freebsd stable - Sep 2005 - 6.0BETA4: panic: unrhdr has 9 allocations

Hi,

on

FreeBSD 6.0-BETA4 #10: Sun Sep  4 22:19:26 CEST 2005 /usr/obj/usr/src/sys/RENE 

I saw this panic after the following:

# mount_procfs procfs /proc
  (loads procfs.ko and pseudofs.ko)
<play with truss>
# umount /proc
# kldunload procfs

I'll leave the dump around for a while.

#0  doadump () at pcpu.h:165
165	pcpu.h: No such file or directory.
	in pcpu.h
(kgdb) bt f
#0  doadump () at pcpu.h:165
No locals.
#1  0xc044c9a6 in db_fncall (dummy1=0, dummy2=0, dummy3=1999, 
    dummy4=0xcf174a3c " ?u?") at /usr/src/sys/ddb/db_command.c:489
	fn_addr = -1068248576
	args = {0, -820557304, -1066944787, -1065639616, 28, -820557304, 
  -1069226763, 32, -1066234688, 2}
	nargs = 0
	retval = 544973344
	t = 0
#2  0xc044c722 in db_command (last_cmdp=0xc075d624, cmd_table=0x0, 
    aux_cmd_tablep=0xc07235f0, aux_cmd_tablep_end=0xc07235f4)
    at /usr/src/sys/ddb/db_command.c:349
	cmd = (struct command *) 0xc0728e40
	t = 0
	modif = "
?u?\000\000\000\000XJ\027?\r\000\000\000??|?\r\000\000\000\001\000\000\000xJ\027???i?@?{?\aK\000
$?|??\037{? ?u?x\000\000\000
?u?\000\000\000\000\234J\027???D??\005p?p?D?\000\000\000\000\020\000\000\000\000\000\000\000
?u?\206?D? ?u???u?x\000\000\000\000K\027?"
	addr = 0
	count = 1999
	have_addr = 0
	result = 0
#3  0xc044c835 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
No locals.
#4  0xc044e9a5 in db_trap (type=3, code=0) at /usr/src/sys/ddb/db_main.c:221
	jb = {{_jb = {-820557056, -820557084, -820557004, -1042394752, 0, 
      -1069225658, 0, 0, 0, 0, -820557004, -1068123920}}}
	prev_jb = (void *) 0x0
	bkpt = 0
#5  0xc055b977 in kdb_trap (type=0, code=0, tf=0xcf174b94)
    at /usr/src/sys/kern/subr_kdb.c:473
	handled = -820556908
#6  0xc06be108 in trap (frame      {tf_fs = -1066401784, tf_es = 40, tf_ds =
-820576216, tf_edi = 1, tf_esi = -1066387444, tf_ebp = -820556836, tf_isp =
-820556864, tf_ebx = -820556780, tf_edx = 0, tf_ecx = -1056878592, tf_eax = 18,
tf_trapno = 3, tf_err = 0, tf_eip = -1068124560, tf_cs = 32, tf_eflags = 642,
tf_esp = -1066392053, tf_ss = -1066400620}) at /usr/src/sys/i386/i386/trap.c:601
	td = (struct thread *) 0xc1de5180
	p = (struct proc *) 0xc16d520c
	sticks = 3229006976
	i = 0
	ucode = 0
	type = 3
	code = 0
	eva = 0
#7  0xc06ab72a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
No locals.
#8  0xc0700008 in ?? ()
No symbol table info available.
#9  0x00000028 in ?? ()
No symbol table info available.
#10 0xcf170028 in ?? ()
No symbol table info available.
#11 0x00000001 in ?? ()
No symbol table info available.
#12 0xc070380c in ?? ()
No symbol table info available.
#13 0xcf174bdc in ?? ()
No symbol table info available.
#14 0xcf174bc0 in ?? ()
No symbol table info available.
#15 0xcf174c14 in ?? ()
No symbol table info available.
#16 0x00000000 in ?? ()
No symbol table info available.
#17 0xc1015000 in ?? ()
No symbol table info available.
#18 0x00000012 in ?? ()
No symbol table info available.
#19 0x00000003 in ?? ()
No symbol table info available.
#20 0x00000000 in ?? ()
No symbol table info available.
#21 0xc055b670 in kdb_enter (msg=0x0) at cpufunc.h:60
No locals.
#22 0xc053dab5 in panic (fmt=0xc070380c "unrhdr has %u allocations")
    at /usr/src/sys/kern/kern_shutdown.c:537
	td = (struct thread *) 0xc1de5180
	bootopt = 256
	newpanic = 1
	ap = 0xcf174c14 "\t"
	buf = "unrhdr has 9 allocations", '\0' <repeats 231
times>
#23 0xc0565e62 in delete_unrhdr (uh=0x0) at /usr/src/sys/kern/subr_unit.c:321
No locals.
#24 0xc271f54a in ?? ()
No symbol table info available.
#25 0xc21dfa80 in ?? ()
No symbol table info available.
#26 0xc07659dc in lockbuilder_pool ()
No symbol table info available.
#27 0xc26457a0 in ?? ()
No symbol table info available.
#28 0xc26457a0 in ?? ()
No symbol table info available.
#29 0xcf174c40 in ?? ()
No symbol table info available.
#30 0xc2644089 in ?? ()
No symbol table info available.
#31 0xc2645840 in ?? ()
No symbol table info available.
#32 0xc26457a0 in ?? ()
No symbol table info available.
#33 0xcf174c54 in ?? ()
No symbol table info available.
#34 0xc059dbab in vfs_unregister (vfc=0xc26457a0)
    at /usr/src/sys/kern/vfs_init.c:265
	vfsp = (struct vfsconf *) 0xc2645840
	error = 0
	maxtypenum = 0
Previous frame inner to this frame (corrupt stack?)
(kgdb) q
-- 
GPG fingerprint = 5FFA 3959 3377 C697 8428  24D0 BF3E F4A9 AE33 5DCC

"It won't fit on the line."
		-- me, 2001
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20050912/89b56f56/attachment.bin

Some kgdb'ing :

On Mon, Sep 12, 2005 at 02:40:40PM +0200, Rene Ladan
wrote:
> 
> FreeBSD 6.0-BETA4 #10: Sun Sep  4 22:19:26 CEST 2005
/usr/obj/usr/src/sys/RENE
> 
[snip instructions]

[snip trap stuff/missing symbols]
> #22 0xc053dab5 in panic (fmt=0xc070380c "unrhdr has %u
allocations")
>     at /usr/src/sys/kern/kern_shutdown.c:537
> 	td = (struct thread *) 0xc1de5180
> 	bootopt = 256
> 	newpanic = 1
> 	ap = 0xcf174c14 "\t"
> 	buf = "unrhdr has 9 allocations", '\0' <repeats 231
times>
> #23 0xc0565e62 in delete_unrhdr (uh=0x0) at
/usr/src/sys/kern/subr_unit.c:321
(kgdb) frame 23
#23 0xc0565e62 in delete_unrhdr (uh=0x0) at /usr/src/sys/kern/subr_unit.c:321
321		KASSERT(uh->busy == 0, ("unrhdr has %u allocations",
uh->busy));
(kgdb) l *0xc0565e62
0xc0565e62 is in delete_unrhdr (/usr/src/sys/kern/subr_unit.c:322).
317	delete_unrhdr(struct unrhdr *uh)
318	{
319	
320		check_unrhdr(uh, __LINE__);
321		KASSERT(uh->busy == 0, ("unrhdr has %u allocations",
uh->busy));
322		KASSERT(uh->alloc == 0, ("UNR memory leak in delete_unrhdr"));
323		Free(uh);
324	}
325	
326	static __inline int
(kgdb) print uh
$1 = (struct unrhdr *) 0x0

NULL pointer derefence !  Which means that the value '9' in the panic
messge has no meaning.

[snip missing symbols]
> #34 0xc059dbab in vfs_unregister (vfc=0xc26457a0)
>     at /usr/src/sys/kern/vfs_init.c:265
> 	vfsp = (struct vfsconf *) 0xc2645840
> 	error = 0
> 	maxtypenum = 0
(kgdb) frame 34
#34 0xc059dbab in vfs_unregister (vfc=0xc26457a0)
    at /usr/src/sys/kern/vfs_init.c:265
265			error = (*vfc->vfc_vfsops->vfs_uninit)(vfsp);
(kgdb) l *0xc059dbab
0xc059dbab is in vfs_unregister (/usr/src/sys/kern/vfs_init.c:267).
262		if (vfsp->vfc_refcount)
263			return EBUSY;
264		if (vfc->vfc_vfsops->vfs_uninit != NULL) {
265			error = (*vfc->vfc_vfsops->vfs_uninit)(vfsp);
266			if (error)
267				return (error);
268		}
269		TAILQ_REMOVE(&vfsconf, vfsp, vfc_list);
270		maxtypenum = VFS_GENERIC;
271		TAILQ_FOREACH(vfsp, &vfsconf, vfc_list)
(kgdb) print vfc
$2 = (struct vfsconf *) 0xc26457a0
(kgdb) print *vfc
$3 = {vfc_version = 426115360, 
  vfc_name = "procfs\000\000\000\000\000\000\000\000\000", 
  vfc_vfsops = 0xc26457e0, vfc_typenum = 5, vfc_refcount = 0, 
  vfc_flags = 524288, vfc_opts = 0x0, vfc_list = {tqe_next = 0x0, 
    tqe_prev = 0xc07373c8}}
(kgdb) print vfc->vfc_vfsops
$4 = (struct vfsops *) 0xc26457e0
(kgdb) print *vfc->vfc_vfsops
$5 = {vfs_mount = 0xc2644020, vfs_cmount = 0, vfs_unmount = 0xc271f3b0, 
  vfs_root = 0xc271f3f0, vfs_quotactl = 0xc059c7f0 <vfs_stdquotactl>, 
  vfs_statfs = 0xc271f420, vfs_sync = 0xc059ca00 <vfs_stdnosync>, 
  vfs_vget = 0xc059ca10 <vfs_stdvget>, 
  vfs_fhtovp = 0xc059ca20 <vfs_stdfhtovp>, 
  vfs_checkexp = 0xc059d270 <vfs_stdcheckexp>, 
  vfs_vptofh = 0xc059c7e0 <vfs_stdvptofh>, vfs_init = 0xc2644050, 
  vfs_uninit = 0xc2644070, vfs_extattrctl = 0xc059ca50
<vfs_stdextattrctl>,
  vfs_sysctl = 0xc059ca90 <vfs_stdsysctl>}
(kgdb) print *vfc->vfc_vfsops->vfs_uninit
$6 = {int (struct vfsconf *)} 0xc2644070
(kgdb) print *vfsp->vfc_vfsops->vfs_uninit
$10 = {vfc_version = 1668248176, 
  vfc_name = "fs", '\0' <repeats 11 times>,
"=d?", vfc_vfsops = 0xc2644010,
  vfc_typenum = -1038294528, vfc_refcount = -1066149436, 
  vfc_flags = -1032710148, vfc_opts = 0xc27217fc, vfc_list = {
    tqe_next = 0x30000, tqe_prev = 0xc19f16dc}}
(kgdb) print *vfsp->vfc_vfsops
$11 = {vfs_mount = 0x89c03155, vfs_cmount = 0x89c35de5, 
  vfs_unmount = 0x27bc8df6, vfs_root = 0, vfs_quotactl = 0x83e58955, 
  vfs_statfs = 0x4c70cec, vfs_sync = 0x64584024, vfs_vget = 0xc458bc2, 
  vfs_fhtovp = 0x8244489, vfs_checkexp = 0x8908458b, vfs_vptofh = 0xe8042444, 
  vfs_init = 0xdb2a0, vfs_uninit = 0xb48dc3c9, vfs_extattrctl = 0x26, 
  vfs_sysctl = 0x27bc8d00}
(kgdb) print *vfsp->vfc_vfsops->vfs_uninit
Cannot access memory at address 0xb48dc3c9

Huh?  Something has gone out of kernel memory?

Regards,
Rene
-- 
GPG fingerprint = 5FFA 3959 3377 C697 8428  24D0 BF3E F4A9 AE33 5DCC

"It won't fit on the line."
		-- me, 2001
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :
http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20050912/7788fa36/attachment.bin

On Mon, 12 Sep 2005, Rene Ladan wrote:
> Hi,
>
> on
Could you file a PR on this?  It sounds like a bug in one of three places: 
the unit allocation routines, procfs, or vfs.  If I had to guess, procfs 
or VFS, but you never know.

Thanks,

Robert N M Watson
>
> FreeBSD 6.0-BETA4 #10: Sun Sep  4 22:19:26 CEST 2005
/usr/obj/usr/src/sys/RENE
>
> I saw this panic after the following:
>
> # mount_procfs procfs /proc
>  (loads procfs.ko and pseudofs.ko)
> <play with truss>
> # umount /proc
> # kldunload procfs
>
> I'll leave the dump around for a while.
>
> #0  doadump () at pcpu.h:165
> 165	pcpu.h: No such file or directory.
> 	in pcpu.h
> (kgdb) bt f
> #0  doadump () at pcpu.h:165
> No locals.
> #1  0xc044c9a6 in db_fncall (dummy1=0, dummy2=0, dummy3=1999,
>    dummy4=0xcf174a3c " ?u?") at /usr/src/sys/ddb/db_command.c:489
> 	fn_addr = -1068248576
> 	args = {0, -820557304, -1066944787, -1065639616, 28, -820557304,
>  -1069226763, 32, -1066234688, 2}
> 	nargs = 0
> 	retval = 544973344
> 	t = 0
> #2  0xc044c722 in db_command (last_cmdp=0xc075d624, cmd_table=0x0,
>    aux_cmd_tablep=0xc07235f0, aux_cmd_tablep_end=0xc07235f4)
>    at /usr/src/sys/ddb/db_command.c:349
> 	cmd = (struct command *) 0xc0728e40
> 	t = 0
> 	modif = "
?u?\000\000\000\000XJ\027?\r\000\000\000??|?\r\000\000\000\001\000\000\000xJ\027???i?@?{?\aK\000
$?|??\037{? ?u?x\000\000\000
?u?\000\000\000\000\234J\027???D??\005p?p?D?\000\000\000\000\020\000\000\000\000\000\000\000
?u?\206?D? ?u???u?x\000\000\000\000K\027?"
> 	addr = 0
> 	count = 1999
> 	have_addr = 0
> 	result = 0
> #3  0xc044c835 in db_command_loop () at /usr/src/sys/ddb/db_command.c:455
> No locals.
> #4  0xc044e9a5 in db_trap (type=3, code=0) at
/usr/src/sys/ddb/db_main.c:221
> 	jb = {{_jb = {-820557056, -820557084, -820557004, -1042394752, 0,
>      -1069225658, 0, 0, 0, 0, -820557004, -1068123920}}}
> 	prev_jb = (void *) 0x0
> 	bkpt = 0
> #5  0xc055b977 in kdb_trap (type=0, code=0, tf=0xcf174b94)
>    at /usr/src/sys/kern/subr_kdb.c:473
> 	handled = -820556908
> #6  0xc06be108 in trap (frame>      {tf_fs = -1066401784, tf_es = 40,
tf_ds = -820576216, tf_edi = 1, tf_esi = -1066387444, tf_ebp = -820556836,
tf_isp = -820556864, tf_ebx = -820556780, tf_edx = 0, tf_ecx = -1056878592,
tf_eax = 18, tf_trapno = 3, tf_err = 0, tf_eip = -1068124560, tf_cs = 32,
tf_eflags = 642, tf_esp = -1066392053, tf_ss = -1066400620}) at
/usr/src/sys/i386/i386/trap.c:601
> 	td = (struct thread *) 0xc1de5180
> 	p = (struct proc *) 0xc16d520c
> 	sticks = 3229006976
> 	i = 0
> 	ucode = 0
> 	type = 3
> 	code = 0
> 	eva = 0
> #7  0xc06ab72a in calltrap () at /usr/src/sys/i386/i386/exception.s:139
> No locals.
> #8  0xc0700008 in ?? ()
> No symbol table info available.
> #9  0x00000028 in ?? ()
> No symbol table info available.
> #10 0xcf170028 in ?? ()
> No symbol table info available.
> #11 0x00000001 in ?? ()
> No symbol table info available.
> #12 0xc070380c in ?? ()
> No symbol table info available.
> #13 0xcf174bdc in ?? ()
> No symbol table info available.
> #14 0xcf174bc0 in ?? ()
> No symbol table info available.
> #15 0xcf174c14 in ?? ()
> No symbol table info available.
> #16 0x00000000 in ?? ()
> No symbol table info available.
> #17 0xc1015000 in ?? ()
> No symbol table info available.
> #18 0x00000012 in ?? ()
> No symbol table info available.
> #19 0x00000003 in ?? ()
> No symbol table info available.
> #20 0x00000000 in ?? ()
> No symbol table info available.
> #21 0xc055b670 in kdb_enter (msg=0x0) at cpufunc.h:60
> No locals.
> #22 0xc053dab5 in panic (fmt=0xc070380c "unrhdr has %u
allocations")
>    at /usr/src/sys/kern/kern_shutdown.c:537
> 	td = (struct thread *) 0xc1de5180
> 	bootopt = 256
> 	newpanic = 1
> 	ap = 0xcf174c14 "\t"
> 	buf = "unrhdr has 9 allocations", '\0' <repeats 231
times>
> #23 0xc0565e62 in delete_unrhdr (uh=0x0) at
/usr/src/sys/kern/subr_unit.c:321
> No locals.
> #24 0xc271f54a in ?? ()
> No symbol table info available.
> #25 0xc21dfa80 in ?? ()
> No symbol table info available.
> #26 0xc07659dc in lockbuilder_pool ()
> No symbol table info available.
> #27 0xc26457a0 in ?? ()
> No symbol table info available.
> #28 0xc26457a0 in ?? ()
> No symbol table info available.
> #29 0xcf174c40 in ?? ()
> No symbol table info available.
> #30 0xc2644089 in ?? ()
> No symbol table info available.
> #31 0xc2645840 in ?? ()
> No symbol table info available.
> #32 0xc26457a0 in ?? ()
> No symbol table info available.
> #33 0xcf174c54 in ?? ()
> No symbol table info available.
> #34 0xc059dbab in vfs_unregister (vfc=0xc26457a0)
>    at /usr/src/sys/kern/vfs_init.c:265
> 	vfsp = (struct vfsconf *) 0xc2645840
> 	error = 0
> 	maxtypenum = 0
> Previous frame inner to this frame (corrupt stack?)
> (kgdb) q
> -- 
> GPG fingerprint = 5FFA 3959 3377 C697 8428  24D0 BF3E F4A9 AE33 5DCC
>
> "It won't fit on the line."
> 		-- me, 2001
>