NetBSD Problem Report #43240
From njoly@lanfeust.sis.pasteur.fr Mon May 3 13:47:02 2010
Return-Path: <njoly@lanfeust.sis.pasteur.fr>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id A227663BA59
for <gnats-bugs@gnats.NetBSD.org>; Mon, 3 May 2010 13:47:02 +0000 (UTC)
Message-Id: <20100503134659.51B7ADC9B9@lanfeust.sis.pasteur.fr>
Date: Mon, 3 May 2010 15:46:59 +0200 (CEST)
From: njoly@pasteur.fr
Reply-To: njoly@pasteur.fr
To: gnats-bugs@gnats.NetBSD.org
Subject: KASSERT umap->refcount != 0 failed (sys/uvm/uvm_bio.c:248)
X-Send-Pr-Version: 3.95
>Number: 43240
>Category: kern
>Synopsis: KASSERT umap->refcount != 0 failed (sys/uvm/uvm_bio.c:248)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: chs
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon May 03 13:50:00 +0000 2010
>Closed-Date: Mon Jul 09 04:42:29 +0000 2012
>Last-Modified: Thu Jul 12 17:15:02 +0000 2012
>Originator: Nicolas Joly
>Release: NetBSD 5.99.29
>Organization:
Institut Pasteur
>Environment:
System: NetBSD kiri-001.cluster.pasteur.fr 5.99.29 NetBSD 5.99.29 (KIRI001) #0: Mon May 3 12:10:56 CEST 2010 njoly@lanfeust.sis.pasteur.fr:/local/src/NetBSD/obj.amd64/sys/arch/amd64/compile/KIRI001 amd64
Architecture: x86_64
Machine: amd64
>Description:
While stress testing the network interfaces on a new -current
NetBSD/amd64 server which has 64GB of ram, the following KASSERT
fired:
panic: kernel diagnostic assertion "umap->refcount != 0" failed: file "/local/src/NetBSD/src/sys/uvm/uvm_bio.c", line 248
fatal breakpoint trap in supervisor mode
trap type 1 code 0 rip ffffffff80229d35 cs 8 rflags 246 cr2 ffff8000d1c27000 cpl 0 rsp ffff8000d2ccb430
Stopped in pid 20774.1 (dd) at netbsd:breakpoint+0x5: leave
db{3}> bt
breakpoint() at netbsd:breakpoint+0x5
panic() at netbsd:panic+0x2ba
kern_assert() at netbsd:kern_assert+0x2d
ubc_fault() at netbsd:ubc_fault+0x4c9
uvm_fault_internal() at netbsd:uvm_fault_internal+0x469
trap() at netbsd:trap+0x702
--- trap (number 0) ---
0:
This is highly reproductible when running the following command from a
remote host (running Linux, but that should not matters ....) on the
same subnet.
cat /dev/zero | rsh kiri-001.cluster.pasteur.fr dd of=/dev/null bs=2g
It does not panic for block size values below 2GB, or when running the
same commands locally `cat /dev/zero | dd of=/dev/null bs=2g' ...
Same result with both UP and SMP kernels.
>How-To-Repeat:
Run the previous command to a NetBSD amd64 host with a DIAGNOSTIC kernel.
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->chs
Responsible-Changed-By: chs@NetBSD.org
Responsible-Changed-When: Sun, 18 Mar 2012 02:08:02 +0000
Responsible-Changed-Why:
I'm looking at this.
State-Changed-From-To: open->feedback
State-Changed-By: chs@NetBSD.org
State-Changed-When: Sun, 18 Mar 2012 02:08:02 +0000
State-Changed-Why:
I tried this to a netbsd/amd64 box running 6.0_BETA but it didn't crash:
$ cat /dev/zero | rsh nbsd-amd64 dd of=/dev/null bs=2g
dd: stdin: Bad address
0+0 records in
0+0 records out
0 bytes transferred in 0.021 secs (0 bytes/sec)
$
does it still crash for you?
From: Nicolas Joly <njoly@pasteur.fr>
To: gnats-bugs@NetBSD.org
Cc: chs@NetBSD.org, kern-bug-people@netbsd.org, netbsd-bugs@netbsd.org,
gnats-admin@netbsd.org, njoly@pasteur.fr
Subject: Re: kern/43240 (KASSERT umap->refcount != 0 failed (sys/uvm/uvm_bio.c:248))
Date: Mon, 19 Mar 2012 17:02:04 +0100
On Sun, Mar 18, 2012 at 02:08:04AM +0000, chs@NetBSD.org wrote:
> Synopsis: KASSERT umap->refcount != 0 failed (sys/uvm/uvm_bio.c:248)
>
> Responsible-Changed-From-To: kern-bug-people->chs
> Responsible-Changed-By: chs@NetBSD.org
> Responsible-Changed-When: Sun, 18 Mar 2012 02:08:02 +0000
> Responsible-Changed-Why:
> I'm looking at this.
>
>
> State-Changed-From-To: open->feedback
> State-Changed-By: chs@NetBSD.org
> State-Changed-When: Sun, 18 Mar 2012 02:08:02 +0000
> State-Changed-Why:
> I tried this to a netbsd/amd64 box running 6.0_BETA but it didn't crash:
>
> $ cat /dev/zero | rsh nbsd-amd64 dd of=/dev/null bs=2g
> dd: stdin: Bad address
> 0+0 records in
> 0+0 records out
> 0 bytes transferred in 0.021 secs (0 bytes/sec)
> $
>
> does it still crash for you?
I cant test on the original machine anymore (it has gone under
production running Linux with only 48GB ram). So itried to reproduce
it on a smaller and64 machine with only 8GB ram ...
I can't make it crash, as i can't make any network trafic ;)
njoly@lanfeust [~]> cat /dev/zero | rsh localhost dd of=/dev/null bs=2g
dd: stdin: Bad address
0+0 records in
0+0 records out
0 bytes transferred in 114.770 secs (0 bytes/sec)
It doesn't return as fast as your test, the dd process cannot be
killed during that time (even with kill -9), it eats memory and may
make the system unresponsive.
I then checked a few other bs values for the same command line. No
problem with 1024m, 1536m, 2047m ... all other upper values fails. So
there's still something weird with bs >= 2g when piping to rsh. Just
for the record, every value i tested again worked just fine without
rsh after pipe (= locally).
But no crash.
--
Nicolas Joly
Projects and Developments in Bioinformatics
Institut Pasteur, Paris.
From: "Chuck Silvers" <chs@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/43240 CVS commit: src/sys/kern
Date: Mon, 9 Jul 2012 04:35:14 +0000
Module Name: src
Committed By: chs
Date: Mon Jul 9 04:35:14 UTC 2012
Modified Files:
src/sys/kern: uipc_socket.c
Log Message:
in soreceive(), handle uios larger than 31 bits.
fixes the remaining problem in PR 43240.
To generate a diff of this commit:
cvs rdiff -u -r1.210 -r1.211 src/sys/kern/uipc_socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: feedback->closed
State-Changed-By: chs@NetBSD.org
State-Changed-When: Mon, 09 Jul 2012 04:42:29 +0000
State-Changed-Why:
fixed
From: "Jeff Rizzo" <riz@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/43240 CVS commit: [netbsd-6] src/sys/kern
Date: Thu, 12 Jul 2012 17:11:17 +0000
Module Name: src
Committed By: riz
Date: Thu Jul 12 17:11:17 UTC 2012
Modified Files:
src/sys/kern [netbsd-6]: uipc_socket.c
Log Message:
Pull up following revision(s) (requested by chs in ticket #408):
sys/kern/uipc_socket.c: revision 1.211
in soreceive(), handle uios larger than 31 bits.
fixes the remaining problem in PR 43240.
To generate a diff of this commit:
cvs rdiff -u -r1.209 -r1.209.2.1 src/sys/kern/uipc_socket.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.