Subject: kern/32923: incomplete vfs_shutdown() LWP change makes a panic while DDB reboot
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <nisimura@netbsd.org>
List: netbsd-bugs
Date: 02/24/2006 06:45:01
>Number:         32923
>Category:       kern
>Synopsis:       incomplete vfs_shutdown() LWP change makes a panic while DDB reboot
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Feb 24 06:45:01 +0000 2006
>Originator:     Toru Nishimura
>Release:        NetBSD-current 20060215
>Organization:
ALKYL Technology
>Environment:
NetBSD mesa81 3.99.15 NetBSD 3.99.15 (SIP) #1: Fri Feb 24 12:11:54 JST 2006  nisimura@paq12.local:/u0/060215/src/sys/arch/mesa/compile/SIP mesa
(local ARM9 port)
>Description:
The LWP change made at 2005-12-11 against vfs_shutdown() of vfs_subr.c 1.255 may allow a NULL lwp pointer to be passed to the vfs_unmountall() call, which eventually triggers a kernel panic inside the dounmountall() routine. The following excerpt is a DDB session initiated in single user mode by sending a BREAK:

mesa81# ~Stopped at      netbsd:cpu_Debugger+0x4:        mov     r15, r14
db> reboot
boot: howto=00000000 curproc=0x0
syncing disks... done
unmounting file systems...Fatal kernel mode data abort: 'External Non-Linefetch Abort (S)'
trapframe: 0xc2e418a4
FSR=000000f8, FAR=e59ff11c, spsr=20000013
r0 =c0206368, r1 =c2e418d4, r2 =c2e76fdc, r3 =e59ff114
r4 =00000000, r5 =c1131000, r6 =00000001, r7 =00000000
r8 =00080000, r9 =00000000, r10=c017ae6c, r11=c2e4191c
r12=c2e418d0, ssp=c2e418f0, slr=c1133000, pc =c014caec

Stopped at      netbsd:dounmount+0x2b8: ldr     r1, [r3, #0x008]
db> trace
netbsd:dounmount+0x10
        scp=0xc014c844 rlv=0xc014ae60 (netbsd:vfs_unmountall+0xa8)
        rsp=0xc2e41920 rfp=0xc2e41944
        r8=0x00000000 r7=0x00000000
        r6=0xc01e1eb4 r5=0xc1131000 r4=0xc1133000
netbsd:vfs_unmountall+0x10
        scp=0xc014adc8 rlv=0xc01895d8 (netbsd:cpu_reboot+0xe8)
        rsp=0xc2e41948 rfp=0xc2e4195c
        r8=0xe7ffffff r7=0x00000000
        r6=0xc01dd080 r5=0xc2e41980 r4=0x00000000
netbsd:cpu_reboot+0x10
        scp=0xc0189500 rlv=0xc00596bc (netbsd:db_reboot_cmd+0x48)
        rsp=0xc2e41960 rfp=0xc2e41974
        r4=0xc01dd100
netbsd:db_reboot_cmd+0x10
        scp=0xc0059684 rlv=0xc00591f8 (netbsd:db_command+0x8c)
        rsp=0xc2e41978 rfp=0xc2e41a1c
...

sys_sync() happens to be protected from a NULL lwp and has no trouble.
>How-To-Repeat:
Try a DDB reboot under the curlwp == NULL condition.
>Fix:
Back out the vfs_unmountall() LWP change or add more code in vfs_shutdown().
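The failure pattern in this report, a teardown path that assumes a valid current LWP but can be entered from DDB with curproc=0x0, and the second of the two proposed fixes (a guard in vfs_shutdown()), modelled as an added example in user-space C. This is not NetBSD's vfs_subr.c; the struct definitions, the function names prefixed model_, the shutdown_lwp() helper and the mount list are constructed stand-ins for illustration only.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel structures involved; not NetBSD's definitions. */
struct proc { int p_pid; };
struct lwp  { struct proc *l_proc; };

struct mount {
    const char   *mnt_path;
    int           mnt_unmounted;
    struct mount *mnt_next;
};

/* A context that is always valid, standing in for lwp0/proc0. */
static struct proc proc0 = { 0 };
static struct lwp  lwp0  = { &proc0 };

/*
 * Model of dounmount(): like the real routine it derives the calling
 * process from the lwp, so handing it a NULL lwp faults right here.
 * This is the point the report's trace stops at (dounmount+0x2b8).
 */
static int
model_dounmount(struct mount *mp, struct lwp *l)
{
    int pid = l->l_proc->p_pid;      /* NULL l -> kernel mode data abort */

    mp->mnt_unmounted = 1;
    printf("unmount %s by pid %d\n", mp->mnt_path, pid);
    return 0;
}

/* Model of vfs_unmountall(): walks the mount list, passing the lwp through unchanged. */
static int
model_vfs_unmountall(struct mount *head, struct lwp *l)
{
    int n = 0;

    for (struct mount *mp = head; mp != NULL; mp = mp->mnt_next)
        if (model_dounmount(mp, l) == 0)
            n++;
    return n;
}

/*
 * The "add more code in vfs_shutdown()" option: if there is no current LWP
 * (the DDB reboot case, curproc=0x0 in the session above), fall back to a
 * known-good context instead of passing NULL down the unmount chain.
 * Hypothetical helper, not NetBSD's code.
 */
static struct lwp *
shutdown_lwp(struct lwp *curlwp)
{
    return curlwp != NULL ? curlwp : &lwp0;
}

/* Model of vfs_shutdown() with the guard applied before the unmount pass. */
static int
model_vfs_shutdown(struct mount *head, struct lwp *curlwp)
{
    struct lwp *l = shutdown_lwp(curlwp);

    printf("syncing disks... done\n");
    printf("unmounting file systems...\n");
    return model_vfs_unmountall(head, l);
}

/* Constructed sample mount list: / and /usr. */
static struct mount mnt_usr  = { "/usr", 0, NULL };
static struct mount mnt_root = { "/",    0, &mnt_usr };

int
main(void)
{
    /* Reproduces the report's condition: shutdown entered with no current LWP. */
    int n = model_vfs_shutdown(&mnt_root, NULL);

    printf("unmounted %d file systems\n", n);
    return 0;
}
```

Without the guard, calling model_vfs_unmountall() with a NULL lwp dereferences it in model_dounmount(), which is the user-space equivalent of the data abort shown in the DDB session; with shutdown_lwp() in place the same call completes for every mount. Which context is substituted (lwp0 here) is a design choice that only matters if the unmount code needs more than a non-NULL pointer from it.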