From elsukov@rdu.kirov.ru  Wed Nov 16 05:48:38 2005
Return-Path: <elsukov@rdu.kirov.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3D29716A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 16 Nov 2005 05:48:38 +0000 (GMT)
	(envelope-from elsukov@rdu.kirov.ru)
Received: from mail.rdu.kirov.ru (ns.rdu.kirov.ru [217.9.151.217])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5C09943D46
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 16 Nov 2005 05:48:35 +0000 (GMT)
	(envelope-from elsukov@rdu.kirov.ru)
Received: from rdu.kirov.ru (localhost [127.0.0.1])
	by mail.rdu.kirov.ru (Postfix) with ESMTP id 8A798FE45
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 16 Nov 2005 08:48:33 +0300 (MSK)
Received: (from elsukov@localhost)
	by rdu.kirov.ru (8.12.10/8.12.9/Submit) id jAG5mWeV068475;
	Wed, 16 Nov 2005 08:48:32 +0300 (MSK)
Message-Id: <200511160548.jAG5mWeV068475@rdu.kirov.ru>
Date: Wed, 16 Nov 2005 08:48:32 +0300 (MSK)
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Reply-To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [geom_vfs] panic when forced unmount FS from unplugged device
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         89102
>Category:       kern
>Synopsis:       [geom] [panic] panic when forced unmount FS from unplugged device
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    trasz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 16 05:50:17 GMT 2005
>Closed-Date:    Sun Jul 19 14:15:16 UTC 2009
>Last-Modified:  Sun Jul 19 14:15:16 UTC 2009
>Originator:     Andrey V. Elsukov
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
	7.0-CURRENT
>Description:
The system panics when I try to forcibly unmount a file system from
an unplugged flash device.
>How-To-Repeat:
always.
>Fix:

--- umount_detached_device.txt begins here ---
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".

Unread portion of the kernel message buffer:
g_vfs_done():da0s1[WRITE(offset=17408, length=4096)]error = 6
g_vfs_done():da0s1[WRITE(offset=17408, length=4096)]error = 6
fsync: giving up on dirty
0xc1815aa0: tag devfs, type VCHR
    usecount 1, writecount 0, refcount 126 mountedhere 0xc1802800
    flags ()
    v_object 0xc1813ce4 ref 0 pages 123
    
	dev da0s1
(da0:

Fatal trap 12: page fault while in kernel mode
cpuid = 0; apic id = 00
fault virtual address	= 0xdeadc0de
fault code		= supervisor read, page not present
instruction pointer	= 0x20:0xc069aef8
stack pointer	        = 0x28:0xccad1740
frame pointer	        = 0x28:0xccad1740
code segment		= base 0x0, limit 0xfffff, type 0x1b
			= DPL 0, pres 1, def32 1, gran 1
processor eflags	= interrupt enabled, resume, IOPL = 0
current process		= 513 (umount)
panic: from debugger
cpuid = 0
Uptime: 2m44s
Dumping 127 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 127MB (32512 pages) 112 96 80 64 48 32 16

#0  doadump () at pcpu.h:165
	in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:165
#1  0xc06389c0 in boot (howto=260)
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/kern_shutdown.c:399
#2  0xc0638cd5 in panic (fmt=0xc082fec8 "from debugger")
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/kern_shutdown.c:555
#3  0xc04697b1 in db_panic (addr=-1066815752, have_addr=0, count=-1, 
    modif=0xccad1510 "")
    at /usr/home/butcher/freebsd/HEAD/src/sys/ddb/db_command.c:434
#4  0xc0469748 in db_command (last_cmdp=0xc09185e4, cmd_table=0x0, 
    aux_cmd_tablep=0xc08942ac, aux_cmd_tablep_end=0xc08942c8)
    at /usr/home/butcher/freebsd/HEAD/src/sys/ddb/db_command.c:403
#5  0xc0469810 in db_command_loop ()
    at /usr/home/butcher/freebsd/HEAD/src/sys/ddb/db_command.c:454
#6  0xc046b429 in db_trap (type=12, code=0)
    at /usr/home/butcher/freebsd/HEAD/src/sys/ddb/db_main.c:221
#7  0xc0651464 in kdb_trap (type=12, code=0, tf=0xccad1700)
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/subr_kdb.c:473
#8  0xc07fb768 in trap_fatal (frame=0xccad1700, eva=3735929054)
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/trap.c:846
#9  0xc07fb4af in trap_pfault (frame=0xccad1700, usermode=0, eva=3735929054)
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/trap.c:766
#10 0xc07fb0c9 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = -1048655744, tf_ebp = -861071552, tf_isp = -861071572, tf_ebx = -1065181642, tf_edx = -559038242, tf_ecx = 0, tf_eax = -559038242, tf_trapno = 12, tf_err = 0, tf_eip = -1066815752, tf_cs = 32, tf_eflags = 66118, tf_esp = -861071352, tf_ss = -1067108740}) at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/trap.c:451
#11 0xc07e89da in calltrap ()
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/exception.s:139
#12 0xc069aef8 in strlen (str=0xdeadc0de <Address 0xdeadc0de out of bounds>)
    at /usr/home/butcher/freebsd/HEAD/src/sys/libkern/strlen.c:41
#13 0xc065367c in kvprintf (fmt=0xc0829e36 "%d:%d:", 
    func=0xc0652e00 <putchar>, arg=0xccad1824, radix=10, 
    ap=0xccad1848 "")
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/subr_prf.c:679
#14 0xc0652d7b in printf (fmt=0xc0829e34 "%s%d:%d:")
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/subr_prf.c:296
#15 0xc044fba6 in xpt_print_path (path=0xc14e7350)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/cam_xpt.c:4208
#16 0xc045a43f in dacleanup (periph=0xc17ec880)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/scsi/scsi_da.c:815
#17 0xc044b289 in camperiphfree (periph=0xc17ec880)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/cam_periph.c:457
#18 0xc044afd7 in cam_periph_release (periph=0xdeadc0de)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/cam_periph.c:294
#19 0xc045a054 in daclose (dp=0xdeadc0de)
    at /usr/home/butcher/freebsd/HEAD/src/sys/cam/scsi/scsi_da.c:568
#20 0xc060130c in g_disk_access (pp=0xc17ec180, r=0, w=0, e=0)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_disk.c:152
#21 0xc060722e in g_access (cp=0xc1818e00, dcr=-1, dcw=-1, dce=-2)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_subr.c:730
#22 0xc0605761 in g_slice_access (pp=0xc17ebc80, dr=-1, dw=-1, de=-2)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_slice.c:130
#23 0xc060722e in g_access (cp=0xc1818780, dcr=-1, dcw=-1, dce=-1)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_subr.c:730
#24 0xc0606868 in g_wither_geom_close (gp=0xc17eb880, error=6)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_subr.c:333
#25 0xc06077df in g_vfs_close (cp=0xdeadc0de, td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_vfs.c:172
#26 0xc05f83c8 in msdosfs_unmount (mp=0xc146f800, mntflags=134742016, 
    td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/fs/msdosfs/msdosfs_vfsops.c:789
#27 0xc06898ec in dounmount (mp=0xc146f800, flags=134742016, td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/vfs_mount.c:963
#28 0xc06896c2 in unmount (td=0xc17fd320, uap=0xccad1d04)
    at /usr/home/butcher/freebsd/HEAD/src/sys/kern/vfs_mount.c:895
#29 0xc07fbaa6 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134521957, tf_esi = 134535761, tf_ebp = -1077942936, tf_isp = -861069980, tf_ebx = -1077943024, tf_edx = 10, tf_ecx = 0, tf_eax = 22, tf_trapno = 12, tf_err = 2, tf_eip = 671838363, tf_cs = 51, tf_eflags = 518, tf_esp = -1077943108, tf_ss = 59})
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/trap.c:1001
#30 0xc07e8a2f in Xint0x80_syscall ()
    at /usr/home/butcher/freebsd/HEAD/src/sys/i386/i386/exception.s:200
#31 0x00000033 in ?? ()
(kgdb) f 26
#26 0xc05f83c8 in msdosfs_unmount (mp=0xc146f800, mntflags=134742016, 
    td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/fs/msdosfs/msdosfs_vfsops.c:789
789		g_vfs_close(pmp->pm_cp, td);
(kgdb) l
784			VI_UNLOCK(vp);
785		}
786	#endif
787		DROP_GIANT();
788		g_topology_lock();
789		g_vfs_close(pmp->pm_cp, td);
790		g_topology_unlock();
791		PICKUP_GIANT();
792		vrele(pmp->pm_devvp);
793		free(pmp->pm_inusemap, M_MSDOSFSFAT);
(kgdb) set output-radix 16
Output radix now set to decimal 16, hex 10, octal 20.
(kgdb) p mntflags 
$1 = 0x8080000
(kgdb) p *mp
$2 = {mnt_list = {tqe_next = 0x0, tqe_prev = 0xc15a2800}, 
  mnt_op = 0xc08c76e0, mnt_vfc = 0xc08c7720, mnt_vnodecovered = 0xc1815990, 
  mnt_syncer = 0x0, mnt_nvnodelist = {tqh_first = 0x0, 
    tqh_last = 0xc146f818}, mnt_lock = {lk_interlock = 0xc09313ec, 
    lk_flags = 0x140000, lk_sharecount = 0x0, lk_waitcount = 0x0, 
    lk_exclusivecount = 0x1, lk_prio = 0x50, lk_wmesg = 0xc0870059 "vfslock", 
    lk_timo = 0x0, lk_lockholder = 0xc17fd320, lk_newlock = 0x0}, mnt_mtx = {
    mtx_object = {lo_class = 0xc08ce424, 
      lo_name = 0xc0870048 "struct mount mtx", 
      lo_type = 0xc0870048 "struct mount mtx", lo_flags = 0x30000, lo_list = {
        tqe_next = 0xc1788aa8, tqe_prev = 0xc18157fc}, 
      lo_witness = 0xc0940f80}, mtx_lock = 0x4, mtx_recurse = 0x0}, 
  mnt_writeopcount = 0x1, mnt_flag = 0x1000, mnt_opt = 0xc1435a50, 
  mnt_optnew = 0x0, mnt_kern_flag = 0x1000001, mnt_maxsymlinklen = 0x0, 
  mnt_stat = {f_version = 0x20030518, f_type = 0x2, f_flags = 0x1000, 
    f_bsize = 0x1000, f_iosize = 0x1000, f_blocks = 0x1e55a, 
    f_bfree = 0x2fdf, f_bavail = 0x2fdf, f_files = 0x0, f_ffree = 0x0, 
    f_syncwrites = 0x0, f_asyncwrites = 0x0, f_syncreads = 0x0, 
    f_asyncreads = 0x0, f_spare = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
      0x0, 0x0}, f_namemax = 0xff, f_owner = 0x0, f_fsid = {val = {0x73, 
        0x2}}, f_charspare = '\0' <repeats 79 times>, 
    f_fstypename = "msdosfs\000\000\000\000\000\000\000\000", 
    f_mntfromname = "/dev/da0s1", '\0' <repeats 77 times>, 
    f_mntonname = "/mnt", '\0' <repeats 83 times>}, mnt_cred = 0xc17ebc00, 
  mnt_data = 0xc1802300, mnt_time = 0x0, mnt_iosize_max = 0x10000, 
  mnt_export = 0x0, mnt_mntlabel = 0x0, mnt_fslabel = 0x0, 
  mnt_nvnodelistsize = 0x0, mnt_hashseed = 0x205ad3}
(kgdb) p *pmp
$3 = {pm_mountp = 0xc146f800, pm_cp = 0xc1818780, pm_bo = 0xc1815b60, 
  pm_uid = 0x0, pm_gid = 0x0, pm_mask = 0x1ed, pm_dirmask = 0x1ed, 
  pm_devvp = 0xc1815aa0, pm_bpb = {bpbBytesPerSec = 0x200, 
    bpbSecPerClust = 0x0, bpbResSectors = 0x22, bpbFATs = 0x2, 
    bpbRootDirEnts = 0x0, bpbSectors = 0x0, bpbMedia = 0xf8, 
    bpbFATsecs = 0x0, bpbSecPerTrack = 0x3f, bpbHeads = 0xff, 
    bpbHiddenSecs = 0x3f, bpbHugeSectors = 0xf327f}, pm_BlkPerSec = 0x1, 
  pm_FATsecs = 0x3cb, pm_fatblk = 0x22, pm_rootdirblk = 0x2, 
  pm_rootdirsize = 0x0, pm_firstcluster = 0x7b8, pm_maxcluster = 0x1e559, 
  pm_freeclustercount = 0x2fdf, pm_cnshift = 0xc, pm_crbomask = 0xfff, 
  pm_bnshift = 0x9, pm_bpcluster = 0x1000, pm_fmod = 0x1, 
  pm_fatblocksize = 0x1000, pm_fatblocksec = 0x8, pm_fatsize = 0x79600, 
  pm_fatmask = 0xfffffff, pm_fsinfo = 0x1, pm_nxtfree = 0x19b, 
  pm_fatmult = 0x4, pm_fatdiv = 0x1, pm_curfat = 0x0, 
  pm_inusemap = 0xc181c000, pm_flags = 0x20000002, pm_u2w = 0x0, 
  pm_w2u = 0x0, pm_u2d = 0x0, pm_d2u = 0x0, pm_nfileno = 0x0, pm_filenos = {
    rbh_root = 0x0}}
(kgdb) p *pmp->pm_cp
$4 = {geom = 0xc17eb880, consumer = {le_next = 0x0, le_prev = 0xc17eb890}, 
  provider = 0xc17ebc80, consumers = {le_next = 0xc1818c00, 
    le_prev = 0xc17ebc90}, acr = 0x1, acw = 0x1, ace = 0x1, spoiled = 0x0, 
  stat = 0xc1561b40, nstart = 0x80, nend = 0x80, private = 0x0, index = 0x0}
(kgdb) p *pmp->pm_cp->geom
$5 = {name = 0xc1587320 "msdos.da0s1", class = 0xc08c8620, geom = {
    le_next = 0xc15f1480, le_prev = 0xc08c8660}, consumer = {
    lh_first = 0xc1818780}, provider = {lh_first = 0x0}, geoms = {
    tqe_next = 0x0, tqe_prev = 0xc17eb918}, rank = 0x3, start = 0, 
  spoiled = 0, dumpconf = 0, access = 0, orphan = 0xc06076c4 <g_vfs_orphan>, 
  ioctl = 0, softc = 0xc1815b60, flags = 0x0}
(kgdb) f 25
#25 0xc06077df in g_vfs_close (cp=0xdeadc0de, td=0xc17fd320)
    at /usr/home/butcher/freebsd/HEAD/src/sys/geom/geom_vfs.c:172
172		g_wither_geom_close(gp, ENXIO);
(kgdb) p l
167		g_topology_assert();
168	
169		gp = cp->geom;
170		bo = gp->softc;
171		bufobj_invalbuf(bo, V_SAVE, td, 0, 0);
172		g_wither_geom_close(gp, ENXIO);
173	}
(kgdb) p gp
$6 = (struct g_geom *) 0xc17eb880
(kgdb) p cp
$7 = (struct g_consumer *) 0xdeadc0de
(kgdb) 
--- umount_detached_device.txt ends here ---


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-geom 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Nov 16 06:17:26 GMT 2005 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89102 

From: clemens fischer <ino-news@spotteswoode.dnsalias.org>
To: bug-followup@FreeBSD.org, bu7cher@yandex.ru
Cc:  
Subject: Re: kern/89102:[geom_vfs] [panic] panic when forced unmount FS from unplugged device
Date: Fri, 15 Sep 2006 20:53:59 +0200

 i had a crash related to this topic, but at another location.  it
 happened after using umount(8) on a card-reader, but this time _without_
 using the `-f' flag.  the messages "(CTRL-C to abort)" were not shown on
 the screen, instead the machine just rebooted.  here's the backtrace:
 
 --- start of dump ---
 /usr/obj/usr/src/sys/spott
 0  # kgdb kernel.debug /var/crash/vmcore.2
 kgdb: kvm_nlist(_stopped_cpus):
 kgdb: kvm_nlist(_stoppcbs):
 [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 GNU gdb 6.1.1 [FreeBSD]
 This GDB was configured as "i386-marcel-freebsd".
 
 Unread portion of the kernel message buffer:
 panic: vinvalbuf: dirty bufs
 Uptime: 1h12m4s
 (da0:dead_sim0:0:0:0): Synchronize cache failed, status == 0x8, scsi status == 0x0
 Dumping 383 MB (2 chunks)
   chunk 0: 1MB (159 pages) ... ok
   chunk 1: 383MB (98048 pages) 368 352 336 320 304 288 272 (CTRL-C to abort)  256 (CTRL-C to abort)  240 (CTRL-C to abort)  224 208 192 176 160 144 128 112 96 80 64 48 32 (CTRL-C to abort)  16 (CTRL-C to abort)
 
 #0  doadump () at pcpu.h:165
 165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
 (kgdb) bt full
 #0  doadump () at pcpu.h:165
 No locals.
 #1  0xc052d27c in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
         first_buf_printf = 1
 #2  0xc052d589 in panic (fmt=0xc06cc79b "vinvalbuf: dirty bufs") at /usr/src/sys/kern/kern_shutdown.c:565
         td = (struct thread *) 0xc2b8bd80
         bootopt = 260
         newpanic = 0
         ap = 0xc2b8bd80 "\f\022@�\200�x�"
         buf = "vinvalbuf: dirty bufs", '\0' <repeats 234 times>
 #3  0xc05984a0 in bufobj_invalbuf (bo=0xc3213e90, flags=1, td=0x0, slpflag=0, slptimeo=0)
     at /usr/src/sys/kern/vfs_subr.c:1015
         error = 0
 #4  0xc0598802 in vinvalbuf (vp=0xc3213dd0, flags=0, td=0x0, slpflag=0, slptimeo=0)
     at /usr/src/sys/kern/vfs_subr.c:1082
 No locals.
 #5  0xc059baf4 in vgonel (vp=0xc3213dd0) at /usr/src/sys/kern/vfs_subr.c:2436
         td = (struct thread *) 0xc2b8bd80
         oweinact = 0
         active = 1
         mp = (struct mount *) 0xc270f400
 #6  0xc059b9c8 in vgone (vp=0xc3213dd0) at /usr/src/sys/kern/vfs_subr.c:2391
 No locals.
 #7  0xc04da8b6 in devfs_delete (dm=0xc27a4880, de=0xc32afb80) at /usr/src/sys/fs/devfs/devfs_devs.c:244
 No locals.
 #8  0xc04dab2a in devfs_populate_loop (dm=0xc27a4880, cleanup=0) at /usr/src/sys/fs/devfs/devfs_devs.c:352
         cdp = (struct cdev_priv *) 0xc2b8e600
         de = (struct devfs_dirent *) 0xc32afb80
         dd = (struct devfs_dirent *) 0x0
         pdev = (struct cdev *) 0xc27aa000
         j = 0
         q = 0x0
         s = 0xc27aa000 "\002"
 #9  0xc04dadd5 in devfs_populate (dm=0xc27a4880) at /usr/src/sys/fs/devfs/devfs_devs.c:448
 No locals.
 #10 0xc04dd02f in devfs_lookupx (ap=0x0) at /usr/src/sys/fs/devfs/devfs_vnops.c:512
         cnp = (struct componentname *) 0xd5d19be8
         dvp = (struct vnode *) 0xc27aa000
         vpp = (struct vnode **) 0xd5d19bd4
         td = (struct thread *) 0xc2b8bd80
         de = (struct devfs_dirent *) 0x2002
         dd = (struct devfs_dirent *) 0xc27a4600
         dde = (struct devfs_dirent **) 0x0
         dmp = (struct devfs_mount *) 0xc27a4880
         cdev = (struct cdev *) 0xc05ab1ac
         error = -1032173424
         flags = 18923588
         nameiop = 0
         specname = "$\231��\000\000\000\000�\230��\"�X�\b\234z�\006\000\000\000,\234z�\200����\230�հ\233z��\230��إY�\233z°\233z�@\231��\016�Y�"
         pname = 0xc27ab805 "tty"
 #11 0xc04dd1ce in devfs_lookup (ap=0xd5d19998) at /usr/src/sys/fs/devfs/devfs_vnops.c:576
         j = -707683944
         dmp = (struct devfs_mount *) 0xc27a4890
 #12 0xc06a7194 in VOP_LOOKUP_APV (vop=0xc06efbe0, a=0xd5d19998) at vnode_if.c:99
         rc = -1066468384
 #13 0xc05911fb in lookup (ndp=0xd5d19bc0) at vnode_if.h:56
         cp = 0xc27ab808 ""
         dp = (struct vnode *) 0xc27aa000
         tdp = (struct vnode *) 0xc27aa000
         mp = (struct mount *) 0x0
         docache = 32
         wantparent = 0
         rdonly = 0
         trailing_slash = 0
         error = 0
         dpunlocked = 0
         cnp = (struct componentname *) 0xd5d19be8
         td = (struct thread *) 0xc2b8bd80
         vfslocked = 0
         dvfslocked = 0
         tvfslocked = 0
 #14 0xc0590968 in namei (ndp=0xd5d19bc0) at /usr/src/sys/kern/vfs_lookup.c:203
         fdp = (struct filedesc *) 0xc32b1500
         cp = 0xc32b1500 ""
         dp = (struct vnode *) 0xc27a9bb0
         aiov = {iov_base = 0x0, iov_len = 0}
         auio = {uio_iov = 0xc01e0, uio_iovcnt = 0, uio_offset = 16384, uio_resid = 0, uio_segflg = 3273065636,
   uio_rw = UIO_READ, uio_td = 0x0}
         error = -1032152144
         linklen = -1032152144
         cnp = (struct componentname *) 0xd5d19be8
         td = (struct thread *) 0xc2b8bd80
         p = (struct proc *) 0x0
         vfslocked = 0
 #15 0xc05a9cd7 in vn_open_cred (ndp=0xd5d19bc0, flagp=0xd5d19cc0, cmode=2504, cred=0xc2bad780, fdidx=3)
     at /usr/src/sys/kern/vfs_vnops.c:182
         vp = (struct vnode *) 0x0
         mp = (struct mount *) 0x2
         td = (struct thread *) 0xc2b8bd80
         vat = {va_type = 3266887040, va_mode = 0, va_nlink = 0, va_uid = 3587283628, va_gid = 3226451657,
   va_fsid = 4294967280, va_fileid = 0, va_size = 15407266001175183363, va_blocksize = -1068515300, va_atime = {
     tv_sec = -1020586752, tv_nsec = 3}, va_mtime = {tv_sec = 256, tv_nsec = 3}, va_ctime = {
     tv_sec = -1020586752, tv_nsec = -1019211252}, va_birthtime = {tv_sec = -707683592, tv_nsec = -1068500313},
   va_gen = 3274380544, va_flags = 3, va_rdev = 256, va_bytes = 3587283724, va_filerev = 17179874663,
   va_vaflags = 3275756044, va_spare = -1029671664}
         mode = -707683720
         fmode = 1
         error = -707683068
         vfslocked = 0
 #16 0xc05a99b3 in vn_open (ndp=0x0, flagp=0x0, cmode=0, fdidx=0) at /usr/src/sys/kern/vfs_vnops.c:91
         td = (struct thread *) 0x0
 #17 0xc05a05e8 in kern_open (td=0xc2b8bd80, path=0x0, pathseg=UIO_USERSPACE, flags=1, mode=-1077945896)
     at /usr/src/sys/kern/vfs_syscalls.c:1002
         p = (struct proc *) 0x0
         fdp = (struct filedesc *) 0xc32b1500
         fp = (struct file *) 0xc2a07510
         vp = (struct vnode *) 0xc2713800
         vat = {va_type = 3275756044, va_mode = 40008, va_nlink = -10799, va_uid = 3226741305,
   va_gid = 3228675648, va_fsid = 3261295572, va_fileid = 0, va_size = 13858750082021694556, va_blocksize = 0,
   va_atime = {tv_sec = 0, tv_nsec = -1028080256}, va_mtime = {tv_sec = 6, tv_nsec = -1068226384}, va_ctime = {
     tv_sec = -1028080256, tv_nsec = -1033672064}, va_birthtime = {tv_sec = -1066434944, tv_nsec = 60211073},
   va_gen = 3275756212, va_flags = 3275756044, va_rdev = 3587284176, va_bytes = 14031172999752930889,
   va_filerev = 8589934592, va_vaflags = 3119171692, va_spare = -134132641}
         mp = (struct mount *) 0xc31a9aa0
         cmode = 0
         nfp = (struct file *) 0xc2a07510
         type = 0
         indx = 3
         error = -707683068
         lf = {l_start = -4415571073916420396, l_len = -3039476491986403325, l_pid = -1068226135,
   l_type = -17024, l_whence = -15688}
         nd = {ni_dirp = 0x806120a <Address 0x806120a out of bounds>, ni_segflg = UIO_USERSPACE,
   ni_startdir = 0x0, ni_rootdir = 0xc27a9bb0, ni_topdir = 0x0, ni_vp = 0x0, ni_dvp = 0xc27aa000,
   ni_pathlen = 1, ni_next = 0xc27ab808 "", ni_loopcnt = 0, ni_cnd = {cn_nameiop = 0, cn_flags = 18923588,
     cn_thread = 0xc2b8bd80, cn_cred = 0xc2bad780, cn_lkflags = 2, cn_pnbuf = 0xc27ab800 "/dev/tty",
     cn_nameptr = 0xc27ab805 "tty", cn_namelen = 3, cn_consume = 0}}
         vfslocked = -1028080256
 #18 0xc05a04d6 in open (td=0x0, uap=0xd5d19d04) at /usr/src/sys/kern/vfs_syscalls.c:968
         error = -1028080256
 #19 0xc0692c30 in syscall (frame=
       {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 134599286, tf_esi = 134668416, tf_ebp = -1077945944, tf_isp = -707682972, tf_ebx = -1077945836, tf_edx = 53, tf_ecx = 134668416, tf_eax = 5, tf_trapno = 0, tf_err = 2, tf_eip = 672773295, tf_cs = 51, tf_eflags = 646, tf_esp = -1077945956, tf_ss = 59})
     at /usr/src/sys/i386/i386/trap.c:981
         params = 0xbfbfd9a0 <Address 0xbfbfd9a0 out of bounds>
         callp = (struct sysent *) 0xc06f1b9c
         td = (struct thread *) 0xc2b8bd80
         p = (struct proc *) 0xc340120c
         orig_tf_eflags = 646
         sticks = 1
         error = 0
         narg = 3
         args = {134615562, 0, -1077945896, -707683028, -1066837953, -1066330208, -707683020, 134629856}
         code = 5
 #20 0xc067e03f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
 No locals.
 #21 0x00000033 in ?? ()
 No symbol table info available.
 Previous frame inner to this frame (corrupt stack?)
 (kgdb) l
 layout  list    load
 (kgdb) l
 200             call    syscall
 201             MEXITCOUNT
 202             jmp     doreti
 203
 204     ENTRY(fork_trampoline)
 205             pushl   %esp                    /* trapframe pointer */
 206             pushl   %ebx                    /* arg1 */
 207             pushl   %esi                    /* function */
 208             call    fork_exit
 209             addl    $12,%esp
 --- end of dump ---
 
 i have two questions regarding this backtrace:
 
   [GDB will not be able to debug user-mode threads:
   /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
 
 what does this mean?
 
 also:
 
   #20 0xc067e03f in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:200
   No locals.
   #21 0x00000033 in ?? ()
   No symbol table info available.
   Previous frame inner to this frame (corrupt stack?)
 
 you guys always post such beautiful kgdb usages with complete
 backtraces, why do i have a funny frame 21 (IP = 0x33)?
 
 regards, clemens

Manually adding to audit trail by bugmeister:
 
 See also kern/84336.
State-Changed-From-To: open->suspended 
State-Changed-By: linimon 
State-Changed-When: Sat Jan 26 00:34:41 UTC 2008 
State-Changed-Why:  
This is a well-known error: there are underlying structures in the kernel 
that haven't been made to understand that drives can go away.  This 
assumption has been false for years.  However, the work required is going 
to be quite detailed; no quick workarounds are available (they've been 
discussed and rejected).  So, mark this one as suspended for now. 

Responsible-Changed-From-To: freebsd-geom->trasz 
Responsible-Changed-By: trasz 
Responsible-Changed-When: Wed Jul 8 12:28:24 UTC 2009 
Responsible-Changed-Why:  
I'll take it. 

State-Changed-From-To: suspended->feedback 
State-Changed-By: trasz 
State-Changed-When: Wed Jul 8 12:28:36 UTC 2009 
State-Changed-Why:  
Andrey, can you still reproduce it with FreeBSD 7.2?  It should already 
be fixed. 


State-Changed-From-To: feedback->closed 
State-Changed-By: trasz 
State-Changed-When: Sun Jul 19 14:15:15 UTC 2009 
State-Changed-Why:  
Seems to be fixed. 

>Unformatted:
