From root@hest.borderworlds.dk  Mon Jun  5 16:18:31 2006
Return-Path: <root@hest.borderworlds.dk>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id CAB6B16BB44
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  5 Jun 2006 16:18:31 +0000 (UTC)
	(envelope-from root@hest.borderworlds.dk)
Received: from ferengi.borderworlds.dk (ferengi.borderworlds.dk [80.166.152.7])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 636F743D46
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  5 Jun 2006 16:18:30 +0000 (GMT)
	(envelope-from root@hest.borderworlds.dk)
Received: from hest.borderworlds.dk (unknown [10.1.0.32])
	by ferengi.borderworlds.dk (Postfix) with ESMTP id 4F3BAB98E
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  5 Jun 2006 17:17:59 +0200 (CEST)
Received: from hest.borderworlds.dk (localhost [127.0.0.1])
	by hest.borderworlds.dk (8.13.6/8.13.6) with ESMTP id k55HMAi7000942
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 5 Jun 2006 19:22:10 +0200 (CEST)
	(envelope-from root@hest.borderworlds.dk)
Received: (from root@localhost)
	by hest.borderworlds.dk (8.13.6/8.13.6/Submit) id k55HMAkk000941;
	Mon, 5 Jun 2006 19:22:10 +0200 (CEST)
	(envelope-from root)
Message-Id: <200606051722.k55HMAkk000941@hest.borderworlds.dk>
Date: Mon, 5 Jun 2006 19:22:10 +0200 (CEST)
From: Christian Laursen <xi@borderworlds.dk>
Reply-To: Christian Laursen <xi@borderworlds.dk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Kernel panic on ggate destroy 
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         98538
>Category:       kern
>Synopsis:       [geom] Kernel panic on ggate destroy
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    pjd
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 05 16:20:17 GMT 2006
>Closed-Date:    Tue Sep 05 22:05:30 GMT 2006
>Last-Modified:  Tue Sep 05 22:05:30 GMT 2006
>Originator:     Christian Laursen
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
The Border Worlds 
>Environment:
System: FreeBSD hest.borderworlds.dk 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Mon Jun 5 17:48:41 CEST 2006 root@hest.borderworlds.dk:/usr/obj/usr/src/sys/HEST i386


	
>Description:
When destroying two ggate providers after each other the kernel panics.

The backtrace looks like this:
#0  doadump () at pcpu.h:166
#1  0xc06984a4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
#2  0xc06987b9 in panic (fmt=0xc08da3ee "%s")
    at /usr/src/sys/kern/kern_shutdown.c:565
#3  0xc0892f12 in trap_fatal (frame=0xc8506a54, eva=3735929054)
    at /usr/src/sys/i386/i386/trap.c:870
#4  0xc0892c1b in trap_pfault (frame=0xc8506a54, usermode=0, eva=3735929054)
    at /usr/src/sys/i386/i386/trap.c:778
#5  0xc0892839 in trap (frame=
      {tf_fs = 8, tf_es = 40, tf_ds = 40, tf_edi = 0, tf_esi = 1, tf_ebp = -934253932, tf_isp = -934253952, tf_ebx = -1064209282, tf_edx = -559038242, tf_ecx = 0, tf_eax = -559038242, tf_trapno = 12, tf_err = 0, tf_eip = -1066392268, tf_cs = 32, tf_eflags = 66118, tf_esp = -934253728, tf_ss = -1066705864})
    at /usr/src/sys/i386/i386/trap.c:463
#6  0xc087d9aa in calltrap () at /usr/src/sys/i386/i386/exception.s:138
#7  0xc0702534 in strlen (str=0xdeadc0de <Address 0xdeadc0de out of bounds>)
    at /usr/src/sys/libkern/strlen.c:41
#8  0xc06b5c38 in kvprintf (fmt=0xc091747e " @ %s:%d", 
    func=0xc06b5540 <snprintf_func>, arg=0xc8506b7c, radix=10, 
    ap=0xc8506bc4 ".#\233\035\002") at /usr/src/sys/kern/subr_prf.c:681
#9  0xc06b54dd in vsnprintf (
    str=0xdeadc0de <Address 0xdeadc0de out of bounds>, size=3735929054, 
    format=0xc0917463 "mtx_lock() of spin mutex %s @ %s:%d", 
    ap=0xc8506bc0 ".#\233\035\002") at /usr/src/sys/kern/subr_prf.c:414
#10 0xc06986f6 in panic (fmt=0xc0917463 "mtx_lock() of spin mutex %s @ %s:%d")
    at /usr/src/sys/kern/kern_shutdown.c:532
#11 0xc068fd0a in _mtx_lock_flags (m=0xc1980038, opts=0, 
    file=0xc19b232e "/usr/src/sys/modules/geom/geom_gate/../../../geom/gate/g_gate.c", line=541) at /usr/src/sys/kern/kern_mutex.c:279
#12 0xc19b17aa in ?? ()
#13 0xc1980038 in ?? ()
#14 0x00000000 in ?? ()
#15 0xc19b232e in ?? ()
#16 0x0000021d in ?? ()
#17 0xc1980010 in ?? ()
#18 0x00000000 in ?? ()
#19 0xc0913fef in ?? ()
#20 0x00000044 in ?? ()
#21 0xc8506c10 in ?? ()
#22 0xc0671d72 in dev_refthread (dev=0xc1980000)
    at /usr/src/sys/kern/kern_conf.c:124
#23 0xc064c43f in devfs_ioctl_f (fp=0xc1980038, com=3245738024, 
    data=0xc172f940, cred=0xc18c3680, td=0xc178fd80)
    at /usr/src/sys/fs/devfs/devfs_vnops.c:401
#24 0xc06c0d8c in ioctl (td=0xc178fd80, uap=0xc8506d04) at file.h:265
#25 0xc0893216 in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = 0, tf_esi = 0, tf_ebp = -1078074552, tf_isp = -934253212, tf_ebx = 0, tf_edx = -1077943392, tf_ecx = 0, tf_eax = 54, tf_trapno = 22, tf_err = 2, tf_eip = 672789399, tf_cs = 51, tf_eflags = 662, tf_esp = -1078074580, tf_ss = 59}) at /usr/src/sys/i386/i386/trap.c:1016
#26 0xc087d9ff in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:191
#27 0x00000033 in ?? ()


	
>How-To-Repeat:
I have reproduced this on both 7.0-CURRENT and 6.1-RELEASE.

The following sequence of commands triggers the panic every time I try:

# ggatec create -o rw 10.1.0.2 /tmp/fil1.img
ggate0
# ggatec create -o rw 10.1.0.2 /tmp/fil1.img
ggate1
# ggatec destroy -u 0; ggatec destroy -u 1

	
>Fix:

	


>Release-Note:
>Audit-Trail:

From: Christian Laursen <xi@borderworlds.dk>
To: bug-followup@FreeBSD.org,xi@borderworlds.dk
Cc:  
Subject: Re: kern/98538: Kernel panic on ggate destroy
Date: Tue, 06 Jun 2006 09:20:48 +0200

 The path in the second create command should of course have pointed to
 /tmp/fil2.img.
 
 -- 
 Christian Laursen
Responsible-Changed-From-To: freebsd-bugs->freebsd-geom 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Jun 15 03:54:50 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98538 

From: mglaum@sdf.lonestar.org
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/98538: [geom] Kernel panic on ggate destroy
Date: Tue, 15 Aug 2006 13:08:07 -0000 (UTC)

    A quick glance at /usr/src/sys/geom/gate/g_gate.c, I suspect the problem
    is that in the g_gate_ioctl() switch case G_GATE_CMD_DESTROY, there's a
    mtx_lock() but no subsequent mtx_unlock().
 
    I've got a patch devised, below, but do not have the time or resources
    to try it. Would someone be willing to review this, try a patch and run
    a test? The Makefile is in /usr/src/sys/modules/geom/geom_gate. Again,
    I'm not sure about the positioning of the mtx_unlock().
 
 Michael Glaum
 KVH Industries
 mglaum@kvh.com
 
 [patch for /usr/src/sys/geom/gate/g_gate.c]
 --- g_gate.c    Tue Aug  1 16:00:34 2006
 +++ g_gate.c.orig       Tue Aug  1 16:00:02 2006
 @@ -487,7 +487,6 @@
                 error = g_gate_destroy(sc, ggio->gctl_force);
                 if (error == 0)
                         g_gate_wither(sc);
 -               mtx_unlock(&g_gate_list_mtx);
                 g_topology_unlock();
                 g_gate_release(sc);
                 return (error);
Responsible-Changed-From-To: freebsd-geom->pjd 
Responsible-Changed-By: pjd 
Responsible-Changed-When: Tue Sep 5 22:02:56 UTC 2006 
Responsible-Changed-Why:  
This one is mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98538 
State-Changed-From-To: open->closed 
State-Changed-By: pjd 
State-Changed-When: Tue Sep 5 22:03:27 UTC 2006 
State-Changed-Why:  
The patch is wrong I'm afraid - g_gate_destroy() should release 
the g_gate_list_mtx lock. 
I fixed the problem with destroy (and also forcible destroy) in 
HEAD. I'll MFC those fixes before 6.2-RELEASE. 

Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=98538 
>Unformatted:
