Date:      Sun, 6 Jul 2014 12:28:07 -0400
From:      Ryan Stone <rysto32@gmail.com>
To:        Steve Wills <swills@freebsd.org>
Cc:        virtualization@freebsd.org, FreeBSD Current <current@freebsd.org>
Subject:   Re: tmpfs panic
Message-ID:  <CAFMmRNzTFOVBSoU%2BCMnnEJ_rUooLC4v742hetMtXWMu_RmPzYw@mail.gmail.com>
In-Reply-To: <20140706154621.GA81830@mouf.net>
References:  <20140706135333.GA80856@mouf.net> <20140706154621.GA81830@mouf.net>

On Sun, Jul 6, 2014 at 11:46 AM, Steve Wills <swills@freebsd.org> wrote:
> I should have noted this system is running in bhyve. Also I'm told this panic
> may be related to the fact that the system is running in bhyve.
>
> Looking at it a little more closely:
>
> (kgdb) list *__mtx_lock_sleep+0xb1
> 0xffffffff809638d1 is in __mtx_lock_sleep (/usr/src/sys/kern/kern_mutex.c:431).
> 426                      * owner stops running or the state of the lock changes.
> 427                      */
> 428                     v = m->mtx_lock;
> 429                     if (v != MTX_UNOWNED) {
> 430                             owner = (struct thread *)(v & ~MTX_FLAGMASK);
> 431                             if (TD_IS_RUNNING(owner)) {
> 432                                     if (LOCK_LOG_TEST(&m->lock_object, 0))
> 433                                             CTR3(KTR_LOCK,
> 434                                                 "%s: spinning on %p held by %p",
> 435                                                 __func__, m, owner);
> (kgdb)
>
> I'm told that MTX_CONTESTED was set on the unlocked mtx and that MTX_CONTENDED
> is spuriously left behind, and to ask how lock prefix is handled in bhyve. Any
> of that make sense to anyone?

The mutex has both MTX_CONTESTED and MTX_UNOWNED set on it?  That is a
special sentinel value that is set on a mutex when it is destroyed
(see MTX_DESTROYED in sys/mutex.h).  If that is the case it looks like
you've stumbled upon some kind of use-after-free in tmpfs.  I doubt
that bhyve is responsible (other than perhaps changing the timing
around making the panic more likely to happen).
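An added illustration (not code from the thread or from the FreeBSD tree) of the decode that __mtx_lock_sleep performs on a raw mtx_lock word, using the flag values defined in FreeBSD's sys/sys/mutex.h: it shows why the MTX_DESTROYED sentinel strips down to a NULL owner pointer on the path quoted above, and classifies a lock word copied out of kgdb before anything dereferences it. The owner address is a constructed sample.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag bits and the destroyed-lock sentinel as defined in FreeBSD's
 * sys/sys/mutex.h (the header the reply above refers to). */
#define MTX_RECURSED   ((uintptr_t)0x1)
#define MTX_CONTESTED  ((uintptr_t)0x2)
#define MTX_UNOWNED    ((uintptr_t)0x4)
#define MTX_FLAGMASK   (MTX_RECURSED | MTX_CONTESTED | MTX_UNOWNED)
#define MTX_DESTROYED  (MTX_CONTESTED | MTX_UNOWNED)

enum mtx_state { MTX_ST_UNOWNED, MTX_ST_OWNED, MTX_ST_DESTROYED };

/* Owner extraction as kern_mutex.c line 430 does it: strip the flag bits.
 * For the MTX_DESTROYED word (0x6) every set bit is a flag bit, so the
 * "owner" comes out as 0, i.e. a NULL struct thread pointer, which is
 * what TD_IS_RUNNING() on line 431 then dereferences. */
static uintptr_t mtx_owner_bits(uintptr_t v)
{
    return v & ~MTX_FLAGMASK;
}
/* Classify a raw mtx_lock word (for example one copied out of kgdb). */
static enum mtx_state classify_mtx_lock(uintptr_t v)
{
    if (v == MTX_DESTROYED)          /* CONTESTED|UNOWNED: mtx_destroy() ran */
        return MTX_ST_DESTROYED;
    if (v == MTX_UNOWNED)            /* free lock, no flags */
        return MTX_ST_UNOWNED;
    return MTX_ST_OWNED;             /* thread pointer, possibly with flags */
}
/* Returns 1 only when the word carries a real owner pointer that may be
 * dereferenced; a destroyed or free lock yields 0 instead of a NULL owner. */
static int mtx_owner_is_dereferenceable(uintptr_t v)
{
    return classify_mtx_lock(v) == MTX_ST_OWNED && mtx_owner_bits(v) != 0;
}

/* Constructed sample: a thread pointer with MTX_CONTESTED set on it. */
static const uintptr_t SAMPLE_OWNED = (uintptr_t)0xfffff80003a2c000ULL | MTX_CONTESTED;

int main(void)
{
    uintptr_t words[] = { MTX_UNOWNED, SAMPLE_OWNED, MTX_DESTROYED };
    for (int i = 0; i < 3; i++)
        printf("%#lx: state %d, owner %#lx, deref ok %d\n", (unsigned long)words[i],
               classify_mtx_lock(words[i]), (unsigned long)mtx_owner_bits(words[i]),
               mtx_owner_is_dereferenceable(words[i]));
    return 0;
}
```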


