From netchild@freebsd.org  Sat Jan 20 13:42:28 2007
Return-Path: <netchild@freebsd.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id BB3D516A401
	for <freebsd-gnats-submit@freebsd.org>; Sat, 20 Jan 2007 13:42:28 +0000 (UTC)
	(envelope-from netchild@freebsd.org)
Received: from redbull.bpaserver.net (redbullneu.bpaserver.net [213.198.78.217])
	by mx1.freebsd.org (Postfix) with ESMTP id 6233F13C461
	for <freebsd-gnats-submit@freebsd.org>; Sat, 20 Jan 2007 13:42:28 +0000 (UTC)
	(envelope-from netchild@freebsd.org)
Received: from outgoing.leidinger.net (p54A5DAA7.dip.t-dialin.net [84.165.218.167])
	by redbull.bpaserver.net (Postfix) with ESMTP id AB79C2E1AB
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 20 Jan 2007 14:50:52 +0100 (CET)
Received: from Magellan.Leidinger.net (Magellan.Leidinger.net [192.168.1.1])
	by outgoing.leidinger.net (Postfix) with ESMTP id 0978D5B482A
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 20 Jan 2007 14:42:17 +0100 (CET)
Message-Id: <1169300538.1578@Magellan.Leidinger.net>
Date: Sat, 20 Jan 2007 14:42:18 +0100
From: "Alexander Leidinger" <netchild@FreeBSD.org>
To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@freebsd.org>
Subject: panic: relpbuf with vp
X-Send-Pr-Version: gtk-send-pr 0.4.8 
X-GNATS-Notify:

>Number:         108151
>Category:       kern
>Synopsis:       [ufs] panic: relpbuf with vp
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    tegge
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 20 13:50:15 GMT 2007
>Closed-Date:    Fri Apr 25 10:13:39 UTC 2008
>Last-Modified:  Fri Apr 25 10:13:39 UTC 2008
>Originator:     Alexander Leidinger
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
FreeBSD 
>Environment:


System: FreeBSD 7.0-CURRENT #233: Thu Jan 18 08:37:34 CET 2007
    root@Magellan.Leidinger.net:/big/usr/src/sys/i386/compile/WORK



>Description:


(kgdb) bt
#0  doadump () at pcpu.h:166
During symbol reading, Incomplete CFI data; unspecified registers at 0xc04a098e.
#1  0xc04a105e in boot (howto=0x104) at ../../../kern/kern_shutdown.c:411
#2  0xc04a0bad in panic (fmt=0xc05c5bbf "relpbuf with vp") at ../../../kern/kern_shutdown.c:567
#3  0xc056b21a in relpbuf (bp=0xcceaed30, pfreecnt=0xc05f0f0c) at ../../../vm/vm_pager.c:397
#4  0xc054bd1e in ffs_rawread_main (vp=0xc325dc90, uio=0xd6aaec68) at ../../../ufs/ffs/ffs_rawread.c:417
#5  0xc054c2e1 in ffs_rawread (vp=0xc325dc90, uio=0xd6aaec68, workdone=0xd6aaeb58)
    at ../../../ufs/ffs/ffs_rawread.c:476
#6  0xc0549cc3 in ffs_read (ap=0xd6aaeba0) at ../../../ufs/ffs/ffs_vnops.c:432
#7  0xc0599394 in VOP_READ_APV (vop=0x0, a=0xd6aaeba0) at vnode_if.c:637
#8  0xc04faf73 in vn_read (fp=0xc3c3e3a8, uio=0xd6aaec68, active_cred=0xc2fbe400, flags=0x0, td=0xc5014bd0)
    at vnode_if.h:343
#9  0xc04c579e in dofileread (td=0xc5014bd0, fd=0x4, fp=0xc3c3e3a8, auio=0xd6aaec68, offset=Unhandled dwarf expression opcode 0x93
) at file.h:242
#10 0xc04c593c in kern_readv (td=0xc5014bd0, fd=0x4, auio=0xd6aaec68) at ../../../kern/sys_generic.c:192
#11 0xc04c59da in read (td=0xc5014bd0, uap=0x0) at ../../../kern/sys_generic.c:116
#12 0xc058f87d in syscall (frame=0xd6aaed38) at ../../../i386/i386/trap.c:1008
#13 0xc05811f0 in Xint0x80_syscall () at ../../../i386/i386/exception.s:196
#14 0x281100e8 in ?? ()
Previous frame inner to this frame (corrupt stack?)
(kgdb) up 3
#3  0xc056b21a in relpbuf (bp=0xcceaed30, pfreecnt=0xc05f0f0c) at ../../../vm/vm_pager.c:397
397             KASSERT(bp->b_bufobj == NULL, ("relpbuf with bufobj"));
(kgdb) list
392                     crfree(bp->b_wcred);
393                     bp->b_wcred = NOCRED;
394             }
395
396             KASSERT(bp->b_vp == NULL, ("relpbuf with vp"));
397             KASSERT(bp->b_bufobj == NULL, ("relpbuf with bufobj"));
398
399             BUF_UNLOCK(bp);
400
401             mtx_lock(&pbuf_mtx);
(kgdb) print bp
$1 = (struct buf *) 0xcceaed30
(kgdb) print *bp
$2 = {
  b_bufobj = 0x0, 
  b_bcount = 0x2000, 
  b_caller1 = 0x0, 
  b_data = 0x804f000 <Address 0x804f000 out of bounds>, 
  b_error = 0x0, 
  b_iocmd = 0x1, 
  b_ioflags = 0x2, 
  b_iooffset = 0x44feb8000, 
  b_resid = 0x0, 
  b_iodone = 0, 
  b_blkno = 0x227f5c0, 
  b_offset = 0x44feb8000, 
  b_bobufs = {
    tqe_next = 0x0, 
    tqe_prev = 0x0
  }, 
  b_left = 0x0, 
  b_right = 0x0, 
  b_vflags = 0x0, 
  b_freelist = {
    tqe_next = 0xcceb2dd0, 
    tqe_prev = 0xc062caf8
  }, 
  b_qindex = 0x0, 
  b_flags = 0x200, 
  b_xflags = 0x0, 
  b_lock = {
    lk_object = {
      lo_name = 0xc05b7ad2 "bufwait", 
      lo_type = 0x0, 
      lo_flags = 0x40000, 
      lo_witness_data = {
        lod_list = {
          stqe_next = 0x0
        }, 
        lod_witness = 0x0
      }
    }, 
    lk_interlock = 0xc0614340, 
    lk_sharecount = 0x0, 
    lk_waitcount = 0x0, 
    lk_exclusivecount = 0x1, 
    lk_prio = 0x50, 
    lk_timo = 0x0, 
    lk_lockholder = 0xc5014bd0, 
    lk_newlock = 0x0
  }, 
  b_bufsize = 0x2000, 
  b_runningbufspace = 0x0, 
  b_kvabase = 0xd22bc000 <Address 0xd22bc000 out of bounds>, 
  b_kvasize = 0x20000, 
  b_lblkno = 0x0, 
  b_vp = 0xc325dc90, 
  b_dirtyoff = 0x0, 
  b_dirtyend = 0x1c000, 
  b_rcred = 0x0, 
  b_wcred = 0x0, 
  b_saveaddr = 0x804f000, 
  b_pager = {
    pg_reqpage = 0x0
  }, 
  b_cluster = {
    cluster_head = {
      tqh_first = 0xccede2d0, 
      tqh_last = 0xccef3e10
    }, 
    cluster_entry = {
      tqe_next = 0xccede2d0, 
      tqe_prev = 0xccef3e10
    }
  }, 
  b_pages = {0xc137e548, 0xc1344570, 0xc16ac9a0, 0xc1366ab8, 0xc1463058, 0xc1249650, 0xc13548c0, 0xc11ce1e8, 
    0xc13671c0, 0xc17ca6c0, 0xc1302900, 0xc1371180, 0xc18a2630, 0xc1186ff8, 0xc12bb6c8, 0xc1139dd8, 0xc16a6ec8, 
    0xc13b99f0, 0xc1305b10, 0xc10e01c8, 0xc136e3f0, 0xc1386540, 0xc188b770, 0xc18704a0, 0xc1552308, 0xc11f12b8, 
    0xc1207098, 0xc1271598, 0xc13e9d68, 0xc1594b48, 0xc1433748, 0xc134a798}, 
  b_npages = 0x2, 
  b_dep = {
    lh_first = 0x0
  }, 
  b_fsprivate1 = 0x0, 
  b_fsprivate2 = 0x0, 
  b_fsprivate3 = 0x0, 
  b_pin_count = 0x0
}



>How-To-Repeat:


Running the fsx filesystem test in the linuxulator (Linux Test Project
version of fsx). This succeeded a lot of times before. The panic started
to appear at the start of this year (already reported to current). I just
need to run the entire LTP test (see http://wiki.freebsd.org/linux-kernel
for more) and at some point it panics.


>Fix:





>Release-Note:
>Audit-Trail:

From: Tor Egge <Tor.Egge@cvsup.no.freebsd.org>
To: netchild@freebsd.org
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/108151: panic: relpbuf with vp
Date: Sun, 21 Jan 2007 01:23:52 +0000 (UTC)

 ffs_rawread_main() should call pbgetvp()/pbrelvp() instead of just setting
 b_vp directly.  A suggested fix is enclosed.
 
 - Tor Egge
 
 Index: sys/ufs/ffs/ffs_rawread.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/ufs/ffs/ffs_rawread.c,v
 retrieving revision 1.28
 diff -u -r1.28 ffs_rawread.c
 --- sys/ufs/ffs/ffs_rawread.c	5 May 2006 21:27:31 -0000	1.28
 +++ sys/ufs/ffs/ffs_rawread.c	21 Jan 2007 00:05:47 -0000
 @@ -310,7 +310,7 @@
  			/* XXX: Leave some bufs for swap */
  			bp = getpbuf(&ffsrawbufcnt);
  			sa = bp->b_data;
 -			bp->b_vp = vp; 
 +			pbgetvp(vp, bp);
  			error = ffs_rawread_readahead(vp, udata, offset,
  						     resid, td, bp, sa);
  			if (error != 0)
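Review bot: the `if (error != 0)` branch that follows the new `pbgetvp(vp, bp)` is cut off by the hunk context, so it is not visible how that path leaves the loop. Please confirm it falls through to the cleanup at the end of the function, where the last hunk adds `pbrelvp(bp)` before `relpbuf(bp, &ffsrawbufcnt)`, and does not release bp on its own without dropping the vnode association first.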
 @@ -324,7 +324,7 @@
  					nbp = NULL;
  				if (nbp != NULL) {
  					nsa = nbp->b_data;
 -					nbp->b_vp = vp;
 +					pbgetvp(vp, nbp);
  					
  					nerror = ffs_rawread_readahead(vp, 
  								       udata +
 @@ -337,6 +337,7 @@
  								       nbp,
  								       nsa);
  					if (nerror) {
 +						pbrelvp(nbp);
  						relpbuf(nbp, &ffsrawbufcnt);
  						nbp = NULL;
  					}
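Review bot: the `if (nerror)` branch now depends on `pbrelvp(nbp)` coming immediately before `relpbuf(nbp, &ffsrawbufcnt)`, but nothing in the code says why. A one-line comment noting that relpbuf() asserts b_vp is NULL (the "relpbuf with vp" KASSERT from the report) would keep a later cleanup from reordering or dropping the call.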
 @@ -385,6 +386,7 @@
  			nsa = tsa;
  			
  			if (resid <= bp->b_bufsize) { /* No more readaheads */
 +				pbrelvp(nbp);
  				relpbuf(nbp, &ffsrawbufcnt);
  				nbp = NULL;
  			} else { /* Setup next readahead */
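Review bot: in the `else` branch ("Setup next readahead") nbp is reused for another ffs_rawread_readahead() call with no new pbgetvp() in the patch, so it relies on the association made earlier in the loop still being in place. That looks intentional, since the next hunk calls `pbrelvp(nbp)` on the error path, but a short comment here stating that the pbuf keeps its vnode while it is recycled would make the pairing with the `pbrelvp(nbp)` in the "No more readaheads" branch easier to verify.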
 @@ -399,6 +401,7 @@
  							       nbp,
  							       nsa);
  				if (nerror != 0) {
 +					pbrelvp(nbp);
  					relpbuf(nbp, &ffsrawbufcnt);
  					nbp = NULL;
  				}
 @@ -413,13 +416,16 @@
  		}
  	}
  	
 -	if (bp != NULL)
 +	if (bp != NULL) {
 +		pbrelvp(bp);
  		relpbuf(bp, &ffsrawbufcnt);
 +	}
  	if (nbp != NULL) {			/* Run down readahead buffer */
  		spl = splbio();
  		bwait(nbp, PRIBIO, "rawrd");
  		splx(spl);
  		vunmapbuf(nbp);
 +		pbrelvp(nbp);
  		relpbuf(nbp, &ffsrawbufcnt);
  	}
  	
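Review bot: with the two cleanup blocks in this hunk, the `pbrelvp(x); relpbuf(x, &ffsrawbufcnt);` pair now appears five times in the patch. Consider a small static helper in ffs_rawread.c that does both, so that a release path added later cannot call relpbuf() alone and reintroduce the panic.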
 
From: Alexander Leidinger <netchild@FreeBSD.org>
To: Tor Egge <Tor.Egge@cvsup.no.freebsd.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/108151: panic: relpbuf with vp
Date: Sun, 21 Jan 2007 16:11:26 +0100

 Works like a charm. A full LTP run without a panic.
 
 Thanks!
 
 Bye,
 Alexander.
 
 -- 
       ...and that is how we know the Earth to be banana-shaped.
 http://www.Leidinger.net  Alexander @ Leidinger.net: PGP ID = B0063FE7
 http://www.FreeBSD.org     netchild @ FreeBSD.org  : PGP ID = 72077137
Responsible-Changed-From-To: freebsd-bugs->tegge 
Responsible-Changed-By: netchild 
Responsible-Changed-When: Mon Jan 29 20:06:44 UTC 2007 
Responsible-Changed-Why:  
Assign to tegge, he provided the fix (works without a problem so far). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=108151 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/108151: commit references a PR
Date: Sun,  4 Feb 2007 23:42:15 +0000 (UTC)

 tegge       2007-02-04 23:42:02 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/ufs/ffs          ffs_rawread.c 
   Log:
   Call pbgetvp() and pbrelvp() instead of setting b_vp directly.
   
   PR:             kern/108151
   
   Revision  Changes    Path
   1.29      +9 -3      src/sys/ufs/ffs/ffs_rawread.c
 
State-Changed-From-To: open->patched 
State-Changed-By: linimon 
State-Changed-When: Tue Apr 24 09:40:29 UTC 2007 
State-Changed-Why:  
This was committed.  To tegge: has this been MFCed? 

State-Changed-From-To: patched->closed 
State-Changed-By: linimon 
State-Changed-When: Fri Apr 25 10:11:38 UTC 2008 
State-Changed-Why:  
Merged to RELENG_6 as 1.25.2.4. 

>Unformatted:
