From nobody@FreeBSD.org  Mon Dec 10 12:30:43 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 83010FB5
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Dec 2012 12:30:43 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 600E28FC15
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Dec 2012 12:30:43 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id qBACUfVd081280
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 10 Dec 2012 12:30:41 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id qBACUe0u081279;
	Mon, 10 Dec 2012 12:30:40 GMT
	(envelope-from nobody)
Message-Id: <201212101230.qBACUe0u081279@red.freebsd.org>
Date: Mon, 10 Dec 2012 12:30:40 GMT
From: Petr Lampa <lampa@fit.vutbr.cz>
To: freebsd-gnats-submit@FreeBSD.org
Subject: syncer quota panic
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         174324
>Category:       kern
>Synopsis:       syncer quota panic
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kib
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 10 12:40:00 UTC 2012
>Closed-Date:    Mon Jan 28 16:48:04 UTC 2013
>Last-Modified:  Mon Jan 28 16:48:04 UTC 2013
>Originator:     Petr Lampa
>Release:        9.1-PRERELEASE
>Organization:
BUT FIT
>Environment:
FreeBSD xxx 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #7: Mon Dec 10 10:55:10 CET 2012     root@xxxxxx:/usr/src/sys/i386/compile/GATE  i386

>Description:
Kernel panic with quota enabled in qsync():

Fatal trap 12: page fault while in kernel mode
fault virtual address = 0x0

Stopped at    __mnt_vnode_markerfree_all+0x78:   movl  %eax,0(%edx)

where
#12 0xc06f3bc8 in __mnt_vnode_markerfree_all (mvp=0xec05bb70, mp=0xc60c0ce4)
    at /usr/src/sys/kern/vfs_subr.c:4723
#13 0xc07e39ae in qsync (mp=0xc60c0ce4)
    at /usr/src/sys/ufs/ufs/ufs_quota.c:1055
#14 0xc07d3a2f in ffs_sync (mp=0xc60c0ce4, waitfor=3)
    at /usr/src/sys/ufs/ffs/ffs_vfsops.c:1469
#15 0xc06fc6d2 in sync_fsync (ap=0xec05bc4c)
    at /usr/src/sys/kern/vfs_subr.c:3692
#16 0xc087d7d2 in VOP_FSYNC_APV (vop=0xc0928820, a=0xec05bc4c)
    at vnode_if.c:1267
#17 0xc06fa3ce in sync_vnode (slp=Variable "slp" is not available.
) at vnode_if.h:549
#18 0xc06fa7c2 in sched_sync () at /usr/src/sys/kern/vfs_subr.c:1914
#19 0xc062f166 in fork_exit (callout=0xc06fa500 <sched_sync>, arg=0x0,
    frame=0xec05bd08) at /usr/src/sys/kern/kern_fork.c:992
#20 0xc0845454 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:276

(kgdb) p **mvp
$2 = {v_type = VMARKER, v_tag = 0x0, v_op = 0x0, v_data = 0x0,
  v_mount = 0xc60c0ce4, v_nmntvnodes = {tqe_next = 0x0, tqe_prev = 0x0},
  v_un = {vu_mount = 0x0, vu_socket = 0x0, vu_cdev = 0x0, vu_fifoinfo = 0x0},
  v_hashlist = {le_next = 0x0, le_prev = 0x0}, v_hash = 0, v_cache_src = {
    lh_first = 0x0}, v_cache_dst = {tqh_first = 0x0, tqh_last = 0x0},
  v_cache_dd = 0x0, v_cstart = 0, v_lasta = 0, v_lastw = 0, v_clen = 0,
  v_lock = {lock_object = {lo_name = 0x0, lo_flags = 0, lo_data = 0,
      lo_witness = 0x0}, lk_lock = 0, lk_exslpfail = 0, lk_timo = 0,
    lk_pri = 0}, v_interlock = {lock_object = {lo_name = 0x0, lo_flags = 0,
      lo_data = 0, lo_witness = 0x0}, mtx_lock = 0}, v_vnlock = 0x0,
  v_holdcnt = 0, v_usecount = 0, v_iflag = 0, v_vflag = 0, v_writecount = 0,
  v_actfreelist = {tqe_next = 0xc76407c4, tqe_prev = 0xc7643f10}, v_bufobj = {
    bo_mtx = {lock_object = {lo_name = 0x0, lo_flags = 0, lo_data = 0,
        lo_witness = 0x0}, mtx_lock = 0}, bo_clean = {bv_hd = {
        tqh_first = 0x0, tqh_last = 0x0}, bv_root = 0x0, bv_cnt = 0},
    bo_dirty = {bv_hd = {tqh_first = 0x0, tqh_last = 0x0}, bv_root = 0x0,
      bv_cnt = 0}, bo_numoutput = 0, bo_flag = 0, bo_ops = 0x0, bo_bsize = 0,
    bo_object = 0x0, bo_synclist = {le_next = 0x0, le_prev = 0x0},
    bo_private = 0x0, __bo_vnode = 0x0}, v_pollinfo = 0x0, v_label = 0x0,
  v_lockf = 0x0, v_rl = {rl_waiters = {tqh_first = 0x0, tqh_last = 0x0},
    rl_currdep = 0x0}}


It looks like qsync() in ufs_quota.c tries to free the VNODE_MARKER for the active list using MNT_VNODE_FOREACH_ALL_ABORT(), which frees the VNODE_MARKER for the inactive list!


>How-To-Repeat:

>Fix:
Change MNT_VNODE_FOREACH_ALL_ABORT() to MNT_VNODE_FOREACH_ACTIVE_ABORT()?

>Release-Note:
>Audit-Trail:

From: Petr Lampa <lampa@fit.vutbr.cz>
To: bug-followup@FreeBSD.org, lampa@fit.vutbr.cz
Cc:  
Subject: Re: kern/174324: syncer quota panic
Date: Sat, 15 Dec 2012 09:39:46 +0100

 Fixed in HEAD in
 http://svnweb.freebsd.org/base?view=revision&revision=244239
 
 It can be closed after MFC.
 
 Petr Lampa
 
 -- 
 Computer Centre                             E-mail: lampa@fit.vutbr.cz
 Faculty of Information Technology           Web: http://www.fit.vutbr.cz/
 Brno University of Technology               Fax:  +420 54114-1270
 Bozetechova 2, 612 66 Brno, Czech Republic  Phone: +420 54114-1225
State-Changed-From-To: open->patched 
State-Changed-By: eadler 
State-Changed-When: Sat Dec 15 16:44:21 UTC 2012 
State-Changed-Why:  
over to committer 


Responsible-Changed-From-To: freebsd-bugs->kib 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Sat Dec 15 16:44:21 UTC 2012 
Responsible-Changed-Why:  
over to committer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=174324 
State-Changed-From-To: patched->closed 
State-Changed-By: kib 
State-Changed-When: Mon Jan 28 16:47:14 UTC 2013 
State-Changed-Why:  
All MFCs were made. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=174324 
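
Added example, not part of the original report or of the FreeBSD sources: a user-space model of the marker/list mismatch described in the report, with the marker linked the way the kgdb dump shows it (v_nmntvnodes zeroed, v_actfreelist populated). The struct, list and helper names are hypothetical, and it assumes the ALL abort unlinks the marker through its v_nmntvnodes entry.

```c
#include <stddef.h>
#include <sys/queue.h>

/* User-space model of the two per-mount vnode lists; not kernel code.
 * Link field names follow the kgdb dump, everything else is hypothetical. */
struct vnode {
    TAILQ_ENTRY(vnode) v_nmntvnodes;   /* link on the "all vnodes" list */
    TAILQ_ENTRY(vnode) v_actfreelist;  /* link on the "active vnodes" list */
};
TAILQ_HEAD(vnodelst, vnode);
struct mount { struct vnodelst all, active; };

/* Abort an ALL iteration. TAILQ_REMOVE finishes with
 * "*tqe_prev = tqe_next", so a marker that was never linked on this
 * list (tqe_prev == NULL) is rejected instead of written through. */
static int marker_abort_all(struct mount *mp, struct vnode *mvp)
{
    if (mvp->v_nmntvnodes.tqe_prev == NULL)
        return -1;                     /* marker belongs to another list */
    TAILQ_REMOVE(&mp->all, mvp, v_nmntvnodes);
    mvp->v_nmntvnodes.tqe_prev = NULL;
    return 0;
}

/* Constructed scenario: the marker sits between two active vnodes.
 * Returns 10 * mismatch_detected + active entries left after the
 * marker is unlinked from the list it is really on. */
static int demo(void)
{
    struct vnode a = {0}, b = {0}, marker = {0}, *vp;
    struct mount mp;
    int left = 0, mismatch;

    TAILQ_INIT(&mp.all);
    TAILQ_INIT(&mp.active);
    TAILQ_INSERT_TAIL(&mp.all, &a, v_nmntvnodes);
    TAILQ_INSERT_TAIL(&mp.all, &b, v_nmntvnodes);
    TAILQ_INSERT_TAIL(&mp.active, &a, v_actfreelist);
    TAILQ_INSERT_TAIL(&mp.active, &marker, v_actfreelist);
    TAILQ_INSERT_TAIL(&mp.active, &b, v_actfreelist);

    mismatch = (marker_abort_all(&mp, &marker) == -1);      /* wrong list */
    TAILQ_REMOVE(&mp.active, &marker, v_actfreelist);       /* right list */
    TAILQ_FOREACH(vp, &mp.active, v_actfreelist)
        left++;
    return 10 * mismatch + left;
}

int main(void) { return demo() == 12 ? 0 : 1; }
```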
>Unformatted:
