Date: Sun, 6 Jul 2014 17:25:12 +0000
From: Steve Wills <swills@freebsd.org>
To: Ryan Stone <rysto32@gmail.com>
Cc: virtualization@freebsd.org, FreeBSD Current <current@freebsd.org>
Subject: Re: tmpfs panic
Message-ID: <20140706172511.GA84461@mouf.net>
In-Reply-To: <CAFMmRNzTFOVBSoU%2BCMnnEJ_rUooLC4v742hetMtXWMu_RmPzYw@mail.gmail.com>
References: <20140706135333.GA80856@mouf.net> <20140706154621.GA81830@mouf.net> <CAFMmRNzTFOVBSoU%2BCMnnEJ_rUooLC4v742hetMtXWMu_RmPzYw@mail.gmail.com>

On Sun, Jul 06, 2014 at 12:28:07PM -0400, Ryan Stone wrote:
> On Sun, Jul 6, 2014 at 11:46 AM, Steve Wills <swills@freebsd.org> wrote:
> > I should have noted this system is running in bhyve. Also I'm told this panic
> > may be related to the fact that the system is running in bhyve.
> >
> > Looking at it a little more closely:
> >
> > (kgdb) list *__mtx_lock_sleep+0xb1
> > 0xffffffff809638d1 is in __mtx_lock_sleep (/usr/src/sys/kern/kern_mutex.c:431).
> > 426              * owner stops running or the state of the lock changes.
> > 427              */
> > 428             v = m->mtx_lock;
> > 429             if (v != MTX_UNOWNED) {
> > 430                     owner = (struct thread *)(v & ~MTX_FLAGMASK);
> > 431                     if (TD_IS_RUNNING(owner)) {
> > 432                             if (LOCK_LOG_TEST(&m->lock_object, 0))
> > 433                                     CTR3(KTR_LOCK,
> > 434                                         "%s: spinning on %p held by %p",
> > 435                                         __func__, m, owner);
> > (kgdb)
> >
> > I'm told that MTX_CONTESTED was set on the unlocked mtx and that MTX_CONTENDED
> > is spuriously left behind, and to ask how lock prefix is handled in bhyve. Any
> > of that make sense to anyone?
>
> The mutex has both MTX_CONTESTED and MTX_UNOWNED set on it? That is a
> special sentinel value that is set on a mutex when it is destroyed
> (see MTX_DESTROYED in sys/mutex.h). If that is the case it looks like
> you've stumbled upon some kind of use-after-free in tmpfs. I doubt
> that bhyve is responsible (other than perhaps changing the timing
> around making the panic more likely to happen).

Given the first thing seen was:

Freed UMA keg (TMPFS node) was not empty (16 items). Lost 1 pages of memory.

this sounds reasonable to me. What can I do to help find and eliminate the
source of the error?

Steve
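
Added example (not part of the original message or of the FreeBSD source): a user-space C model of the lock-word test in the quoted kern_mutex.c listing. It shows that a word holding the destroyed sentinel passes the `v != MTX_UNOWNED` check on line 429 and leaves a NULL owner for TD_IS_RUNNING() on line 431, which is where the listing points. The numeric flag values, the sample thread address and the helper names are assumptions; only "MTX_DESTROYED is MTX_CONTESTED plus MTX_UNOWNED" comes from the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits of the mtx_lock word; the numeric values are assumptions. */
#define MTX_RECURSED  ((uintptr_t)0x1)
#define MTX_CONTESTED ((uintptr_t)0x2)
#define MTX_UNOWNED   ((uintptr_t)0x4)
#define MTX_FLAGMASK  (MTX_RECURSED | MTX_CONTESTED | MTX_UNOWNED)
/* Sentinel described in the thread: set when the mutex is destroyed. */
#define MTX_DESTROYED (MTX_CONTESTED | MTX_UNOWNED)

enum mtx_state { MTX_ST_UNOWNED, MTX_ST_DESTROYED, MTX_ST_OWNED, MTX_ST_CORRUPT };

/* Owner pointer exactly as line 430 of the listing computes it. */
static uintptr_t mtx_word_owner(uintptr_t v) { return v & ~MTX_FLAGMASK; }

/* Hypothetical triage helper: classify a raw mtx_lock word read in kgdb. */
static enum mtx_state mtx_word_classify(uintptr_t v)
{
    if (v == MTX_UNOWNED)
        return MTX_ST_UNOWNED;
    if (v == MTX_DESTROYED)
        return MTX_ST_DESTROYED;      /* lock used after mtx_destroy() */
    if (mtx_word_owner(v) != 0)
        return MTX_ST_OWNED;
    return MTX_ST_CORRUPT;            /* flag bits only, no owner */
}

/* Nonzero if lines 429-431 would hand a NULL owner to TD_IS_RUNNING(). */
static int spin_path_derefs_null(uintptr_t v)
{
    return v != MTX_UNOWNED && mtx_word_owner(v) == 0;
}

int main(void)
{
    /* Constructed sample words; 0x12345000 stands in for a thread pointer. */
    uintptr_t samples[] = { MTX_UNOWNED, MTX_DESTROYED,
        (uintptr_t)0x12345000, (uintptr_t)0x12345000 | MTX_CONTESTED };
    static const char *names[] = { "unowned", "destroyed", "owned", "corrupt" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("word=%#lx state=%s owner=%#lx null-deref=%d\n",
            (unsigned long)samples[i], names[mtx_word_classify(samples[i])],
            (unsigned long)mtx_word_owner(samples[i]),
            spin_path_derefs_null(samples[i]));
    return 0;
}
```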