern/kern_shutdown.c:550
#3 0xc048cc82 in db_panic () at /usr/src/sys/ddb/db_command.c:450
#4 0xc048cbe2 in db_command (last_cmdp=0xc094efc0, cmd_table=0x0,
aux_cmd_tablep=0xc08d09cc, aux_cmd_tablep_end=0xc08d09e4)
at /usr/src/sys/ddb/db_command.c:346
#5 0xc048cd25 in db_command_loop () at /usr/src/sys/ddb/db_command.c:472
#6 0xc048fd25 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:73
#7 0xc082861c in kdb_trap (type=3, code=0, regs=0xd77c6b48)
at /usr/src/sys/i386/i386/db_interface.c:171
#8 0xc083e688 in trap (frame=
{tf_fs = 24, tf_es = -1064697840, tf_ds = 16, tf_edi = -1064617494, tf_esi = 1, tf_ebp = -679711852, tf_isp = -679711884, tf_ebx = 0, tf_edx = 0, tf_ecx = 32, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1065187035, tf_cs = 8, tf_eflags = 642,
tf_esp = -1064532435, tf_ss = -1064643348})
at /usr/src/sys/i386/i386/trap.c:580
#9 0xc082a068 in calltrap () at {standard input}:94
#10 0xc0671d96 in panic (fmt=0xc08b39ea "vrele: negative ref cnt")
at /usr/src/sys/kern/kern_shutdown.c:534
#11 0xc06cb44e in vrele () at /usr/src/sys/kern/vfs_subr.c:2221
#12 0xc07d4b18 in ffs_unmount (mp=0xc481c800, mntflags=524288, td=0xc1d29500)
at /usr/src/sys/ufs/ffs/ffs_vfsops.c:999
#13 0xc06c68f4 in dounmount (mp=0xc481c800, flags=524288, td=0xc1d29500)
at /usr/src/sys/kern/vfs_mount.c:1126
#14 0xc06cce3e in vfs_unmountall () at /usr/src/sys/kern/vfs_subr.c:3176
#15 0xc06718c3 in boot (howto=16392) at /usr/src/sys/kern/kern_shutdown.c:357
#16 0xc06711d4 in reboot (td=0xc1d29500, uap=0xd77c6d14)
at /usr/src/sys/kern/kern_shutdown.c:178
#17 0xc083f050 in syscall (frame=
{tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = -1077940488, tf_esi = -1077940488, tf_ebp = -1077940744, tf_isp = -679711372, tf_ebx = -1077940584, tf_edx = -1, tf_ecx = 4, tf_eax = 55, tf_trapno = 12, tf_err = 2, tf_eip = 134547627, tf_cs = 31, tf_ef
lags = 515, tf_esp = -1077940948, tf_ss = 47})
at /usr/src/sys/i386/i386/trap.c:1010
#18 0xc082a0bd in Xint0x80_syscall () at {standard input}:136
---Can't read userspace from dump, or kernel process---
(kgdb) up
#1 0xc06719f7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:372
372 doadump();
(kgdb) up
#2 0xc0671dfd in panic () at /usr/src/sys/kern/kern_shutdown.c:550
550 boot(bootopt);
(kgdb) up
#3 0xc048cc82 in db_panic () at /usr/src/sys/ddb/db_command.c:450
450 panic("from debugger");
(kgdb) up
#4 0xc048cbe2 in db_command (last_cmdp=0xc094efc0, cmd_table=0x0,
aux_cmd_tablep=0xc08d09cc, aux_cmd_tablep_end=0xc08d09e4)
at /usr/src/sys/ddb/db_command.c:346
346 (*cmd->fcn)(addr, have_addr, count, modif);
(kgdb) up
#5 0xc048cd25 in db_command_loop () at /usr/src/sys/ddb/db_command.c:472
472 db_command(&db_last_command, db_command_table,
(kgdb) up
#6 0xc048fd25 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_trap.c:73
73 db_command_loop();
(kgdb) up
#7 0xc082861c in kdb_trap (type=3, code=0, regs=0xd77c6b48)
at /usr/src/sys/i386/i386/db_interface.c:171
171 db_trap(type, code);
(kgdb) up
#8 0xc083e688 in trap (frame=
{tf_fs = 24, tf_es = -1064697840, tf_ds = 16, tf_edi = -1064617494, tf_esi = 1, tf_ebp = -679711852, tf_isp = -679711884, tf_ebx = 0, tf_edx = 0, tf_ecx = 32, tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1065187035, tf_cs = 8, tf_eflags = 642,
tf_esp = -1064532435, tf_ss = -1064643348})
at /usr/src/sys/i386/i386/trap.c:580
580 if (kdb_trap (type, 0, &frame))
(kgdb) up
#9 0xc082a068 in calltrap () at {standard input}:94
94 {standard input}: No such file or directory.
in {standard input}
Current language: auto; currently asm
(kgdb) up
#10 0xc0671d96 in panic (fmt=0xc08b39ea "vrele: negative ref cnt")
at /usr/src/sys/kern/kern_shutdown.c:534
534 Debugger ("panic");
Current language: auto; currently c
(kgdb) up
#11 0xc06cb44e in vrele () at /usr/src/sys/kern/vfs_subr.c:2221
2221 panic("vrele: negative ref cnt");
(kgdb) list
2216 } else {
2217 #ifdef DIAGNOSTIC
2218 vprint("vrele: negative ref count", vp);
2219 #endif
2220 VI_UNLOCK(vp);
2221 panic("vrele: negative ref cnt");
2222 }
2223 }
2224
2225 /*
(kgdb) inspect *vp
$1 = {v_interlock = {mtx_object = {lo_class = 0xc0907a9c,
lo_name = 0xc08b37b0 "vnode interlock",
lo_type = 0xc08b37b0 "vnode interlock", lo_flags = 196608, lo_list = {
tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4,
mtx_recurse = 0}, v_iflag = 256, v_usecount = 0, v_numoutput = 0,
v_vxproc = 0x0, v_holdcnt = 0, v_cleanblkhd = {tqh_first = 0x0,
tqh_last = 0xc49c4b64}, v_cleanblkroot = 0x0, v_cleanbufcnt = 0,
v_dirtyblkhd = {tqh_first = 0x0, tqh_last = 0xc49c4b74},
v_dirtyblkroot = 0x0, v_dirtybufcnt = 0, v_vflag = 8, v_writecount = 0,
v_object = 0xc10366b4, v_lastw = 0, v_cstart = 0, v_lasta = 0, v_clen = 0,
v_un = {vu_mountedhere = 0xc486a300, vu_socket = 0xc486a300, vu_spec = {
vu_cdev = 0xc486a300, vu_specnext = {sle_next = 0x0}},
vu_fifoinfo = 0xc486a300}, v_freelist = {tqe_next = 0x0,
tqe_prev = 0xc4974088}, v_nmntvnodes = {tqe_next = 0xc49c4a28,
tqe_prev = 0xc4946090}, v_synclist = {le_next = 0x0,
le_prev = 0xc47e6830}, v_type = VCHR, v_tag = 0xc08a7281 "devfs",
v_data = 0xc4968580, v_lock = {lk_interlock = 0xc096ccf8,
lk_flags = 16777216, lk_sharecount = 0, lk_waitcount = 0,
lk_exclusivecount = 0, lk_prio = 80, lk_wmesg = 0xc08a7281 "devfs",
lk_timo = 6, lk_lockholder = 0xffffffff, lk_newlock = 0x0},
v_vnlock = 0xc49c4bd8, v_op = 0xc480cc00, v_mount = 0xc481e000,
v_cache_src = {lh_first = 0x0}, v_cache_dst = {tqh_first = 0x0,
tqh_last = 0xc49c4c0c}, v_id = 179, v_dd = 0xc49c4b2c, v_ddid = 0,
v_pollinfo = 0x0, v_label = 0xc4967618, v_cachedfs = 4294967295,
v_cachedid = 97}
(kgdb) up
#12 0xc07d4b18 in ffs_unmount (mp=0xc481c800, mntflags=524288, td=0xc1d29500)
at /usr/src/sys/ufs/ffs/ffs_vfsops.c:999
999 vrele(ump->um_devvp);
(kgdb) inspect *ump
$2 = {um_mountp = 0xc481c800, um_dev = 0xc486a300, um_devvp = 0xc49c4b2c,
um_fstype = 2, um_fs = 0xc4911000, um_quotas = {0x0, 0x0}, um_cred = {0x0,
0x0}, um_extattr = {uepm_lock = {lk_interlock = 0x0, lk_flags = 0,
lk_sharecount = 0, lk_waitcount = 0, lk_exclusivecount = 0, lk_prio = 0,
lk_wmesg = 0x0, lk_timo = 0, lk_lockholder = 0x0, lk_newlock = 0x0},
uepm_list = {lh_first = 0x0}, uepm_ucred = 0x0, uepm_flags = 0},
um_nindir = 2048, um_bptrtodb = 2, um_seqinc = 8, um_numindirdeps = 0,
um_btime = {0, 0}, um_itime = {0, 0}, um_qflags = "\0",
um_savedmaxfilesize = 0, um_balloc = 0xc07beee0 <ffs_balloc_ufs2>,
um_blkatoff = 0xc07d25a0 <ffs_blkatoff>,
um_truncate = 0xc07c0fa0 <ffs_truncate>,
um_update = 0xc07c0c50 <ffs_update>, um_valloc = 0xc07ba700 <ffs_valloc>,
um_vfree = 0xc07bcd60 <ffs_vfree>, um_ifree = 0xc07d5c90 <ffs_ifree>}
(kgdb) inspect *mp
$3 = {mnt_list = {tqe_next = 0x0, tqe_prev = 0xc481e000}, mnt_op = 0xc0940220,
mnt_vfc = 0xc0940260, mnt_vnodecovered = 0xc4946924, mnt_syncer = 0x0,
mnt_nvnodelist = {tqh_first = 0x0, tqh_last = 0xc481c818},
mnt_reservedvnlist = {tqh_first = 0x0, tqh_last = 0xc481c820}, mnt_lock = {
lk_interlock = 0xc096ce3c, lk_flags = 16794624, lk_sharecount = 0,
lk_waitcount = 0, lk_exclusivecount = 1, lk_prio = 80,
lk_wmesg = 0xc08b312b "vfslock", lk_timo = 0, lk_lockholder = 0xc1d29500,
lk_newlock = 0x0}, mnt_mtx = {mtx_object = {lo_class = 0xc0907a9c,
lo_name = 0xc08b311a "struct mount mtx",
lo_type = 0xc08b311a "struct mount mtx", lo_flags = 196608, lo_list = {
tqe_next = 0x0, tqe_prev = 0x0}, lo_witness = 0x0}, mtx_lock = 4,
mtx_recurse = 0}, mnt_writeopcount = 1, mnt_flag = 2101248, mnt_opt = 0x0,
mnt_optnew = 0x0, mnt_kern_flag = 16777217, mnt_maxsymlinklen = 120,
mnt_stat = {f_version = 537068824, f_type = 4, f_flags = 2101248,
f_bsize = 2048, f_iosize = 16384, f_blocks = 8707399, f_bfree = 1046155,
f_bavail = 349564, f_files = 2260990, f_ffree = 1262107,
f_syncwrites = 152, f_asyncwrites = 56103, f_syncreads = 234360,
f_asyncreads = 1263, f_spare = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
f_namemax = 255, f_owner = 0, f_fsid = {val = {1048561141, 1317826222}},
f_charspare = '\0' <repeats 79 times>,
f_fstypename = "ufs", '\0' <repeats 12 times>,
f_mntfromname = "/dev/ad0s1e", '\0' <repeats 76 times>,
f_mntonname = "/usr", '\0' <repeats 83 times>}, mnt_cred = 0xc496e780,
mnt_data = 0xc499b300, mnt_time = 0, mnt_iosize_max = 131072,
mnt_export = 0x0, mnt_mntlabel = 0xc496767c, mnt_fslabel = 0xc49677bc,
mnt_nvnodelistsize = 0}
(kgdb) list
994 NOCRED, td);
995 #else
996 error = VOP_CLOSE(ump->um_devvp, FREAD|FWRITE, NOCRED, td);
997 #endif
998
999 vrele(ump->um_devvp);
1000
1001 free(fs->fs_csp, M_UFSMNT);
1002 free(fs, M_UFSMNT);
1003 free(ump, M_UFSMNT);
(kgdb) up
#13 0xc06c68f4 in dounmount (mp=0xc481c800, flags=524288, td=0xc1d29500)
at /usr/src/sys/kern/vfs_mount.c:1126
1126 error = VFS_UNMOUNT(mp, flags, td);
(kgdb) inspect flags
$4 = 524288
(kgdb) up
#14 0xc06cce3e in vfs_unmountall () at /usr/src/sys/kern/vfs_subr.c:3176
3176 error = dounmount(mp, MNT_FORCE, td);
(kgdb) quit
Script done on Mon Dec 1 12:23:54 2003
More information about the freebsd-current
mailing list