reproducible panic: pfs_add_node() homonymous siblings in sys/fs/pseudofs/pseudofs.c

[dch]

originally submitted upstream in error: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217708

Dump header from device: /dev/gpt/swap
  Architecture: amd64
  Architecture Version: 2
  Dump Length: 1084706816
  Blocksize: 512
  Dumptime: Sat Mar 11 17:47:10 2017
  Hostname: akai.skunkwerks.at
  Magic: FreeBSD Kernel Dump
  Version String: FreeBSD 12.0-CURRENT #4 r314337+3d00b61e5dbd(drm-next): Sat Mar  4 19:50:38 UTC 2017
    root@akai:/usr/obj/usr/src/sys/GENERIC
  Panic String: pfs_add_node(): homonymous siblings
  Dump Parity: 1512531746
  Bounds: 3
  Dump Status: good

This occurs repeatedly:

• under X11 session using i3 window manager
• starting a linux binary successfully
• getting i3 to transfer it to a window that is not active
• system is 3d00b61e5dbd from drm-next branch
• still happening on r315987+c2af518bfd1f(drm-next)

Coredump available on request, I can surely do more debugging when given some directions.

root@akai /u/o/u/s/s/GENERIC#  kgdb kernel.debug /var/crash/vmcore.last 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...

Unread portion of the kernel message buffer:
[327] vt_kms_postswitch() at vt_kms_postswitch+0x52/frame 0xfffffe0464f80430
[327] vt_window_switch() at vt_window_switch+0xdb/frame 0xfffffe0464f80470
[327] vtterm_cngrab() at vtterm_cngrab+0x20/frame 0xfffffe0464f80490
[327] cngrab() at cngrab+0x32/frame 0xfffffe0464f804b0
[327] vpanic() at vpanic+0x10a/frame 0xfffffe0464f80530
[327] kassert_panic() at kassert_panic+0x126/frame 0xfffffe0464f805a0
[327] pfs_add_node() at pfs_add_node+0x114/frame 0xfffffe0464f805d0
[327] pfs_create_link() at pfs_create_link+0xc5/frame 0xfffffe0464f80620
[327] linprocfs_dirfill() at linprocfs_dirfill+0x9c/frame 0xfffffe0464f80680
[327] pfs_iterate() at pfs_iterate+0x251/frame 0xfffffe0464f806f0
[327] Dumping 1034 out of 16254 MB: (CTRL-C to abort) ..2%..11%..21%..31%..41%..52%..61%..72%..81%..92%

...
Loaded symbols for /boot/kernel/debugfs.ko
#0  doadump (textdump=0) at pcpu.h:232
232     __asm("movq %%gs:%1,%0" : "=r" (td)

(kgdb) list
227 static __inline __pure2 struct thread *
228 __curthread(void)
229 {
230     struct thread *td;
231 
232     __asm("movq %%gs:%1,%0" : "=r" (td)
233         : "m" (*(char *)OFFSETOF_CURTHREAD));
234     return (td);
235 }
236 #ifdef __clang__
Current language:  auto; currently minimal

up

#1  0xffffffff83ef3697 in vt_kms_postswitch (arg=<value optimized out>) at /usr/src/sys/modules/drm/drm/../../../dev/drm/linux_fb.c:80

• I had to stop here as my source was already pulled for building a new kernel..

• I'll finish that and re-try this very repeatable crash.

• comment from Dmitry:

this does not exist in HEAD, code from drm-next branch.

[327] pfs_create_link() at pfs_create_link+0xc5/frame 0xfffffe0464f80620
[327] linprocfs_dirfill() at linprocfs_dirfill+0x9c/frame 0xfffffe0464f80680
[327] pfs_iterate() at pfs_iterate+0x251/frame 0xfffffe0464f806f0

I think this is an incorrect attempt to make /proc/$pid/fd, I have several versions of this.

[dch]

still recurs reliably, from f7756add6cea1a7e04ce8abf87a90de041c60632 from 2017/04/16.

I have the following linuxy stuff set:

# /etc/rc.conf
kld_list="atp linux64 fuse"

#/etc/fstab
linproc     /compat/linux/proc          linprocfs   rw                  0   0
tmpfs       /compat/linux/dev/shm   tmpfs   rw,mode=1777    0   0

[dch]

Sometime in the last month this issue has gone away - not reproducible as of 2017-07-07 at least.