[DragonFlyBSD - Bug #2756] Hit kernel panic while running hammer show cmd

bugtracker-admin at leaf.dragonflybsd.org
Sat Jan 3 16:49:58 PST 2015

Issue #2756 has been updated by tuxillo.

Assignee set to tuxillo


There was some work in master that didn't go to release because the callout API changed and NATA locks were adapted as well.

commit 15bd3c7353c5ce02776849ca16be00d5088d8734
Author: Matthew Dillon <dillon at apollo.backplane.com>
Date:   Tue Nov 25 14:11:42 2014 -0800

    kernel - Fix boot-time panic in NATA revealed by new callout mechanics

Can you please try to reproduce it with latest master?

- Download latest ISO here: http://avalon.dragonflybsd.org/snapshots/x86_64/DragonFly-x86_64-LATEST-ISO.iso.bz2
- Boot your VM with it
- Mount your HAMMER fs from the LiveCD
- Run your show command redirecting the output to a file like you did before.

Let me know the results.

Antonio Huete

Bug #2756: Hit kernel panic while running hammer show cmd

* Author: tkusumi
* Status: New
* Priority: High
* Assignee: tuxillo
* Category: Kernel
* Target version: 4.0.x

Hit kernel panic while running hammer show cmd. All I did was

# uname -r
# hammer -f /dev/serno/xxxxxxxx.s1d show > show.out

where /dev/serno/xxxxxxxx.s1d is a volume for / hammerfs with enough space left. It's running as a VirtualBox guest on x86_64. It happens whenever the size of show.out gets around 250MB.

# df -h
Filesystem                           Size   Used  Avail Capacity  Mounted on
ROOT                                  74G   8.2G    66G    11%    /

x/i says it died at movl at dscheck+0x8b (ffffffff80618025)
ffffffff80618025:       44 8b 7b 0c             mov    0xc(%rbx),%r15d
ffffffff80618029:       44 3b 7d b8             cmp    -0x48(%rbp),%r15d
ffffffff8061802d:       77 28                   ja     ffffffff80618057 <dscheck+0xbd>

dscheck() was called as part of a sequence of btree lookups by hammer show. hammer_vop_strategy_read() -> hammer_ip_first() -> hammer_btree_lookup() -> btree_search() -> hammer_cursor_down() -> hammer_get_node() -> hammer_load_node() -> hammer_get_buffer() -> hammer_load_buffer() -> hammer_io_read() -> hammer_cluster_read() -> ... (failed to catch any further)

I looked at the disassembly of /boot/kernel/kernel, and this movl seems to be a null pointer dereference of *ssp at
if (slice >= ssp->dss_nslices)
of the following.

> struct bio *
> dscheck(cdev_t dev, struct bio *bio, struct diskslices *ssp)
> {
>         struct buf *bp = bio->bio_buf;
>         struct bio *nbio;
>         disklabel_t lp;
>         disklabel_ops_t ops;
>         long nsec;
>         u_int64_t secno;
>         u_int64_t endsecno;
>         u_int64_t slicerel_secno;
>         struct diskslice *sp;
>         u_int32_t part;
>         u_int32_t slice;
>         int shift;
>         int mask;
>         slice = dkslice(dev);
>         part  = dkpart(dev);
>         if (bio->bio_offset < 0) {
>                 kprintf("dscheck(%s): negative bio_offset %lld\n",
>                         devtoname(dev), (long long)bio->bio_offset);
>                 goto bad;
>         }
>         if (slice >= ssp->dss_nslices) {
>                 kprintf("dscheck(%s): slice too large %d/%d\n",
>                         devtoname(dev), slice, ssp->dss_nslices);
>                 goto bad;
>         }
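
The offset arithmetic behind the report's reading of the faulting instruction, as an added example that is not part of the original report or of the DragonFly source: it decodes the four instruction bytes quoted above and maps the displacement onto a struct layout. The layout of `struct diskslices_model` is an assumption for x86_64 (only `dss_nslices` is named in the report), and `decode_mov_load` and `field_at` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED x86_64 model of struct diskslices; only dss_nslices is on the page. */
struct diskslices_model {
    void    *dss_cdevsw;
    int      dss_first_bsd_slice;
    unsigned dss_nslices;
    unsigned dss_oflags;
};

struct field { const char *name; size_t off, size; };
#define F(m) { #m, offsetof(struct diskslices_model, m), \
               sizeof(((struct diskslices_model *)0)->m) }
static const struct field fields[] = {
    F(dss_cdevsw), F(dss_first_bsd_slice), F(dss_nslices), F(dss_oflags)
};

/* Decode "REX 8B /r disp8", a 32-bit load from [base + disp8]; 0 on success. */
int decode_mov_load(const uint8_t *b, size_t n, int *base, int8_t *disp)
{
    if (n != 4 || (b[0] & 0xf0) != 0x40 || b[1] != 0x8b)
        return -1;
    if ((b[2] >> 6) != 1 || (b[2] & 7) == 4)   /* need mod=01 and no SIB */
        return -1;
    *base = (b[2] & 7) | ((b[0] & 1) << 3);    /* REX.B extends r/m */
    *disp = (int8_t)b[3];
    return 0;
}

/* Name the member that fully contains a 4-byte load at disp, else NULL. */
const char *field_at(long disp)
{
    for (size_t i = 0; i < sizeof(fields) / sizeof(fields[0]); i++)
        if (disp >= (long)fields[i].off &&
            disp + 4 <= (long)(fields[i].off + fields[i].size))
            return fields[i].name;
    return NULL;
}

int main(void)
{
    const uint8_t insn[] = { 0x44, 0x8b, 0x7b, 0x0c };  /* from the report */
    int base; int8_t disp;
    if (decode_mov_load(insn, sizeof(insn), &base, &disp) != 0) return 1;
    printf("base reg %d (3 = rbx), disp %#x -> %s\n", base, disp, field_at(disp));
    return 0;
}
```

With a NULL base pointer the faulting address equals the displacement, so a trap address of 0xc would be consistent with the report's reading of this instruction.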
