From owner-freebsd-bugs@FreeBSD.ORG Thu Nov 11 10:10:29 2004 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBDF116A4D1 for ; Thu, 11 Nov 2004 10:10:29 +0000 (GMT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 53E9443D5F for ; Thu, 11 Nov 2004 10:10:22 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.11/8.12.11) with ESMTP id iABAAMiq052892 for ; Thu, 11 Nov 2004 10:10:22 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.11/8.12.11/Submit) id iABAAMbb052890; Thu, 11 Nov 2004 10:10:22 GMT (envelope-from gnats) Resent-Date: Thu, 11 Nov 2004 10:10:22 GMT Resent-Message-Id: <200411111010.iABAAMbb052890@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Douglas Wells Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C1B8916A4CE for ; Thu, 11 Nov 2004 10:06:32 +0000 (GMT) Received: from filbert.contek.com (contek.ultranet.com [146.115.254.63]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4233243D31 for ; Thu, 11 Nov 2004 10:06:31 +0000 (GMT) (envelope-from sysmaint@filbert.contek.com) Received: by filbert.contek.com (Postfix, from userid 10112) id E4CA710730; Wed, 10 Nov 2004 21:54:02 -0500 (EST) Message-Id: <20041111025402.E4CA710730@filbert.contek.com> Date: Wed, 10 Nov 2004 21:54:02 -0500 (EST) From: Douglas Wells To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 cc: Douglas Wells Subject: kern/73807: panic: mutex nfsd_mtx not owned in NFS server X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Douglas Wells List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Nov 2004 10:10:30 -0000 >Number: 73807 >Category: kern >Synopsis: panic: mutex nfsd_mtx not owned in NFS server >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 11 10:10:21 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Douglas Wells >Release: FreeBSD 5.3 >Organization: Connection Technologies >Environment: System: FreeBSD filbert.contek.com 5.2.1-RELEASE-p11 FreeBSD 5.2.1-RELEASE-p11 #2: Wed Nov 10 16:59:00 EST 2004 root@filbert.contek.com:/var/obj/usr/src.5.2.1/sys/FILBERT i386 The problem environment is the same as the system above except that the OS is FreeBSD 5.3 - cvsup updated (RELENG_5_3) November 9 evening. Updated from 5.2.1 via recommended buildworld / buildkernel sequence. >Description: The FreeBSD system panics when I attempt to boot a diskless Sun 3 that mounts all filesystems from the FreeBSD system. The problem began as a NULL pointer dereference when I used a custom SMP kernel. The same NULL pointer deference occurred when I repeated the problem with a stock GENERIC kernel compiled from the same sources. I then ran a variant of GENERIC with the following options: options INVARIANT_SUPPORT options INVARIANTS options KDB_TRACE options KDB options DDB Repeating the bootload of the Sun 3 led to the following panic, which I presume to be due to the same cause as the NULL pointer deference: (This information is retyped.) panic: mutex nfsd_mtx not owned at ... nfs_serv.c:4493 mtx_assert+5c (c08d97c0, 1, c08160f7, 118d) nfsrv_access+28 (c7217420, 80, c2142180, 0, c1a79190) nfsrv_create+84c (c22142100, c1d62d80, c1a79190, d5469c98, c08d97c0) nfssvc_nfsd+3d5 (c1a79190, c08067a3, 12b, c1c360bc, c1c36000) nfssvc+18c (c1a79190, d5469d14, 2, 0, 296) syscall+213 (2f, 2f, 2f, bf??eec4, 4) thread 100051 I repeated the experiment several times and generally the addresses and thread id vary from run to run. The exceptions are the last arg (c08d97c0) to nfsrv_create and the second arg (c08067a3) to nfssvc_nfsd. Analysis: I believe that the problem is due to the system mishandling RPC requests for mounts of regular files (mountd(8) -r): - If I remove the -r option to mountd and attempt to boot the Sun 3, the FreeBSD system does not panic (but of course, the Sun 3 does not boot properly). - If I leave the Sun 3 up from having booted from a 5.2.1 system, the FreeBSD system panics very soon after it starts up system daemons. (Note that the mountd daemon would not be invoked in this case. The NFS request would use information retained from the previous (5.2.1) boot.) Additional notes: - This bootload operationg has previously worked regularly on both 5.1 and 5.2+. - I have modified mountd to support v2 mounts, but I disabled my extensions during at least some of the tests above. These extensions are simple. - Note that the hardware system has 2 AMD Athlon CPUs, but I understand that by not including the SMP kernel option, the OS behaves as though the hardware were uniprocessor. >How-To-Repeat: This happens repeatably whenever I attempt to bootload the Sun 3. I presume that sending the NFS server an I/O request for any regular file that is being treated as a mount point would also trigger this problem. >Fix: None known. >Release-Note: >Audit-Trail: >Unformatted: