From nobody@FreeBSD.org  Fri Aug 30 21:05:09 2002
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E09A337B400
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
Received: from www.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 87ACB43E65
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.4/8.12.4) with ESMTP id g7V459OT098071
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.4/8.12.4/Submit) id g7V459QY098070;
	Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
Message-Id: <200208310405.g7V459QY098070@www.freebsd.org>
Date: Fri, 30 Aug 2002 21:05:09 -0700 (PDT)
From: Kip Macy <kmacy@fsmware.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: system panics with "worklist_remove: item not on list" when mapping user memory into kernel
X-Send-Pr-Version: www-1.0

>Number:         42235
>Category:       kern
>Synopsis:       system panics with "worklist_remove: item not on list" when mapping user memory into kernel
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 30 21:10:01 PDT 2002
>Closed-Date:    Sat Apr 24 01:06:17 PDT 2004
>Last-Modified:  Sat Apr 24 01:06:17 PDT 2004
>Originator:     Kip Macy
>Release:        4.5-RELEASE,4.6-STABLE
>Organization:
>Environment:
FreeBSD serendipity.fsmware.com 4.5-RELEASE FreeBSD 4.5-RELEASE #6: Mon Aug 26 19:52:23 PDT 2002     kmacy@serendipity.fsmware.com:/usr/src/sys/compile/MACHINE  i386
>Description:
I have a kernel module that maps two 64k chunks of user memory into the kernel
using the same set of steps that cam_periph_mapmem uses. However, I inevitably
get the following panic after running the code for a bit:

Aug 30 14:55:26 testhost /kernel: panic: worklist_remove: not on list
Aug 30 14:55:26 testhost /kernel: 
Aug 30 14:55:26 testhost /kernel: syncing disks... 8 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 
Aug 30 14:55:26 testhost /kernel: giving up on 1 buffers

This is a panic in ffs_softdep.c; it implies to me that either the FFS code
isn't recognizing that not all buffers belong to it or getpbuf isn't doing all
the needed accounting.

Also worthy of note is that my kernel module has a lot of printfs which
obviously translate to a lot of synchronous writes by syslog, presumably 
putting memory pressure on the file system.

The interesting portion of the backtrace is:

panic
worklist_remove
softdep_update_inodeblock
ffs_update
ffs_fsync
fsync

The code at the panic is:
	if ((item->wk_state & ONWORKLIST) == 0) {
		FREE_LOCK(&lk);
		panic("worklist_remove: not on list");
	}

In softdep_update_inodeblock the call to worklist_remove is:

	while ((wk = LIST_FIRST(&inodedep->id_inowait)) != NULL) {
		WORKLIST_REMOVE(wk);
		WORKLIST_INSERT(&inodedep->id_bufwait, wk);
	}

which indicates that either it was put on inowait without
ONWORKLIST being set or ONWORKLIST was unset without it being
removed from the list.
>How-To-Repeat:
Get a buffer, map it, and then generate a lot of synchronous file system
traffic via syslog. 
I can write a test program if it will help. However, I think it is pretty
clear what is going on.
>Fix:
      
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: kris 
State-Changed-When: Sat Oct 11 01:07:55 PDT 2003 
State-Changed-Why:  
Please provide a test program so this bug can be easily evaluated. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=42235 
State-Changed-From-To: feedback->closed 
State-Changed-By: kris 
State-Changed-When: Sat Apr 24 01:06:09 PDT 2004 
State-Changed-Why:  
Feedback timeout 

http://www.freebsd.org/cgi/query-pr.cgi?pr=42235 
>Unformatted:
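
An added example, not part of the original report and not the FreeBSD source: a user-space C model of the flag/list invariant behind the panic. It shows that both causes proposed in the Description (linked without ONWORKLIST set, or ONWORKLIST cleared without unlinking) make the drain loop fail at the same check. The struct layout, the wl_* and raw_* names, and the ONWORKLIST value are assumptions of this model.

```c
#include <stddef.h>
#define ONWORKLIST 0x8000u            /* flag value chosen for this model */

struct work { struct work *next, **prevp; unsigned state; };
struct worklist { struct work *first; };

/* Raw link/unlink with no flag bookkeeping (what the checked wrappers hide). */
static void raw_link(struct worklist *h, struct work *w) {
    w->next = h->first;
    if (w->next) w->next->prevp = &w->next;
    h->first = w;
    w->prevp = &h->first;
}
static void raw_unlink(struct work *w) {
    if (w->next) w->next->prevp = w->prevp;
    *w->prevp = w->next;
}
/* Checked insert: -1 if the item already claims to be on a list. */
int wl_insert(struct worklist *h, struct work *w) {
    if (w->state & ONWORKLIST) return -1;
    w->state |= ONWORKLIST;
    raw_link(h, w);
    return 0;
}
/* Checked remove: -1 where the report's "not on list" panic fires. */
int wl_remove(struct work *w) {
    if ((w->state & ONWORKLIST) == 0) return -1;
    w->state &= ~ONWORKLIST;
    raw_unlink(w);
    return 0;
}
/* Same shape as the loop quoted from softdep_update_inodeblock. */
int wl_drain(struct worklist *from, struct worklist *to) {
    int moved = 0;
    struct work *w;
    while ((w = from->first) != NULL) {
        if (wl_remove(w) != 0 || wl_insert(to, w) != 0) return -1;
        moved++;
    }
    return moved;
}
/* Audit: count items linked on a list whose flag says they are not. */
int wl_audit(const struct worklist *h) {
    int bad = 0;
    for (const struct work *w = h->first; w != NULL; w = w->next)
        if ((w->state & ONWORKLIST) == 0) bad++;
    return bad;
}
```

Running wl_audit over a list before draining it flags the inconsistent item, but it cannot tell which of the two causes produced it, since both leave the same state behind.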
