NetBSD Problem Report #43240

From njoly@lanfeust.sis.pasteur.fr  Mon May  3 13:47:02 2010
Return-Path: <njoly@lanfeust.sis.pasteur.fr>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id A227663BA59
	for <gnats-bugs@gnats.NetBSD.org>; Mon,  3 May 2010 13:47:02 +0000 (UTC)
Message-Id: <20100503134659.51B7ADC9B9@lanfeust.sis.pasteur.fr>
Date: Mon,  3 May 2010 15:46:59 +0200 (CEST)
From: njoly@pasteur.fr
Reply-To: njoly@pasteur.fr
To: gnats-bugs@gnats.NetBSD.org
Subject: KASSERT umap->refcount != 0 failed (sys/uvm/uvm_bio.c:248)
X-Send-Pr-Version: 3.95

>Number:         43240
>Category:       kern
>Synopsis:       KASSERT umap->refcount != 0 failed (sys/uvm/uvm_bio.c:248)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    chs
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon May 03 13:50:00 +0000 2010
>Closed-Date:    Mon Jul 09 04:42:29 +0000 2012
>Last-Modified:  Thu Jul 12 17:15:02 +0000 2012
>Originator:     Nicolas Joly
>Release:        NetBSD 5.99.29
>Organization:
Institut Pasteur
>Environment:
System: NetBSD kiri-001.cluster.pasteur.fr 5.99.29 NetBSD 5.99.29 (KIRI001) #0: Mon May  3 12:10:56 CEST 2010  njoly@lanfeust.sis.pasteur.fr:/local/src/NetBSD/obj.amd64/sys/arch/amd64/compile/KIRI001 amd64
Architecture: x86_64
Machine: amd64
>Description:
While stress testing the network interfaces on a new -current
NetBSD/amd64 server which has 64GB of ram, the following KASSERT
fired:

panic: kernel diagnostic assertion "umap->refcount != 0" failed: file "/local/src/NetBSD/src/sys/uvm/uvm_bio.c", line 248
fatal breakpoint trap in supervisor mode
trap type 1 code 0 rip ffffffff80229d35 cs 8 rflags 246 cr2  ffff8000d1c27000 cpl 0 rsp ffff8000d2ccb430
Stopped in pid 20774.1 (dd) at  netbsd:breakpoint+0x5:  leave
db{3}> bt
breakpoint() at netbsd:breakpoint+0x5
panic() at netbsd:panic+0x2ba
kern_assert() at netbsd:kern_assert+0x2d
ubc_fault() at netbsd:ubc_fault+0x4c9
uvm_fault_internal() at netbsd:uvm_fault_internal+0x469
trap() at netbsd:trap+0x702
--- trap (number 0) ---
0:

This is highly reproducible when running the following command from a
remote host (running Linux, but that should not matter ...) on the
same subnet.

  cat /dev/zero | rsh kiri-001.cluster.pasteur.fr dd of=/dev/null bs=2g

It does not panic for block size values below 2GB, or when running the
same commands locally `cat /dev/zero | dd of=/dev/null bs=2g' ...

Same result with both UP and SMP kernels.

>How-To-Repeat:
Run the previous command to a NetBSD amd64 host with a DIAGNOSTIC kernel.
>Fix:

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->chs
Responsible-Changed-By: chs@NetBSD.org
Responsible-Changed-When: Sun, 18 Mar 2012 02:08:02 +0000
Responsible-Changed-Why:
I'm looking at this.


State-Changed-From-To: open->feedback
State-Changed-By: chs@NetBSD.org
State-Changed-When: Sun, 18 Mar 2012 02:08:02 +0000
State-Changed-Why:
I tried this to a netbsd/amd64 box running 6.0_BETA but it didn't crash:

$ cat /dev/zero | rsh nbsd-amd64 dd of=/dev/null bs=2g
dd: stdin: Bad address
0+0 records in
0+0 records out
0 bytes transferred in 0.021 secs (0 bytes/sec)
$

does it still crash for you?


From: Nicolas Joly <njoly@pasteur.fr>
To: gnats-bugs@NetBSD.org
Cc: chs@NetBSD.org, kern-bug-people@netbsd.org, netbsd-bugs@netbsd.org,
	gnats-admin@netbsd.org, njoly@pasteur.fr
Subject: Re: kern/43240 (KASSERT umap->refcount != 0 failed (sys/uvm/uvm_bio.c:248))
Date: Mon, 19 Mar 2012 17:02:04 +0100

 On Sun, Mar 18, 2012 at 02:08:04AM +0000, chs@NetBSD.org wrote:
 > Synopsis: KASSERT umap->refcount != 0 failed (sys/uvm/uvm_bio.c:248)
 > 
 > Responsible-Changed-From-To: kern-bug-people->chs
 > Responsible-Changed-By: chs@NetBSD.org
 > Responsible-Changed-When: Sun, 18 Mar 2012 02:08:02 +0000
 > Responsible-Changed-Why:
 > I'm looking at this.
 > 
 > 
 > State-Changed-From-To: open->feedback
 > State-Changed-By: chs@NetBSD.org
 > State-Changed-When: Sun, 18 Mar 2012 02:08:02 +0000
 > State-Changed-Why:
 > I tried this to a netbsd/amd64 box running 6.0_BETA but it didn't crash:
 > 
 > $ cat /dev/zero | rsh nbsd-amd64 dd of=/dev/null bs=2g
 > dd: stdin: Bad address
 > 0+0 records in
 > 0+0 records out
 > 0 bytes transferred in 0.021 secs (0 bytes/sec)
 > $
 > 
 > does it still crash for you?

 I can't test on the original machine anymore (it has gone under
 production running Linux with only 48GB ram). So I tried to reproduce
 it on a smaller amd64 machine with only 8GB ram ...

 I can't make it crash, as I can't make any network traffic ;)

 njoly@lanfeust [~]> cat /dev/zero | rsh localhost dd of=/dev/null bs=2g
 dd: stdin: Bad address
 0+0 records in
 0+0 records out
 0 bytes transferred in 114.770 secs (0 bytes/sec)

 It doesn't return as fast as your test, the dd process cannot be
 killed during that time (even with kill -9), it eats memory and may
 make the system unresponsive.

 I then checked a few other bs values for the same command line. No
 problem with 1024m, 1536m, 2047m ... all other upper values fail. So
 there's still something weird with bs >= 2g when piping to rsh. Just
 for the record, every value I tested again worked just fine without
 rsh after pipe (= locally).

 But no crash.

 -- 
 Nicolas Joly

 Projects and Developments in Bioinformatics
 Institut Pasteur, Paris.

From: "Chuck Silvers" <chs@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/43240 CVS commit: src/sys/kern
Date: Mon, 9 Jul 2012 04:35:14 +0000

 Module Name:	src
 Committed By:	chs
 Date:		Mon Jul  9 04:35:14 UTC 2012

 Modified Files:
 	src/sys/kern: uipc_socket.c

 Log Message:
 in soreceive(), handle uios larger than 31 bits.
 fixes the remaining problem in PR 43240.


 To generate a diff of this commit:
 cvs rdiff -u -r1.210 -r1.211 src/sys/kern/uipc_socket.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
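
Added example, not part of the PR and not the NetBSD source (the diff for revision 1.211 is not shown here): a C model of the class of problem the log message names, a byte count above 31 bits being handled in a signed 32-bit variable, using the bs values tested in this thread. The names narrow31, chunk_narrow, chunk_wide and the avail parameter are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MiB (1024ULL * 1024ULL)

/* Model of storing a 64-bit residual count in a signed 32-bit variable:
 * keep the low 32 bits and reinterpret them as two's complement. */
static int32_t narrow31(uint64_t resid)
{
    uint32_t low = (uint32_t)resid;
    return (int32_t)((int64_t)low - (low > INT32_MAX ? 4294967296LL : 0LL));
}

/* Hypothetical narrow form: the per-pass copy length is computed in
 * 32-bit signed arithmetic, so it goes negative once resid >= 2^31. */
static int32_t chunk_narrow(uint64_t resid, int32_t avail)
{
    int32_t len = narrow31(resid);
    return len < avail ? len : avail;
}

/* Hypothetical wide form: compare at full width and narrow only the
 * clamped result, which is known to fit (avail is assumed positive). */
static int32_t chunk_wide(uint64_t resid, int32_t avail)
{
    return resid < (uint64_t)avail ? (int32_t)resid : avail;
}

int main(void)
{
    /* bs values from the thread: 1024m, 1536m, 2047m, 2g */
    const uint64_t bs[] = { 1024 * MiB, 1536 * MiB, 2047 * MiB, 2048 * MiB };
    const int32_t avail = 2048;   /* constructed: bytes queued on the socket */

    for (size_t i = 0; i < sizeof bs / sizeof bs[0]; i++)
        printf("resid=%llu narrow=%d wide=%d\n",
            (unsigned long long)bs[i],
            (int)chunk_narrow(bs[i], avail),
            (int)chunk_wide(bs[i], avail));
    return 0;
}
```

In this model the first three sizes yield the same length in both forms; only the 2g request turns negative in the narrow form, matching the boundary between 2047m and 2g reported above.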

State-Changed-From-To: feedback->closed
State-Changed-By: chs@NetBSD.org
State-Changed-When: Mon, 09 Jul 2012 04:42:29 +0000
State-Changed-Why:
fixed


From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/43240 CVS commit: [netbsd-6] src/sys/kern
Date: Thu, 12 Jul 2012 17:11:17 +0000

 Module Name:	src
 Committed By:	riz
 Date:		Thu Jul 12 17:11:17 UTC 2012

 Modified Files:
 	src/sys/kern [netbsd-6]: uipc_socket.c

 Log Message:
 Pull up following revision(s) (requested by chs in ticket #408):
 	sys/kern/uipc_socket.c: revision 1.211
 in soreceive(), handle uios larger than 31 bits.
 fixes the remaining problem in PR 43240.


 To generate a diff of this commit:
 cvs rdiff -u -r1.209 -r1.209.2.1 src/sys/kern/uipc_socket.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

>Unformatted:
