Date: Wed, 3 Jan 2007 03:21:33 +0700 (KRAT)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/107439: 6.2-PRE repeatable panic: userret: Returning with 1 locks held
Message-ID: <200701022021.l02KLXkf001599@grosbein.pp.ru>
Resent-Message-ID: <200701022030.l02KUGDQ057965@freefall.freebsd.org>

>Number: 107439
>Category: kern
>Synopsis: 6.2-PRE repeatable panic: userret: Returning with 1 locks held
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jan 02 20:30:16 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Eugene Grosbein
>Release: FreeBSD 6.2-PRERELEASE i386
>Organization: Svyaz Service JSC
>Environment:

System: FreeBSD grosbein.pp.ru 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #7: Wed Jan 3 02:16:56 KRAT 2007 eu@grosbein.pp.ru:/mnt/home/obj/usr/local/src/sys/DADV i386

GENERIC kernel plus options INVARIANTS/INVARIANT_SUPPORT

>Description:

An attempt to move a file from an r/w mounted NTFS to UFS produces a deadlock
on UFS when the kernel is compiled without INVARIANTS, or an immediate panic
with INVARIANTS.

>How-To-Repeat:

I'll show how to reproduce this with file systems mounted using
file-backed md devices; however, this problem exists for "real"
file systems too.

Feel free to fetch http://www.grosbein.pp.ru/panic/ntfs.img.gz
This is a compressed (152KB) image of an NTFS (8Mb) made with
Windows XP Professional Service Pack 2 (or you may use another NTFS
if you have one).

Then make a new UFS to play with. I do not recommend using a real UFS:
it will be locked and a clean unmount will be impossible.
Again, you may start doing this in single mode without extra FS mounted
and processes running.

Now do:

    dd if=/dev/zero of=ufs.img bs=1m count=1
    mdufs=/dev/`mdconfig -a -t vnode -f ufs.img`
    newfs $mdufs
    mdntfs=/dev/`mdconfig -a -t vnode -f ntfs.img`
    mkdir -p /mnt/ufs /mnt/ntfs
    mount $mdufs /mnt/ufs
    mount_ntfs $mdntfs /mnt/ntfs

Now you have NTFS mounted r/w in /mnt/ntfs and UFS mounted r/w in /mnt/ufs.

Now do:

    mv /mnt/ntfs/file /mnt/ufs/

If your kernel was compiled without INVARIANTS, you'll get
'Operation not supported' and the system will continue to run,
but any process trying to read from /mnt/ufs (including ls -l /mnt/ufs)
will lock with uninterruptible disk I/O and will be unkillable
even with kill -9.

For a kernel with INVARIANTS (including GENERIC plus this option)
you'll get a kernel panic immediately. Sadly, the crashdump always contains
a corrupted stack, whether it was compiled with debug info or not.

Here is an attempt to get a backtrace (I used 'set hw.physmem=33554432'
in the boot loader prompt, or else it does not finish the crashdump for
all my 1024MB of RAM for an unknown reason):

panic: userret: Returning with 1 locks held.
cpuid = 0
KDB: stack backtrace:
kdb_backtrace(c0740077,0,c07214ce,c4b19cbc,c1addc00,...) at 0xc0544a83 = kdb_backtrace+0x2f
panic(c07214ce,1,c0596fbf,c1addc00,2d,...) at 0xc0527eb1 = panic+0x129
userret(c1addc00,c4b19d38,1,280bf000,2,...) at 0xc054da0d = userret+0xf5
syscall(3b,3b,3b,bfbfee53,bfbfe8f0,...) at 0xc06e06ea = syscall+0x371
Xint0x80_syscall() at 0xc06ca1ff = Xint0x80_syscall+0x1f
--- syscall (45, FreeBSD ELF32, ktrace), eip = 0x280bf94b, esp = 0xbfbfe21c, ebp = 0xbfbfe8a8 ---
Uptime: 5m49s
Dumping 31 MB (2 chunks)
  chunk 0: 1MB (159 pages) ... ok
  chunk 1: 31MB (7936 pages) 16

#0  doadump () at pcpu.h:165
165             __asm __volatile("movl %%fs:0,%0" : "=r" (td));
(kgdb) bt full
#0  doadump () at pcpu.h:165
No locals.
#1  0xc0527ba0 in boot (howto=260)
    at /usr/local/src/sys/kern/kern_shutdown.c:409
        first_buf_printf = 1
#2  0xc0527f2d in panic (
    fmt=0xc07214ce "userret: Returning with %d locks held.")
    at /usr/local/src/sys/kern/kern_shutdown.c:565
        td = (struct thread *) 0xc1addc00
        bootopt = 260
        newpanic = 1
        ap = 0xc4b19cbc "\001"
        buf = "userret: Returning with 1 locks held.", '\0' <repeats 218 times>
#3  0xc054da0d in userret (td=0xc1addc00, frame=0xc4b19d38, oticks=1)
    at /usr/local/src/sys/kern/subr_trap.c:140
        p = (struct proc *) 0xc1adc430
#4  0xc06e06ea in syscall (frame=
      {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077940653, tf_esi = -1077942032, tf_ebp = -1077942104, tf_isp = -994992796, tf_ebx = -1077940653, tf_edx = -1, tf_ecx = 2, tf_eax = 45, tf_trapno = 12, tf_err = 2, tf_eip = 671873355, tf_cs = 51, tf_eflags = 647, tf_esp = -1077943780, tf_ss = 59})
    at /usr/local/src/sys/i386/i386/trap.c:1034
        params = 0xbfbfe220 <Address 0xbfbfe220 out of bounds>
---Type <return> to continue, or q <return> to quit---
        callp = (struct sysent *) 0xc0756be0
        td = (struct thread *) 0xc1addc00
        p = (struct proc *) 0xc1adc430
        orig_tf_eflags = 646
        sticks = 1
        error = 45
        narg = 2
        args = {-1077940653, -1077942032, 654, 671873348, 12, 0, 1, -1045576656}
        code = 128
#5  0xc06ca1ff in Xint0x80_syscall ()
    at /usr/local/src/sys/i386/i386/exception.s:200
No locals.
#6  0x00000033 in ?? ()
No symbol table info available.
Previous frame inner to this frame (corrupt stack?)

>Fix:

Unknown. The workaround is to always mount NTFS read-only.

Eugene Grosbein
>Release-Note:
>Audit-Trail:
>Unformatted:
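
An added example, not part of the original report: a check for the workaround named under >Fix, listing NTFS file systems that are still mounted read-write. It assumes mount(8)-style lines of the form "<device> on <mountpoint> (<fstype>, <option>, ...)"; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report NTFS mounts that are not read-only, so that the
# "always mount NTFS read-only" workaround can be audited on a host.

# ntfs_rw_mounts: reads mount(8)-style lines on stdin and prints the mount
# point of every NTFS file system whose option list lacks "read-only".
ntfs_rw_mounts() {
    awk '
    / on / {
        # Locate the trailing parenthesised list: " (fstype, opt, ...)"
        if (!match($0, / \([^()]*\)$/)) next
        opts = substr($0, RSTART + 2, RLENGTH - 3)
        head = substr($0, 1, RSTART - 1)

        n = split(opts, o, /, */)
        if (o[1] != "ntfs") next          # first entry is the fs type

        ro = 0
        for (i = 2; i <= n; i++)
            if (o[i] == "read-only") ro = 1
        if (ro) next                      # workaround already applied

        # The mount point is everything after the first " on "
        print substr(head, index(head, " on ") + 4)
    }'
}

# sample_mounts: constructed input (assumed format), mirroring the layout
# from the report plus one NTFS volume that is already read-only.
sample_mounts() {
    cat <<'EOF'
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local)
/dev/md0 on /mnt/ufs (ufs, local)
/dev/md1 on /mnt/ntfs (ntfs, local)
/dev/ad1s1 on /mnt/win (ntfs, local, read-only)
EOF
}

# On a live system, replace sample_mounts with: mount
for mp in $(sample_mounts | ntfs_rw_mounts); do
    echo "NTFS mounted read-write: $mp"
done
```

Any mount point it reports should be unmounted and mounted again read-only before files are moved off it.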