NetBSD Problem Report #41128
From njoly@lanfeust.sis.pasteur.fr Fri Apr 3 13:47:13 2009
Return-Path: <njoly@lanfeust.sis.pasteur.fr>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id C232E63B8C8
for <gnats-bugs@gnats.NetBSD.org>; Fri, 3 Apr 2009 13:47:13 +0000 (UTC)
Message-Id: <20090403134710.B5AA0DC9B9@lanfeust.sis.pasteur.fr>
Date: Fri, 3 Apr 2009 15:47:10 +0200 (CEST)
From: njoly@pasteur.fr
Reply-To: njoly@pasteur.fr
To: gnats-bugs@gnats.NetBSD.org
Subject: tmpfs kernel diagnostic assertion "de->td_node == fnode" failed
X-Send-Pr-Version: 3.95
>Number: 41128
>Category: kern
>Synopsis: tmpfs kernel diagnostic assertion "de->td_node == fnode" failed
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pooka
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Apr 03 13:50:00 +0000 2009
>Closed-Date: Mon Sep 07 19:44:54 +0000 2009
>Last-Modified: Mon Sep 07 19:44:54 +0000 2009
>Originator: Nicolas Joly
>Release: NetBSD 5.99.9
>Organization:
Institut Pasteur
>Environment:
System: NetBSD lanfeust.sis.pasteur.fr 5.99.9 NetBSD 5.99.9 (LANFEUST) #22: Fri Apr 3 11:57:30 CEST 2009 njoly@lanfeust.sis.pasteur.fr:/local/src/NetBSD/obj.amd64/sys/arch/amd64/compile/LANFEUST amd64
Architecture: x86_64
Machine: amd64
>Description:
Concurrent file access from 2 programs/threads on the same file on tmpfs
can triggers a kernel diagnostic assertion.
panic: kernel diagnostic assertion "de->td_node == fnode" failed: file "/local/s
rc/NetBSD/src/sys/fs/tmpfs/tmpfs_vnops.c", line 832
fatal breakpoint trap in supervisor mode
trap type 1 code 0 rip ffffffff80238765 cs 8 rflags 246 cr2 7f7ffddfaf00 cpl 0
rsp ffff800049f04880
The first thread create/remove a file, and the second one try to rename it.
The following testcase (thanks to Antti Kantee for the rump version) triggers
it in less than 10 seconds.
njoly@lanfeust [~]> cat crashtmpfs.c
#include <sys/types.h>
#include <sys/mount.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <rump/rump.h>
#include <rump/rump_syscalls.h>
#include <rump/ukfs.h>
#include <fs/tmpfs/tmpfs_args.h>
void *
w1(void *arg)
{
int fd;
for (;;) {
fd = rump_sys_open("/rename.test1", O_WRONLY|O_CREAT|O_TRUNC, 0666);
rump_sys_unlink("/rename.test1");
rump_sys_close(fd);
}
return NULL;
}
int main() {
struct tmpfs_args args;
struct ukfs *fs;
pthread_t pt;
int fail = 0, succ = 0;
memset(&args, 0, sizeof(args));
args.ta_version = TMPFS_ARGS_VERSION;
args.ta_root_mode = 0777;
ukfs_init();
fs = ukfs_mount(MOUNT_TMPFS, "tmpfs", UKFS_DEFAULTMP, 0, &args, sizeof(args));
if (fs == NULL)
err(1, "ukfs_mount");
pthread_create(&pt, NULL, w1, fs);
while (1) {
int rv;
rv = rump_sys_rename("/rename.test1", "/rename.test2");
if (rv == 0) {
if (succ++ % 10000 == 0)
printf("success\n");
} else {
if (fail++ % 10000 == 0)
printf("fail\n");
}
}
return 0; }
njoly@lanfeust [~]> cc -g -O0 -o crashtmpfs crashtmpfs.c -lukfs -lrumpfs_tmpfs -lrumpvfs -lrump -lrumpuser
njoly@lanfeust [~]> ./crashtmpfs
fail
success
fail
fail
panic: kernel diagnostic assertion "de->td_node == fnode" failed: file "/local/src/NetBSD/src/sys/rump/fs/lib/libtmpfs/../../../../fs/tmpfs/tmpfs_vnops.c", line 832
zsh: abort (core dumped) ./crashtmpfs
njoly@lanfeust [~]> gdb ./crashtmpfs ./crashtmpfs.core
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
[...]
Core was generated by `crashtmpfs'.
Program terminated with signal 6, Aborted.
#0 0x00007f7ffd1e40da in _lwp_kill () from /usr/lib/libc.so.12
(gdb) bt
#0 0x00007f7ffd1e40da in _lwp_kill () from /usr/lib/libc.so.12
#1 0x00007f7ffd1e39d2 in abort ()
at /local/src/NetBSD/src/lib/libc/stdlib/abort.c:74
#2 0x00007f7ffd404229 in rumpuser_panic ()
at /local/src/NetBSD/src/lib/librumpuser/../../sys/rump/librump/rumpuser/rumpuser.c:448
#3 0x00007f7ffd639463 in panic (
fmt=0x7f7ffd657860 "kernel %sassertion \"%s\" failed: file \"%s\", line %d") at /local/src/NetBSD/src/lib/librump/../../sys/rump/../kern/subr_prf.c:294
#4 0x00007f7ffd62ce33 in __kernassert (t=0x6 <Address 0x6 out of bounds>,
f=0x7f7ffd1e40da "r\001ÃH\213\r\024S\022", l=1, e=0x0)
at /local/src/NetBSD/src/lib/librump/../../sys/rump/../lib/libkern/__assert.c:50
#5 0x00007f7ffda08aa9 in tmpfs_rename (v=<value optimized out>)
at /local/src/NetBSD/src/sys/rump/fs/lib/libtmpfs/../../../../fs/tmpfs/tmpfs_vnops.c:832
#6 0x00007f7ffd635fb1 in VOP_RENAME (fdvp=0x7f7ffc5aa1a0, fvp=0x6,
fcnp=<value optimized out>, tdvp=0x7f7ffd1e40da, tvp=0x1, tcnp=0x0)
at /local/src/NetBSD/src/lib/librump/../../sys/rump/../kern/vnode_if.c:998
#7 0x00007f7ffd822288 in do_sys_rename (from=<value optimized out>,
to=0x400e42 "/rename.test2", seg=UIO_USERSPACE, retain=0)
at /local/src/NetBSD/src/lib/librumpvfs/../../sys/rump/../kern/vfs_syscalls.c:3423
#8 0x00007f7ffd65048b in rump_sys_rename (from=<value optimized out>,
to=<value optimized out>)
at /local/src/NetBSD/src/lib/librump/../../sys/rump/librump/rumpkern/rump_syscalls.c:878
#9 0x0000000000400cee in main () at crashtmpfs.c:50
>How-To-Repeat:
Run the above testcase.
>Fix:
Please.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->pooka
Responsible-Changed-By: pooka@NetBSD.org
Responsible-Changed-When: Fri, 03 Apr 2009 16:57:28 +0300
Responsible-Changed-Why:
looking at it
State-Changed-From-To: open->analyzed
State-Changed-By: pooka@NetBSD.org
State-Changed-When: Fri, 03 Apr 2009 16:57:28 +0300
State-Changed-Why:
i got it pretty much fixed, just need to do some further testing
From: Antti Kantee <pooka@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/41128 CVS commit: src/sys/fs/tmpfs
Date: Fri, 3 Apr 2009 14:47:41 +0000
Module Name: src
Committed By: pooka
Date: Fri Apr 3 14:47:41 UTC 2009
Modified Files:
src/sys/fs/tmpfs: tmpfs_vnops.c
Log Message:
Fix yet another recent crashy bug in tmpfs rename: since the source
dirent is no longer cached in lookup and we do the lookup ourselves
in rename, we are most definitely not allowed to assert that it
matches the source vnode passed as an argument. In case the source
node does not exist or has been replaced, punt with ENOENT.
Also, nuke some misleading prehistoric comments which haven't been
valid in over a year.
Fixes PR kern/41128 by Nicolas Joly
To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 src/sys/fs/tmpfs/tmpfs_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/41128 CVS commit: [netbsd-5] src/sys/fs/tmpfs
Date: Wed, 8 Apr 2009 23:08:07 +0000
Module Name: src
Committed By: snj
Date: Wed Apr 8 23:08:07 UTC 2009
Modified Files:
src/sys/fs/tmpfs [netbsd-5]: tmpfs_vnops.c
Log Message:
Pull up following revision(s) (requested by tron in ticket #680):
sys/fs/tmpfs/tmpfs_vnops.c: revision 1.55
Fix yet another recent crashy bug in tmpfs rename: since the source
dirent is no longer cached in lookup and we do the lookup ourselves
in rename, we are most definitely not allowed to assert that it
matches the source vnode passed as an argument. In case the source
node does not exist or has been replaced, punt with ENOENT.
Also, nuke some misleading prehistoric comments which haven't been
valid in over a year.
Fixes PR kern/41128 by Nicolas Joly
To generate a diff of this commit:
cvs rdiff -u -r1.51.6.2 -r1.51.6.3 src/sys/fs/tmpfs/tmpfs_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: analyzed->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 07 Sep 2009 19:44:54 +0000
State-Changed-Why:
fixed by pooka back in april.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home