From scrappy@hub.org  Sun Dec 24 19:11:08 1995
Received: from hub.org (hub.org [199.166.238.138])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id TAA27641
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 24 Dec 1995 19:10:54 -0800 (PST)
Received: (from root@localhost) by hub.org (8.7.3/8.7.3) id WAA28627; Sun, 24 Dec 1995 22:11:04 -0500 (EST)
Message-Id: <199512250311.WAA28627@hub.org>
Date: Sun, 24 Dec 1995 22:11:04 -0500 (EST)
From: "Marc G. Fournier" <scrappy@hub.org>
Reply-To: scrappy@hub.org
To: FreeBSD-gnats-submit@freebsd.org
Subject: unmount: dangling vnode
X-Send-Pr-Version: 3.2

>Number:         912
>Category:       kern
>Synopsis:       unmount: dangling vnode
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 24 19:20:03 PST 1995
>Closed-Date:    Thu Apr 25 12:07:43 PDT 1996
>Last-Modified:  Thu Apr 25 12:09:27 PDT 1996
>Originator:     Marc G. Fournier
>Release:        FreeBSD 2.1-CURRENT i386
>Organization:
>Environment:

FreeBSD 2.2-CURRENT #6: Sun Dec 24 01:33:38 EST 1995
    scrappy@freebsd.hub.org:/usr/src/sys/compile/freebsd
CPU: i386DX (386-class CPU)
real memory  = 8781824 (8576K bytes)
avail memory = 6889472 (6728K bytes)
DEVFS: ready for devices
Probing for devices on the ISA bus:
vt0 at 0x60-0x6f irq 1 on motherboard
vt0: mda, mono, 8 scr, mf2-kbd, [R3.20-b24]
sio0 not found at 0x3f8
sio1 at 0x2f8-0x2ff irq 3 on isa
sio1: type 16450
lpt0 at 0x3bc-0x3c3 irq 7 on isa
lpt0: Interrupt-driven port
lp0: TCP/IP capable interface
fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
fdc0: NEC 765
fd0: 1.44MB 3.5in
wdc0 at 0x1f0-0x1f7 irq 14 on isa
wdc0: unit 0 (wd0): <Maxtor 7345 AT>
wd0: 329MB (675450 sectors), 790 cyls, 15 heads, 57 S/T, 512 B/S
1 3C5x9 board(s) on ISA found at 0x300
ep0 at 0x300-0x30f irq 10 on isa
ep0: aui/bnc[*BNC*] address 00:a0:24:0a:5a:fe irq 10
npx0 on motherboard
npx0: 387 emulator
devfs ready to run

Script started on Sun Dec 24 22:00:19 1995
freebsd# kgdb kernel.sym.1 vmcore.1
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.13 (i386-unknown-freebsd), 
Copyright 1994 Free Software Foundation, Inc...
IdlePTD 214000
current pcb at 1e0098
panic: unmount: dangling vnode
#0  boot (howto=260) at ../../i386/i386/machdep.c:914
914					dumppcb.pcb_ptd = rcr3();
(kgdb) up 10
#10 0xf0129aa8 in dounmount (mp=0xf0624600, flags=0, p=0xf0660f00)
    at ../../kern/vfs_syscalls.c:311
311				panic("unmount: dangling vnode");
(kgdb) list
306			CIRCLEQ_REMOVE(&mountlist, mp, mnt_list);
307			mp->mnt_vnodecovered->v_mountedhere = (struct mount *)0;
308			vfs_unlock(mp);
309			mp->mnt_vfc->vfc_refcount--;
310			if (mp->mnt_vnodelist.lh_first != NULL)
311				panic("unmount: dangling vnode");
312			free((caddr_t)mp, M_MOUNT);
313		}
314		return (error);
315	}
(kgdb) print mp
$1 = (struct mount *) 0xf0624600
(kgdb) print mountlist
$2 = {cqh_first = 0xf05e5a00, cqh_last = 0xf06d8e00}
(kgdb) print mnt_list
No symbol "mnt_list" in current context.
(kgdb) print mp->mnt_vnodecovered->v_mountedhere
There is no member named v_mountedhere.
(kgdb) print  mp->mnt_vfc->vfc_refcount
$3 = 1
(kgdb) print mp->mnt_vnodelist.lh_first
$4 = (struct vnode *) 0xf063ed00
(kgdb) quit
freebsd# exit
exit

Script done on Sun Dec 24 22:03:32 1995


>Description:

	When trying to umount one of two occurances of devfs being
	mounted, the system panic'd.  both occurances were mounted to
	/devfs.  Having previously done this with another directory, that
	was mounted twice, to the same mount-point, it was (falsely?)
	assumed that it would work here.

>How-To-Repeat:

	

>Fix:
	
	

>Release-Note:
>Audit-Trail:

From: Julian Elischer <julian@jhome.DIALix.COM>
To: scrappy@hub.org
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/912: unmount: dangling vnode
Date: Tue, 26 Dec 1995 02:44:21 +0800 (WST)

 This is a problem I have known about with the  devfs..
 
 there are two problems here actually...
 1/ I need to add 'double-mount' protection
 to stop the devfs from mbeing mounted twice on the same location..
 
 2/ the dangling vnode problem happens on quite a few unmountings of the devfs..
 I looked it up but didn't go into it in depth, but my recolection is that some
 vnodes  are strung off the mountpoint or the root of the fs
 (or somewhere) under some circumstances, and on unmount I'm not
 taking them off..
 
 
 > 
 > 
 > 
 > >Number:         912
 > >Category:       kern
 > >Synopsis:       unmount: dangling vnode
 > >Confidential:   no
 > >Severity:       serious
 > >Priority:       medium
 > >Responsible:    freebsd-bugs
 > >State:          open
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Sun Dec 24 19:20:03 PST 1995
 > >Last-Modified:
 > >Originator:     Marc G. Fournier
 > >Organization:
 > >Release:        FreeBSD 2.1-CURRENT i386
 > >Environment:
 > 
 > FreeBSD 2.2-CURRENT #6: Sun Dec 24 01:33:38 EST 1995
 >     scrappy@freebsd.hub.org:/usr/src/sys/compile/freebsd
 > CPU: i386DX (386-class CPU)
 > real memory  = 8781824 (8576K bytes)
 > avail memory = 6889472 (6728K bytes)
 > DEVFS: ready for devices
 > Probing for devices on the ISA bus:
 > vt0 at 0x60-0x6f irq 1 on motherboard
 > vt0: mda, mono, 8 scr, mf2-kbd, [R3.20-b24]
 > sio0 not found at 0x3f8
 > sio1 at 0x2f8-0x2ff irq 3 on isa
 > sio1: type 16450
 > lpt0 at 0x3bc-0x3c3 irq 7 on isa
 > lpt0: Interrupt-driven port
 > lp0: TCP/IP capable interface
 > fdc0 at 0x3f0-0x3f7 irq 6 drq 2 on isa
 > fdc0: NEC 765
 > fd0: 1.44MB 3.5in
 > wdc0 at 0x1f0-0x1f7 irq 14 on isa
 > wdc0: unit 0 (wd0): <Maxtor 7345 AT>
 > wd0: 329MB (675450 sectors), 790 cyls, 15 heads, 57 S/T, 512 B/S
 > 1 3C5x9 board(s) on ISA found at 0x300
 > ep0 at 0x300-0x30f irq 10 on isa
 > ep0: aui/bnc[*BNC*] address 00:a0:24:0a:5a:fe irq 10
 > npx0 on motherboard
 > npx0: 387 emulator
 > devfs ready to run
 > 
 > Script started on Sun Dec 24 22:00:19 1995
 > freebsd# kgdb kernel.sym.1 vmcore.1
 > GDB is free software and you are welcome to distribute copies of it
 >  under certain conditions; type "show copying" to see the conditions.
 > There is absolutely no warranty for GDB; type "show warranty" for details.
 > GDB 4.13 (i386-unknown-freebsd), 
 > Copyright 1994 Free Software Foundation, Inc...
 > IdlePTD 214000
 > current pcb at 1e0098
 > panic: unmount: dangling vnode
 > #0  boot (howto=260) at ../../i386/i386/machdep.c:914
 > 914					dumppcb.pcb_ptd = rcr3();
 > (kgdb) up 10
 > #10 0xf0129aa8 in dounmount (mp=0xf0624600, flags=0, p=0xf0660f00)
 >     at ../../kern/vfs_syscalls.c:311
 > 311				panic("unmount: dangling vnode");
 > (kgdb) list
 > 306			CIRCLEQ_REMOVE(&mountlist, mp, mnt_list);
 > 307			mp->mnt_vnodecovered->v_mountedhere = (struct mount *)0;
 > 308			vfs_unlock(mp);
 > 309			mp->mnt_vfc->vfc_refcount--;
 > 310			if (mp->mnt_vnodelist.lh_first != NULL)
 > 311				panic("unmount: dangling vnode");
 > 312			free((caddr_t)mp, M_MOUNT);
 > 313		}
 > 314		return (error);
 > 315	}
 > (kgdb) print mp
 > $1 = (struct mount *) 0xf0624600
 > (kgdb) print mountlist
 > $2 = {cqh_first = 0xf05e5a00, cqh_last = 0xf06d8e00}
 > (kgdb) print mnt_list
 > No symbol "mnt_list" in current context.
 > (kgdb) print mp->mnt_vnodecovered->v_mountedhere
 > There is no member named v_mountedhere.
 > (kgdb) print  mp->mnt_vfc->vfc_refcount
 > $3 = 1
 > (kgdb) print mp->mnt_vnodelist.lh_first
 > $4 = (struct vnode *) 0xf063ed00
 > (kgdb) quit
 > freebsd# exit
 > exit
 > 
 > Script done on Sun Dec 24 22:03:32 1995
 > 
 > 
 > >Description:
 > 
 > 	When trying to umount one of two occurances of devfs being
 > 	mounted, the system panic'd.  both occurances were mounted to
 > 	/devfs.  Having previously done this with another directory, that
 > 	was mounted twice, to the same mount-point, it was (falsely?)
 > 	assumed that it would work here.
 > 
 > >How-To-Repeat:
 > 
 > 	
 > 
 > >Fix:
 > 	
 > 	
 > 
 > >Audit-Trail:
 > >Unformatted:
 > 
 
State-Changed-From-To: open->closed 
State-Changed-By: scrappy 
State-Changed-When: Thu Apr 25 12:07:43 PDT 1996 
State-Changed-Why:  
Havecn't seen this one but once 
>Unformatted:
