Subject: kern/8491: Crash: vrele: bad ref count
To: None <gnats-bugs@gnats.netbsd.org>
From: None <berx@wobei.warum.net>
List: netbsd-bugs
Date: 09/24/1999 16:51:21
>Number:         8491
>Category:       kern
>Synopsis:       Crash: vrele: bad ref count
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 24 16:50:01 1999
>Last-Modified:
>Originator:     Berx@wobei.warum.net
>Organization:
Martin Berger  MUD/irc:Berx     /\      Martin.Berger@wobei.warum.net
Rotenmuehlg. 10/4/7         /\ /,,\ \/             Babenbergerstr. 16
1120 Wien                  /``\^^^^\/\  +43-676-4160550     3390 Melk
>Release:        1.4.1
>Environment:
System: NetBSD wobei.warum.net 1.4.1 NetBSD 1.4.1 (WOBEI) #0: Sat Sep 25 00:59:21 CEST 1999 root@wobei.warum.net:/usr/sys/arch/i386/compile/WOBEI i386


>Description:

  One can reliably crash the machine using arpwatch (see below).
The crash is:  

| vrele: bad ref count: type VDIR, usecount -1, writecount 0, refcount 1,
|         tag VT_UFS, ino 3863, on dev 0, 4
| panic: vrele: ref cnt

  Note that inode 3863 is /var/db, where arpwatch creates a file
called "arpwatch".

| # gdb netbsd.gdb
| (gdb) target kcore netbsd.2.core
| panic: vrele: ref cnt
| #0  0xf01417f1 in vput (vp=0xf3093ed0) at ../../../../kern/vfs_subr.c:908
| 908     }
| (gdb) where
| #0  0xf01417f1 in vput (vp=0xf3093ed0) at ../../../../kern/vfs_subr.c:908
| #1  0xf01cada7 in cpu_reboot (howto=256, bootstr=0x0)
|     at ../../../../arch/i386/i386/machdep.c:1350
| #2  0xf012a300 in log (level=-267118607, fmt=0xf01417dc "vrele: bad ref count")
|     at ../../../../kern/subr_prf.c:212
| #3  0xf0141850 in vrele (vp=0xf2fc3924) at ../../../../kern/vfs_subr.c:933
| #4  0xf011aaab in fdfree (p=0xf307c898) at ../../../../kern/kern_descrip.c:803
| #5  0xf011bcbd in exit1 (p=0xf307c898, rv=256)
|     at ../../../../kern/kern_exit.c:183
| #6  0xf011bbb4 in sys_exit (p=0xf307c898, v=0xf3093f88, retval=0xf3093f80)
|     at ../../../../kern/kern_exit.c:138
| #7  0xf01d1955 in syscall (frame={tf_es = 43, tf_ds = 43, tf_edi = 0, 
|       tf_esi = -1, tf_ebp = -272640260, tf_ebx = 1074368608, tf_edx = 0, 
|       tf_ecx = 0, tf_eax = 1, tf_trapno = 3, tf_err = 2, tf_eip = 1074276983, 
|       tf_cs = 35, tf_eflags = 642, tf_esp = -272640284, tf_ss = 43, 
|       tf_vm86_es = 0, tf_vm86_ds = 0, tf_vm86_fs = 0, tf_vm86_gs = 0})
|     at ../../../../arch/i386/i386/trap.c:782

  Crash dump and netbsd.gdb debugging kernel are still available.

>How-To-Repeat:

After a reboot I logged in as user berx from my terminal.

- started screen
- started ircII in screen
- started a 2nd screen-window
- became root by 'su -'
- started arpwatch
- started arpwatch a 2nd time (!!)
- typed 'ps uax | grep arpwatch' to get the pids
- typed 'kill <pid_of_arpwatch#1> <pid_of_arpwatch#2>'

*crash*

>Fix:
>Audit-Trail:
>Unformatted:
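The panic text in the report ("usecount -1" followed by "panic: vrele: ref cnt") is the kernel's own sanity check firing when a vnode is released one more time than it was referenced. The following is an added, user-space model of that check, written for this page and not taken from the report or from the NetBSD sources; the names `model_vnode`, `model_vref`, `model_vrele`, `model_double_release` and `model_balanced_release` are hypothetical, and the only value carried over from the report is the inode number 3863 used in the diagnostic line.

```c
/*
 * Added illustration (not NetBSD code): a minimal model of a vnode-style
 * reference count with a release-time sanity check of the kind vrele()
 * performs, so the "usecount -1" state from the panic message can be
 * reproduced and recognised outside the kernel. All names are hypothetical.
 */
#include <stdio.h>

struct model_vnode {
    int usecount;    /* active references, like v_usecount */
    int writecount;  /* writers, like v_writecount (diagnostic only here) */
    long ino;        /* inode number, only for the diagnostic line */
};

/* Outcome of one release: the count dropped normally, the last reference
 * went away (vnode becomes inactive), or the count was already exhausted
 * and a DIAGNOSTIC kernel would panic. */
enum rele_result { RELE_OK, RELE_INACTIVE, RELE_BAD_REFCOUNT };

void model_vref(struct model_vnode *vp)
{
    vp->usecount++;
}

enum rele_result model_vrele(struct model_vnode *vp)
{
    vp->usecount--;
    if (vp->usecount > 0)
        return RELE_OK;
    if (vp->usecount == 0)
        return RELE_INACTIVE;   /* last holder gone: vnode may be recycled */

    /* usecount < 0: one release too many; this is the state in the report */
    fprintf(stderr,
            "vrele: bad ref count: usecount %d, writecount %d, ino %ld\n",
            vp->usecount, vp->writecount, vp->ino);
    return RELE_BAD_REFCOUNT;
}

/* Two holders of the same directory vnode but three releases, the shape of
 * bug the panic implies. Returns the final usecount (-1). */
int model_double_release(void)
{
    struct model_vnode dir = { 0, 0, 3863 };   /* constructed sample */
    model_vref(&dir);       /* holder 1 */
    model_vref(&dir);       /* holder 2 */
    model_vrele(&dir);      /* holder 1 releases: usecount 1 */
    model_vrele(&dir);      /* holder 2 releases: usecount 0, inactive */
    model_vrele(&dir);      /* stray release: usecount -1, bad ref count */
    return dir.usecount;
}

/* Balanced case for comparison: one reference, one release. */
enum rele_result model_balanced_release(void)
{
    struct model_vnode dir = { 0, 0, 3863 };   /* constructed sample */
    model_vref(&dir);
    return model_vrele(&dir);
}

int main(void)
{
    printf("balanced release result: %d\n", model_balanced_release());
    printf("final usecount after double release: %d\n", model_double_release());
    return 0;
}
```

The check only catches the problem at the moment of the stray release, which is why the backtrace lands in `fdfree`/`exit1` at process teardown rather than at the call that actually leaked the extra release; the inode named in the diagnostic is the useful lead for locating it.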