https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=222027
Andriy Gapon <a...@freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open

--- Comment #9 from Andriy Gapon <a...@freebsd.org> ---
I devised a scenario for this bug.
Running it for 10 minutes reliably reproduces the crash.

In one shell executed this small script as root:

  while true ; do ( sleep 2 ; exec su -c xuser -m root -c ':' ) & sleep 0.001 ; done

The idea behind this script is to make a process noticed by vm_daemon so that its RACCT_RSS gets set and then call setloginclass() hoping to expose the race described in comment #7.
"xuser" login class is selected because it's not used by anything else, so the experiment is more pure.

In another shell executed this dtrace command:

  dtrace -w -n 'sys_setloginclass:entry { self->t = 1; } sys_setloginclass:return { self->t = 0; } proc_set_cred:entry /self->t/ { chill(100000000); }'

The idea is to make proc_set_cred() take much longer than usual while holding the proc lock, so that vm_daemon has much higher chances of running into that lock and getting blocked on it.
When sys_setloginclass() releases the lock, vm_daemon gets a chance to run and expose the race.

When I stop the test and initiate a graceful reboot, I get a panic about RACCT_RSS underflow in "root" login class:

panic: racct_adjust_resource: resource 4 usage < 0
cpuid = 2
time = 1523437499
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe002b46d860
vpanic() at vpanic+0x19c/frame 0xfffffe002b46d8e0
kassert_panic() at kassert_panic+0x126/frame 0xfffffe002b46d950
racct_adjust_resource() at racct_adjust_resource+0xd2/frame 0xfffffe002b46d980
racct_set_locked() at racct_set_locked+0x135/frame 0xfffffe002b46d9d0
racct_set() at racct_set+0x51/frame 0xfffffe002b46da00
vmspace_exit() at vmspace_exit+0x147/frame 0xfffffe002b46da40
exit1() at exit1+0x5ad/frame 0xfffffe002b46dab0
sys_sys_exit() at sys_sys_exit+0xd/frame 0xfffffe002b46dac0
amd64_syscall() at amd64_syscall+0x79b/frame 0xfffffe002b46dbf0
fast_syscall_common() at fast_syscall_common+0x105/frame 0xfffffe002b46dbf0
--- syscall (1, FreeBSD ELF64, sys_sys_exit), rip = 0x8008eb77a, rsp = 0x7fffffffe1a8, rbp = 0x7fffffffe1c0 ---

(kgdb) bt
#0  kdb_enter (why=0xffffffff814ee179 "panic", msg=<optimized out>) at /usr/devel/svn/autoro/sys/kern/subr_kdb.c:479
#1  0xffffffff80ac6549 in vpanic (fmt=<optimized out>, ap=0xfffffe002b46d920) at /usr/devel/svn/autoro/sys/kern/kern_shutdown.c:826
#2  0xffffffff80ac62f6 in kassert_panic (fmt=0xffffffff814ec548 "%s: resource %d usage < 0") at /usr/devel/svn/autoro/sys/kern/kern_shutdown.c:723
#3  0xffffffff80ab6ea2 in racct_adjust_resource (racct=0xfffff800074c6dd0, resource=4, amount=<optimized out>) at /usr/devel/svn/autoro/sys/kern/kern_racct.c:526
#4  0xffffffff80ab6965 in racct_set_locked (p=<optimized out>, resource=4, amount=<optimized out>, force=0) at /usr/devel/svn/autoro/sys/kern/kern_racct.c:618
#5  0xffffffff80ab67d1 in racct_set (p=0xfffff800149f7000, resource=4, amount=0) at /usr/devel/svn/autoro/sys/kern/kern_racct.c:739
#6  0xffffffff80de9577 in vmspace_container_reset (p=<optimized out>) at /usr/devel/svn/autoro/sys/vm/vm_map.c:318
#7  vmspace_exit (td=0xfffff8005d353000) at /usr/devel/svn/autoro/sys/vm/vm_map.c:427
#8  0xffffffff80a8175d in exit1 (td=0xfffff8005d353000, rval=<optimized out>, signo=0) at /usr/devel/svn/autoro/sys/kern/kern_exit.c:403
#9  0xffffffff80a811ad in sys_sys_exit (td=0xffffffff81d58408 <cnputs_mtx>, uap=<optimized out>) at /usr/devel/svn/autoro/sys/kern/kern_exit.c:181
#10 0xffffffff80f7df7b in syscallenter (td=0xfffff8005d353000) at /usr/devel/svn/autoro/sys/amd64/amd64/../../kern/subr_syscall.c:134
#11 amd64_syscall (td=0xfffff8005d353000, traced=0) at /usr/devel/svn/autoro/sys/amd64/amd64/trap.c:936

(kgdb) fr 3
#3  0xffffffff80ab6ea2 in racct_adjust_resource (racct=0xfffff800074c6dd0, resource=4, amount=<optimized out>) at /usr/devel/svn/autoro/sys/kern/kern_racct.c:526
526         KASSERT(RACCT_IS_SLOPPY(resource) || RACCT_IS_DECAYING(resource),

(kgdb) p *racct
$1 = {r_resources = {15961661599, 98304, 794624, 0, -1314816, 0, 3, 0, 51683328, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 2817797305501, 132851, 0, 0, 0, 0}, r_rule_links = {lh_first = 0x0}}

(kgdb) p *p->p_ucred->cr_loginclass
$4 = {lc_next = {le_next = 0xfffff800030692c0, le_prev = 0xfffff8000377b380}, lc_name = "root", '\000' <repeats 28 times>, lc_refcount = 6, lc_racct = 0xfffff800074c6dd0}

(kgdb) p *p->p_ucred->cr_loginclass->lc_racct
$5 = {r_resources = {15961661599, 98304, 794624, 0, -1314816, 0, 3, 0, 51683328, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 2817797305501, 132851, 0, 0, 0, 0}, r_rule_links = {lh_first = 0x0}}

-- 
You are receiving this mail because:
You are the assignee for the bug.
_______________________________________________
freebsd-bugs@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
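The comment above reproduces a race between vm_daemon setting a process's RACCT_RSS and setloginclass() moving that process's credential to another login class, and the symptom is the "usage < 0" KASSERT firing for the old ("root") class. The following C program is an added illustration written for this page; it is not code from the bug report or from the FreeBSD kernel, and its names (class_t, proc_t, rss_set_prepare, rss_set_commit, loginclass_change) are this example's own. It models only the general shape of such a race in a hierarchical accounting scheme: an RSS update that computes its delta against the class it read earlier, then applies it after a credential change has already moved the process's charges elsewhere, drives the old class below zero. The exact kernel interleaving is described in comment #7 of the bug and is not reproduced here; the schedule below is a deterministic stand-in, and the sample numbers (100, 40) are constructed.

```c
/*
 * Added example (not from the bug report or FreeBSD): a simplified model of
 * racct-style accounting where a process's RSS is charged to the process
 * itself and to the login class its credential currently points at.
 * All types and function names here are hypothetical.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { const char *name; long rss; } class_t;  /* one login class */
typedef struct { long rss; class_t *cls; } proc_t;        /* one process   */

/* Credential change: move the process to another class, transferring its
 * current charges.  Models the uncharge-old / charge-new done on cred change. */
static void loginclass_change(proc_t *p, class_t *to)
{
    p->cls->rss -= p->rss;   /* uncharge the old class */
    to->rss     += p->rss;   /* charge the new class   */
    p->cls = to;
}

/* Step 1 of the RSS update: snapshot the class and compute the delta
 * relative to the process's current charge. */
static void rss_set_prepare(const proc_t *p, long new_rss,
                            class_t **snap, long *delta)
{
    *snap  = p->cls;
    *delta = new_rss - p->rss;
}

/* Step 2: apply the delta to the process and to the snapshotted class. */
static void rss_set_commit(proc_t *p, long new_rss, class_t *snap, long delta)
{
    p->rss     = new_rss;
    snap->rss += delta;
}

/* Correct form: both steps as one unit with respect to class changes, so
 * the class read in step 1 is still the process's class in step 2. */
static void rss_set_atomic(proc_t *p, long new_rss)
{
    class_t *snap;
    long delta;
    rss_set_prepare(p, new_rss, &snap, &delta);
    rss_set_commit(p, new_rss, snap, delta);
}

/* The invariant the kernel's KASSERT enforces: usage never goes negative. */
bool usage_nonnegative(const class_t *c)
{
    return c->rss >= 0;
}

/* Schedule mirroring the report: the class change lands between the two
 * halves of the RSS update.  Returns the old class's final RSS;
 * a negative value is the underflow the KASSERT would catch. */
long run_racy(void)
{
    class_t root = {"root", 0}, xuser = {"xuser", 0};
    proc_t p = {0, &root};
    rss_set_atomic(&p, 100);                   /* 100 charged to root */

    class_t *snap;
    long delta;
    rss_set_prepare(&p, 40, &snap, &delta);    /* delta = -60, snap = root */
    loginclass_change(&p, &xuser);             /* root: 100 -> 0, xuser: 0 -> 100 */
    rss_set_commit(&p, 40, snap, delta);       /* root: 0 - 60 = -60 */

    printf("racy : root=%ld xuser=%ld proc=%ld nonneg=%d\n",
           root.rss, xuser.rss, p.rss, usage_nonnegative(&root));
    return root.rss;   /* -60 */
}

/* Same events, but the RSS update is not split around the class change. */
long run_fixed(void)
{
    class_t root = {"root", 0}, xuser = {"xuser", 0};
    proc_t p = {0, &root};
    rss_set_atomic(&p, 100);                   /* 100 charged to root */

    loginclass_change(&p, &xuser);             /* root: 0, xuser: 100 */
    rss_set_atomic(&p, 40);                    /* xuser: 100 -> 40, root untouched */

    printf("fixed: root=%ld xuser=%ld proc=%ld nonneg=%d\n",
           root.rss, xuser.rss, p.rss, usage_nonnegative(&root));
    return root.rss;   /* 0 */
}

int main(void)
{
    run_racy();
    run_fixed();
    return 0;
}
```

The point of the model is the ordering, not the numbers: whatever value vm_daemon decides on, a delta computed against one container and applied to it after the process has been re-parented leaves the old container short by that delta and the new one over by the same amount, and the old container is where the negative value, and hence the KASSERT, shows up. The dtrace chill() in the report widens exactly this window by making the credential change hold the proc lock for 100 ms.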