On Mon, Dec 02, 2024 at 05:22:23PM +0100, Alexander Bluhm wrote:
> panic: Data modified on freelist: word 11 of object 0xd7632800 size 0x270
> previous type mount (0xdead410f != 0xdead4110)
It looks like the struct mount mnt_lock rwl_readers was decremented
after free. rwl_readers = 3735896335 = 0xdead410f, which is one less
than the 0xdead4110 value the freelist check expected.
This happens in vfs_busy() with RW_READ. The new rw_do_enter_read()
function added a call to rw_dec(&rwl->rwl_readers) there.
I have the impression that the reimplementation of rw-lock makes
the problem visible. Accessing struct mount after sleep is
questionable. Does anything prevent a file system unmount while
sleeping in vfs_busy()?
bluhm
ddb{0}> show struct mount 0xd7632800
struct mount at 0xd7632800 (624 bytes) {mnt_list = {tqe_next = (struct mount
*)0xdead4110, tqe_prev = 0xdead4110}, mnt_dounmount = {sle_next = (struct mount
*)0xdead4110}, mnt_op = (const vfsops *)0xdead4110, mnt_vfc = (struct vfsconf
*)0xdead4110, mnt_vnodecovered = (struct vnode *)0xdead4110, mnt_syncer =
(struct vnode *)0xdead4110, mnt_vnodelist = {tqh_first = (struct vnode
*)0xdead4110, tqh_last = 0xdead4110}, mnt_lock = {rwl_owner = 3735896336,
rwl_waiters =735896336, rwl_readers = 3735896335, rwl_name = (const char
*)0xdead4110}, mnt_flag = -559070960, mnt_stat = {f_flags = 3735896336, f_bsize
= 3735896336, f_iosize = 16384, f_blocks = 504711, f_bfree = 504710, f_bavail =
479475, f_files = 155518, f_ffree = 155517, f_favail = 155517, f_syncwrites =
66, f_syncreads = 7262, f_asyncwrites = 2403, f_asyncreads = 0, f_fsid = {val =
[3584,-539189856]}, f_namemax = 255, f_owner = 0, f_ctime = 1733155970,
f_fstypename = [102,102,115,0,0,0,0,0,0,0,0,0,0,0,0,0], f_mntonname =
[47,109,110,116,47,114,101,103,114,101,115,115,45,109,111,117,110,116,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
f_mntfromname =
[47,100,101,118,47,118,110,100,48,97,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
f_mntfromspec =
[47,100,101,118,47,118,110,100,48,97,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
mount_info = {ufs_args = {fspec = (char *)0xcf7c412e, export_info = {ex_flags
= 0, ex_root = 4294967294, ex_anon = {cr_uid = 0, cr_gid = 0, cr_ngroups =
-12305, cr_groups =
[0,0,354339725,0,4096,3,354339848,1983602688,4096,1,891120276,4096,0,0,891094272,3481026492]},
ex_addr = (struct sockaddr *)0x151ecc60, ex_addrlen = 354341792, ex_mask =
(struct sockaddr *)0x0, ex_masklen = 0}}, mfs_args = {fspec = (char
*)0xcf7c412e, export_info = {ex_flags = 0, ex_root = 4294967294, ex_anon =
{cr_uid = 0, cr_gid = 0, cr_ngroups = -12305, cr_groups =
[0,0,354339725,0,4096,3,354339848,1983602688,4096,1,891120276,4096,0,0,891094272,3481026492]},
ex_addr = (struct sockaddr *)0x151ecc60, ex_addrlen = 354341792, ex_mask =
(struct sockaddr *)0x0, ex_masklen = 0}, base = (char *)0x0, size = 0},
nfs_args = {version = -813940434, addr = (struct sockaddr *)0x0, addrlen = -2,
sotype = 0, proto = 0, fh = (u_char *)0x151ecfef, fhsize = 0, flags = 0, wsize
= 354339725, rsize = 0, readdirsize = 4096, timeo = 3, retrans = 354339848,
maxgrouplist = 1983602688, readahead = 4096, leaseterm = 1, deadthresh =
891120276, hostname = (char *)0x1000, acregmin = 0, acregmax = 0, acdirmin =
891094272, acdirmax = -813940804}, iso_args = {fspec = (char *)0xcf7c412e,
export_info = {ex_flags = 0, ex_root = 4294967294, ex_anon = {cr_uid = 0,
cr_gid = 0, cr_ngroups = -12305, cr_groups =
[0,0,354339725,0,4096,3,354339848,1983602688,4096,1,891120276,4096,0,0,891094272,3481026492]},
ex_addr = (struct sockaddr *)0x151ecc60, ex_addrlen = 354341792, ex_mask =
(struct sockaddr *)0x0, ex_masklen = 0}, flags = 0, sess = 0}, msdosfs_args =
{fspec = (char *)0xcf7c412e, export_info = {ex_flags = 0, ex_root = 4294967294,
ex_anon = {cr_uid = 0, cr_gid = 0, cr_ngroups = -12305, cr_groups =
[0,0,354339725,0,4096,3,354339848,1983602688,4096,1,891120276,4096,0,0,891094272,3481026492]},
ex_addr = (struct sockaddr *)0x151ecc60, ex_addrlen = 354341792, ex_mask =
(struct sockaddr *)0x0, ex_masklen = 0}, uid = 0, gid = 0, mask = 0, flags =
0}, ntfs_args = {fspec = (char *)0xcf7c412e, export_info = {ex_flags = 0,
ex_root = 4294967294, ex_anon = {cr_uid = 0, cr_gid = 0, cr_ngroups = -12305,
cr_groups =
[0,0,354339725,0,4096,3,354339848,1983602688,4096,1,891120276,4096,0,0,891094272,3481026492]},
ex_addr = (struct sockaddr *)0x151ecc60, ex_addrlen = 354341792, ex_mask =
(struct sockaddr *)0x0, ex_masklen = 0}, uid = 0, gid = 0, mode = 0, flag = 0},
tmpfs_args = {ta_version = -813940434, ta_nodes_max = 18446744065119617024,
ta_size_max = 0, ta_root_uid = 354340847, ta_root_gid = 0, ta_root_mode = 0},
__align =
[46,65,124,-49,0,0,0,0,-2,-1,-1,-1,0,0,0,0,0,0,0,0,-17,-49,30,21,0,0,0,0,0,0,0,0,-115,-53,30,21,0,0,0,0,0,16,0,0,3,0,0,0,8,-52,30,21,0,96,59,118,0,16,0,0,1,0,0,0,-108,106,29,53,0,16,0,0,0,0,0,0,0,0,0,0,0,5,29,53,-68,63,124,-49,96,-52,30,21,-96,-45,30,21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]}},
mnt_data = (void *)0x0}
ddb{0}> x/x 0xd7632800,0t78
0xd7632800: dead4110
0xd7632804: dead4110
0xd7632808: dead4110
0xd763280c: dead4110
0xd7632810: dead4110
0xd7632814: dead4110
0xd7632818: dead4110
0xd763281c: dead4110
0xd7632820: dead4110
0xd7632824: dead4110
0xd7632828: dead4110
0xd763282c: dead410f
0xd7632830: dead4110
0xd7632834: dead4110
0xd7632838: dead4110
0xd763283c: dead4110
0xd7632840: 4000
0xd7632844: 7b387
0xd7632848: 0
0xd763284c: 7b386
0xd7632850: 0
0xd7632854: 750f3
0xd7632858: 0
0xd763285c: 25f7e
0xd7632860: 0
0xd7632864: 25f7d
0xd7632868: 0
0xd763286c: 25f7d
0xd7632870: 0
0xd7632874: 42
0xd7632878: 0
0xd763287c: 1c5e
0xd7632880: 0
0xd7632884: 963
0xd7632888: 0
0xd763288c: 0
0xd7632890: 0
0xd7632894: e00
0xd7632898: dfdc9da0
0xd763289c: ff
0xd76328a0: 0
0xd76328a4: 674ddc82
0xd76328a8: 0
0xd76328ac: 736666
0xd76328b0: 0
0xd76328b4: 0
0xd76328b8: 0
0xd76328bc: 746e6d2f
0xd76328c0: 6765722f
0xd76328c4: 73736572
0xd76328c8: 756f6d2d
0xd76328cc: 746e
0xd76328d0: 0
0xd76328d4: 0
0xd76328d8: 0
0xd76328dc: 0
0xd76328e0: 0
0xd76328e4: 0
0xd76328e8: 0
0xd76328ec: 0
0xd76328f0: 0
0xd76328f4: 0
0xd76328f8: 0
0xd76328fc: 0
0xd7632900: 0
0xd7632904: 0
0xd7632908: 0
0xd763290c: 0
0xd7632910: 0
0xd7632914: 642f0000
0xd7632918: 762f7665
0xd763291c: 6130646e
0xd7632920: 0
0xd7632924: 0
0xd7632928: 0
0xd763292c: 0
0xd7632930: 0
0xd7632934: 0