From owner-freebsd-stable@FreeBSD.ORG  Thu Jun  6 13:54:45 2013
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id D6C34470;
 Thu,  6 Jun 2013 13:54:45 +0000 (UTC) (envelope-from avg@FreeBSD.org)
Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140])
 by mx1.freebsd.org (Postfix) with ESMTP id D0BE012E2;
 Thu,  6 Jun 2013 13:54:44 +0000 (UTC)
Received: from odyssey.starpoint.kiev.ua (alpha-e.starpoint.kiev.ua
 [212.40.38.101])
 by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id QAA04628;
 Thu, 06 Jun 2013 16:54:35 +0300 (EEST)
 (envelope-from avg@FreeBSD.org)
Message-ID: <51B0949B.1050606@FreeBSD.org>
Date: Thu, 06 Jun 2013 16:54:35 +0300
From: Andriy Gapon <avg@FreeBSD.org>
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64;
 rv:17.0) Gecko/20130517 Thunderbird/17.0.6
MIME-Version: 1.0
To: Julian Stecklina <jsteckli@os.inf.tu-dresden.de>
Subject: Re: Reproducable Infiniband panic
References: <51B07705.207@os.inf.tu-dresden.de>
In-Reply-To: <51B07705.207@os.inf.tu-dresden.de>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: freebsd-stable@FreeBSD.org
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2013 13:54:45 -0000

on 06/06/2013 14:48 Julian Stecklina said the following:
> #7  0xffffffff807a3d83 in linux_file_dtor (cdp=0xfffffe000aeabb80) at
> /usr/home/julian/src/freebsd/sys/ofed/include/linux/linux_compat.c:214
> 	filp = (struct linux_file *) 0xfffffe000aeabb80
> #8  0xffffffff80513c39 in devfs_destroy_cdevpriv (p=0xfffffe0005772980)
> at /usr/home/julian/src/freebsd/sys/fs/devfs/devfs_vnops.c:159
> No locals.
> #9  0xffffffff80513e47 in devfs_close_f (fp=0xfffffe000b0e9aa0,
> td=<value optimized out>)
>     at /usr/home/julian/src/freebsd/sys/fs/devfs/devfs_vnops.c:619
> 	error = 0
> 	fpop = (struct file *) 0x0

The problem seems to be in incorrect interaction between devfs_close_f and
linux_file_dtor.  The latter expects curthread->td_fpop to have a valid reasonable
value.  But the former sets curthread->td_fpop to fp only around vnops.fo_close()
call and then restores it back to some (what?) previous value before calling
devfs_fpdrop->devfs_destroy_cdevpriv.  In this case the previous value is NULL.

-- 
Andriy Gapon