unmount bug: PANIC: vm_page_fault: unhandled page fault in kernel

[thorn]

Haiku r24635

how to repeat:

* mount bfs volume from tracker (for example /work) * in terminal - cd /work * in tracker - unmount volume and press 'cancel' * in tracker - unmount volume again * in terminal - ls

vm_soft_fault: va 0xdeadbef3 not covered by area in address space
vm_page_fault: vm_soft_fault returned error 'Bad address' on fault at 0xdeadbef3, ip 0x80047d37, write 0, user 0, thread 0x86
PANIC: vm_page_fault: unhandled page fault in kernel space at 0xdeadbef3, ip 0x80047d37

Welcome to Kernel Debugging Land...
Running on CPU 0
kdebug> bt
stack trace for thread 134 "sh"
    kernel stack: 0x92720000 to 0x92724000
      user stack: 0x7efe7000 to 0x7ffe7000
frame            caller     <image>:function + offset
92723a18 (+  52) 800843f3   <kernel>:invoke_debugger_command + 0x00cf
92723a4c (+  64) 80085194   <kernel>:_ParseCommand__16ExpressionParserRi + 0x01f8
92723a8c (+  48) 80084b86   <kernel>:EvaluateCommand__16ExpressionParserPCcRi + 0x01de
92723abc (+ 228) 800862a8   <kernel>:evaluate_debug_command + 0x0088
92723ba0 (+  64) 80082f36   <kernel>:kernel_debugger_loop__Fv + 0x017a
92723be0 (+  48) 80083be1   <kernel>:kernel_debugger + 0x010d
92723c10 (+ 192) 80083ac9   <kernel>:panic + 0x0029
92723cd0 (+  64) 8005ca63   <kernel>:vm_page_fault + 0x00ab
92723d10 (+  64) 80090a85   <kernel>:page_fault_exception + 0x00b1
92723d50 (+  12) 8009418d   <kernel>:int_bottom + 0x001d (nearest)
iframe at 0x92723d5c (end = 0x92723db4)
 eax 0xdeadbeef     ebx 0x90a24c00      ecx 0x800c7e7b   edx 0x2e
 esi 0x90a24c01     edi 0x90b44880      ebp 0x92723df4   esp 0x92723d90
 eip 0x80047d37  eflags 0x10206    
 vector: 0xe, error code: 0x0
92723d5c (+ 152) 80047d37   <kernel>:vnode_path_to_vnode__FP5vnodePcbiPP5vnodePxPi + 0x0103
92723df4 (+  64) 800480ee   <kernel>:path_to_vnode__FPcbPP5vnodePxT1 + 0x00de
92723e34 (+  64) 800488c9   <kernel>:fd_and_path_to_vnode__FiPcbPP5vnodePxT2 + 0x0061
92723e74 (+  64) 8004ccd5   <kernel>:common_path_read_stat__FiPcbP4statT2 + 0x0031
92723eb4 (+ 144) 8005198b   <kernel>:_user_read_stat + 0x00eb
92723f44 (+ 100) 80094302   <kernel>:pre_syscall_debug_done + 0x0002 (nearest)
iframe at 0x92723fa8 (end = 0x92724000)
 eax 0x72           ebx 0x33459c        ecx 0x7ffe6c10   edx 0xffff0104
 esi 0x0            edi 0x1800ce13      ebp 0x7ffe6c4c   esp 0x92723fdc
 eip 0xffff0104  eflags 0x207      
 vector: 0x63, error code: 0x0
92723fa8 (+   0) ffff0104
7ffe6c4c (+  48) 00310499   <libroot.so>:stat + 0x0025
7ffe6c7c (+ 128) 00244f57   <_APP_>:user_command_matches + 0x04cb (nearest)
7ffe6cfc (+  48) 00244882   <_APP_>:find_path_file + 0x009a (nearest)
7ffe6d2c (+  48) 002448af   <_APP_>:find_path_file + 0x00c7 (nearest)
7ffe6d5c (+  48) 002447e1   <_APP_>:find_user_command + 0x0021
7ffe6d8c (+  48) 00244a50   <_APP_>:search_for_command + 0x0138
7ffe6dbc (+  48) 00227bcc   <_APP_>:setup_async_signals + 0x00dc (nearest)
7ffe6dec (+ 112) 002271c1   <_APP_>:execute_command_internal + 0x344d (nearest)
7ffe6e5c (+  96) 00224232   <_APP_>:execute_command_internal + 0x04be
7ffe6ebc (+  80) 00223bbd   <_APP_>:execute_command + 0x0065
7ffe6f0c (+  48) 0021f879   <_APP_>:reader_loop + 0x01d1
7ffe6f3c (+  64) 0021dab6   <_APP_>:main + 0x07b2
7ffe6f7c (+  48) 00216773   <_APP_>:_start + 0x005b
7ffe6fac (+  48) 0010078e   1358:runtime_loader_seg0ro@0x00100000 + 0x78e
7ffe6fdc (+   0) 7ffe6fec   1357:sh_main_stack@0x7efe7000 + 0xffffec
kdebug> 

[axeld]

Perfectly reproducible here.

[kvark]

Experimentally proved: each time the fs_unmount is called for a busy volume, the volume's refcount is decreased by one. Seems like some excess release call there.

[kvark]

vfs.cpp fix

[kvark]

/src/system/kernel/fs/vfs.cpp

Line 6607 is not needed. At that point the root node seems like already released in the line 6542.

[anevilyak]

Fixed in r26586.