Subject: kern/32908: fdesc + procfs = kernel panic
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Johan Veenhuizen <veenhuizen@users.sourceforge.net>
List: netbsd-bugs
Date: 02/22/2006 23:55:00
>Number: 32908
>Category: kern
>Synopsis: fdesc + procfs = kernel panic
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Feb 22 23:55:00 +0000 2006
>Originator: Johan Veenhuizen
>Release: NetBSD 3.0
>Organization:
>Environment:
System: NetBSD carola.zapto.org 3.0 NetBSD 3.0 (CAROLA) #0: Tue Feb 21 15:27:43 CET 2006 jpv@carola.zapto.org:/usr/src/sys/arch/i386/compile/CAROLA i386
Architecture: i386
Machine: i386
>Description:
The file systems fdesc and procfs do not work well together.
The kernel panics under some circumstances if the "fd/"
directories are used simultaneously in both file systems.
The problem occurs both when union-mounting fdesc and when
mounting it on e.g. /mnt, so the problem is not related
to the union.
>How-To-Repeat:
The following procedure will trigger the panic. Also note
the mysterious value of "total" in the ls(1) listing. It
is a very even number if you print it in hex. This large
value could have something to do with the page fault.

Finally, the kernel panics a second time when sync is called
for in ddb, this time complaining about a deadlock.

Btw, the panic is also triggered if I predict the pid
of ls(1) and list /proc/<pid of ls>/fd instead of using
the curproc symlink.

The kernel does not panic unless the -l option is given
to ls(1). The working directory must be /mnt/fd.

# mount -t fdesc fdesc /mnt
# cd /mnt/fd
# ls -l /proc/curproc/fd
total 36028797018963967 <--- WOW!!!
crw------- 1 root wheel 0,1 Feb 22 17:30 0
crw------- 1 root wheel 0,1 Feb 22 17:30 1
crw------- 1 root wheel 0,1 Feb 22 17:30 2
uvm_fault(0xca6a82a0, 0, 0, 1)->0xe
kernel: page fault trap, code=0
Stopped in pid 624.1 (ls) at netbsd:fdesc_readdir+0x63: movl 0xc(%eax), %eax
db> bt
fdesc_readdir ...
VOP_READDIR ...
getcwd_scandir ...
getcwd_common ...
procfs_readlink ...
VOP_READLINK ...
sys_readlink ...
syscall_plain ...
--- syscall (number 58) ---
0xbdbc89c3
db> sync
syncing disks... done
unmounting file systems...unmount of /mnt failed with error 10
panic: lockmgr: draining against myself
Stopped in pid 624.1 (ls) at netbsd:cpu_Debugger + 0x4 leave
db>
>Fix:
Not known.
>Unformatted: