From nobody@FreeBSD.org  Fri Aug 19 22:50:51 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B25EE106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 19 Aug 2011 22:50:51 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id A46D48FC18
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 19 Aug 2011 22:50:51 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p7JMopQ9016357
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 19 Aug 2011 22:50:51 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p7JMopFL016356;
	Fri, 19 Aug 2011 22:50:51 GMT
	(envelope-from nobody)
Message-Id: <201108192250.p7JMopFL016356@red.freebsd.org>
Date: Fri, 19 Aug 2011 22:50:51 GMT
From: Wouter Snels <nospam@ofloo.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kernel core
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         159930
>Category:       kern
>Synopsis:       [ufs] [panic] kernel core
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-fs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 19 23:00:25 UTC 2011
>Closed-Date:    
>Last-Modified:  Mon Aug 22 16:33:41 UTC 2011
>Originator:     Wouter Snels
>Release:        FreeBSD 8.2
>Organization:
>Environment:
FreeBSD spark.ofloo.net 8.2-RELEASE-p2 FreeBSD 8.2-RELEASE-p2 #0: Wed Jul 13 15:20:57 CEST 2011     ofloo@spark.ofloo.net:/usr/obj/usr/src/sys/OFL  amd64

>Description:
Fatal trap 12: page fault while in kernel mode
cpuid = 2; apic id = 02
fault virtual address   = 0x30
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff805dd943
stack pointer           = 0x28:0xffffff8091e3d6c0
frame pointer           = 0x28:0xffffff8091e3d6f0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 18 (softdepflush)
trap number             = 12
panic: page fault
cpuid = 2
KDB: stack backtrace:
#0 0xffffffff8063300e at kdb_backtrace+0x5e
#1 0xffffffff80602627 at panic+0x187
#2 0xffffffff808fbbe0 at trap_fatal+0x290
#3 0xffffffff808fbfbf at trap_pfault+0x28f
#4 0xffffffff808fc49f at trap+0x3df
#5 0xffffffff808e4644 at calltrap+0x8
#6 0xffffffff805f668a at priv_check_cred+0x3a
#7 0xffffffff8084ebd0 at chkdq+0x310
#8 0xffffffff8082db5d at ffs_truncate+0xfed
#9 0xffffffff8084ac5c at ufs_inactive+0x21c
#10 0xffffffff8068a761 at vinactive+0x71
#11 0xffffffff806904b8 at vputx+0x2d8
#12 0xffffffff80836386 at handle_workitem_remove+0x206
#13 0xffffffff8083675e at process_worklist_item+0x20e
#14 0xffffffff80838893 at softdep_process_worklist+0xe3
#15 0xffffffff80839d3c at softdep_flush+0x17c
#16 0xffffffff805d9f28 at fork_exit+0x118
#17 0xffffffff808e4b0e at fork_trampoline+0xe
Uptime: 2d4h7m56s
Cannot dump. Device not defined or unavailable.
Automatic reboot in 15 seconds - press a key on the console to abort
panic: bufwrite: buffer is not busy???
cpuid = 2
Rebooting...

>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-amd64->freebsd-fs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Aug 20 04:10:35 UTC 2011 
Responsible-Changed-Why:  
attempt to reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=159930 

From: Sergey Kandaurov <pluknet@gmail.com>
To: bug-followup@FreeBSD.org, nospam@ofloo.net
Cc:  
Subject: Re: kern/159930: [ufs] [panic] kernel core
Date: Sat, 20 Aug 2011 10:58:29 +0400

 Do you use "options QUOTA" ?
 How often do you experience this crash?
 Can you show the exact way to reproduce it?
 Can you check if the following patch helps you?
 Thanks.
 
 --- sys/ufs/ffs/ffs_inode.c      2010-06-14 06:09:06.000000000 +0400
 +++ sys/ufs/ffs/ffs_inode.c 2010-12-09 15:25:28.000000000 +0300
 @@ -215,7 +215,7 @@
                         osize = ip->i_din2->di_extsize;
                         ip->i_din2->di_blocks -= extblocks;
  #ifdef QUOTA
 -                       (void) chkdq(ip, -extblocks, NOCRED, 0);
 +                       (void) chkdq(ip, -extblocks, NOCRED, FORCE);
  #endif
                         vinvalbuf(vp, V_ALT, 0, 0);
                         ffs_pages_remove(vp,
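Review bot: FORCE here only suppresses the priv_check_cred(cred, ...) call inside chkdq(), so it hides the NULL-cred dereference without explaining how a positive change reaches it; this call is guarded by `if ((flags & IO_EXT) && extblocks > 0)`, so `-extblocks` should be negative and take the early decrease path that never consults cred. If the panic still reproduces with this hunk applied, or the crashdump shows a negative extblocks, the di_blocks/extblocks accounting just above (`ip->i_din2->di_blocks -= extblocks;`) is where to look, not the credential.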
 @@ -290,7 +290,7 @@
                         UFS_UNLOCK(ump);
                 } else {
  #ifdef QUOTA
 -                       (void) chkdq(ip, -datablocks, NOCRED, 0);
 +                       (void) chkdq(ip, -datablocks, NOCRED, FORCE);
  #endif
                         softdep_setup_freeblocks(ip, length, needextclean ?
                             IO_EXT | IO_NORMAL : IO_NORMAL);
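Review bot: the same `chkdq(ip, -datablocks, NOCRED, 0)` pattern exists in ffs_softdep.c (two call sites, listed later in this thread), but the patch touches only ffs_inode.c; if the diagnosis really is "NOCRED reaches priv_check_cred()", those soft-updates call sites need the same FORCE treatment or the crash stays reachable through softdep_setup_freeblocks(). Also, with FORCE set the limit check cannot fail, so the `(void)` discard of the return value becomes harmless here; worth saying in a comment so the next reader does not wonder why an error is ignored.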
 @@ -526,7 +526,7 @@
                 DIP_SET(ip, i_blocks, 0);
         ip->i_flag |= IN_CHANGE;
  #ifdef QUOTA
 -       (void) chkdq(ip, -blocksreleased, NOCRED, 0);
 +       (void) chkdq(ip, -blocksreleased, NOCRED, FORCE);
  #endif
         return (allerror);
  }
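Review bot: the hunk header `@@ -526,7` and the June/December 2010 timestamps in the patch header show this diff was generated against a different ffs_inode.c than the reporter's 8.2-RELEASE-p2 tree, where the grep later in the thread places this call at line 522; the hunk should apply with an offset, but the reporter should confirm patch(1) reports no rejects, and check that the OFL kernel config actually has `options QUOTA`, since without it all three hunks are compiled out and a clean test run proves nothing.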
 
 -- 
 wbr,
 pluknet

From: John Baldwin <jhb@freebsd.org>
To: freebsd-amd64@freebsd.org
Cc: Wouter Snels <nospam@ofloo.net>,
 freebsd-gnats-submit@freebsd.org
Subject: Re: amd64/159930: kernel core
Date: Mon, 22 Aug 2011 08:27:34 -0400

 Hmm, the panic seems to be caused by a null ucred pointer passed to 
 priv_check_cred() in chkdq():
 
         if ((flags & FORCE) == 0 &&
             priv_check_cred(cred, PRIV_VFS_EXCEEDQUOTA, 0))
                 do_check = 1;
         else
                 do_check = 0;
 
 However, ffs_truncate() passes in NOCRED for its credential:
 
         if ((flags & IO_EXT) && extblocks > 0) {
                 ...
 #ifdef QUOTA
                         (void) chkdq(ip, -extblocks, NOCRED, 0);
 #endif
 
 A few other places call chkdq() with NOCRED (but not with the FORCE flag):
 
 ffs/ffs_inode.c:522:    (void) chkdq(ip, -blocksreleased, NOCRED, 0);
 ffs/ffs_softdep.c:6201: (void) chkdq(ip, -datablocks, NOCRED, 0);
 ffs/ffs_softdep.c:6431: (void) chkdq(ip, -datablocks, NOCRED, 0);
 
 Hmm, all these calls should be passing in a negative value though, and 
 reducing usage takes a shorter path at the start of chkdq() that always 
 returns without ever getting to the call to priv_check_cred().  Similarly if 
 the value (e.g. extblocks) was 0.  This implies that extblocks was a negative 
 value which seems very odd.  Especially given the logic in ffs_truncate():
 
         if ((flags & IO_EXT) && extblocks > 0) {
                 ...
                         if ((error = ffs_syncvnode(vp, MNT_WAIT)) != 0)
                                 return (error);
 #ifdef QUOTA
                         (void) chkdq(ip, -extblocks, NOCRED, 0);
 #endif
 
 Nothing changes extblocks in between that check and the call to chkdq().  It 
 would probably be best to get a crashdump if this is reproducible so we can 
 investigate it further.
 
 -- 
 John Baldwin
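The control flow Baldwin describes, as an added example that is not FreeBSD's own code: a stripped-down C model of the chkdq() decision path as quoted in this PR (a zero change returns at once, a negative change charges blocks back without consulting cred, a positive change without FORCE calls priv_check_cred() on cred). The NULL-cred case is modelled as a distinct outcome instead of a fault, and the FORCE bit value is an assumption (the real constant is defined in the ufs quota header; here it only needs to be non-zero). Running it shows that `chkdq(ip, -extblocks, NOCRED, 0)` reaches priv_check_cred() only when extblocks itself is negative, and that the FORCE patch above skips that call rather than fixing the sign.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added model of chkdq()'s dispatch as quoted in this PR; not the kernel's code. */
typedef int64_t ufs2_daddr_t;
struct ucred { int cr_uid; };
#define NOCRED ((struct ucred *)0)
#define FORCE  0x01   /* assumed bit value; only needs to be non-zero for the model */

enum chkdq_path {
    PATH_NOOP,              /* change == 0: return 0 immediately            */
    PATH_DECREASE,          /* change <  0: charge back, cred never touched   */
    PATH_INCREASE_FORCED,   /* change >  0 with FORCE: limit check skipped    */
    PATH_INCREASE_CHECK,    /* change >  0, cred consulted, limit enforced    */
    PATH_NULL_CRED_DEREF    /* change >  0, FORCE clear, cred == NOCRED: PR crash */
};

/* Which branch of chkdq() a (change, cred, flags) triple takes. */
static enum chkdq_path chkdq_path(ufs2_daddr_t change, const struct ucred *cred, int flags)
{
    if (change == 0)
        return PATH_NOOP;
    if (change < 0)
        return PATH_DECREASE;           /* early path: returns before any cred use */
    if ((flags & FORCE) == 0) {
        /* real code: priv_check_cred(cred, PRIV_VFS_EXCEEDQUOTA, 0), which reads
         * through cred; with NOCRED that is the page fault reported in this PR */
        if (cred == NOCRED)
            return PATH_NULL_CRED_DEREF;
        return PATH_INCREASE_CHECK;
    }
    return PATH_INCREASE_FORCED;
}

/* Model of the ffs_truncate() call site: chkdq(ip, -extblocks, NOCRED, flags). */
static enum chkdq_path truncate_ext_path(ufs2_daddr_t extblocks, int flags)
{
    return chkdq_path(-extblocks, NOCRED, flags);
}

/* Model of a normal write path that does carry a credential (constructed cred). */
static struct ucred root_cred = { .cr_uid = 0 };
static enum chkdq_path write_path(ufs2_daddr_t change, int flags)
{
    return chkdq_path(change, &root_cred, flags);
}

static const char *path_name(enum chkdq_path p)
{
    static const char *names[] = {
        "noop", "decrease (cred unused)", "increase, FORCE (check skipped)",
        "increase, checked", "increase, NULL cred dereferenced"
    };
    return names[p];
}

int main(void)
{
    /* Constructed inputs covering the cases argued in the thread. */
    struct { ufs2_daddr_t extblocks; int flags; } cases[] = {
        { 16,  0 },      /* normal truncate: extblocks > 0 as the guard requires */
        {  0,  0 },      /* nothing to release                                   */
        { -16, 0 },      /* the only way the reported panic is reachable         */
        { -16, FORCE },  /* same input with the proposed patch applied           */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("extblocks=%lld flags=%-5s -> %s\n",
               (long long)cases[i].extblocks,
               (cases[i].flags & FORCE) ? "FORCE" : "0",
               path_name(truncate_ext_path(cases[i].extblocks, cases[i].flags)));
    return 0;
}
```

The useful observation from the table is the third row: with the guard `extblocks > 0` holding, `-extblocks` can never be positive, so a NULL-cred crash at this call site means the value passed was not what the guard saw, which is exactly why a crashdump is the right next step.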
>Unformatted:
