NetBSD Problem Report #50467
From www@NetBSD.org Tue Nov 24 21:04:15 2015
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id B0E48A64EF
for <gnats-bugs@gnats.NetBSD.org>; Tue, 24 Nov 2015 21:04:15 +0000 (UTC)
Message-Id: <20151124210413.96BA9A6562@mollari.NetBSD.org>
Date: Tue, 24 Nov 2015 21:04:13 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: Panic from disconnecting phone while reading its contents
X-Send-Pr-Version: www-1.0
>Number: 50467
>Category: kern
>Synopsis: Panic from disconnecting phone while reading its contents
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: hannken
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Nov 24 21:05:00 +0000 2015
>Closed-Date: Fri May 13 09:41:32 +0000 2016
>Last-Modified: Fri May 13 09:41:32 +0000 2016
>Originator: coypu
>Release: NetBSD-current
>Organization:
>Environment:
NetBSD 7.99.21 NetBSD 7.99.21 (GENERIC.201511162220Z) #0: Mon Nov 16 23:08:55 UTC 2015 martin@b45.netbsd.org:/home/builds/ab/HEAD/amd64/201511162220Z-obj/home/source/ab/HEAD/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
Connected smartphone via USB, mounted as msdos, copied files from it, disconnected cable (physically) in the middle, kernel panics.
smartphone is a Samsung S2 (I9100) running CyanogenMod 11 (Android ver 4.4.4)
Savecore available here:
http://coypu.sdf.org/netbsd.3.core.gz
http://coypu.sdf.org/netbsd.3.gz
>How-To-Repeat:
Connect smartphone by USB, mount -t msdos, cp files from it to local directory, disconnect cable mid copying.
>Fix:
>Release-Note:
>Audit-Trail:
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/50467: Panic from disconnecting phone while reading its
contents
Date: Mon, 15 Feb 2016 11:29:52 +0000
Not sent to gnats.
------
From: Christos Zoulas <christos@astron.com>
To: netbsd-bugs@netbsd.org
Subject: Re: kern/50467: Panic from disconnecting phone while reading its
contents
Date: Fri, 27 Nov 2015 18:24:11 +0000 (UTC)
This dies in spec_strategy:
KASSERT(vp == vp->v_specnode->sn_dev->sd_bdevvp);
presumably because the vnode does not match after the device unmounted.
Instead of KASSERT() you can check for the condition and return EIO...
Does the kernel go further if you do that?
christos
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/50467: Panic from disconnecting phone while reading its
contents
Date: Sun, 20 Mar 2016 05:06:51 +0000
On Mon, Feb 15, 2016 at 11:30:01AM +0000, David Holland wrote:
> This dies in spec_strategy:
>
> KASSERT(vp == vp->v_specnode->sn_dev->sd_bdevvp);
>
> presumably because the vnode does not match after the device unmounted.
> Instead of KASSERT() you can check for the condition and return EIO...
> Does the kernel go further if you do that?
I'm not sure that's sufficient. Admittedly I don't entirely understand
how specfs is supposed to work; but spec_vnops.c is full of this
assertion and it says it's enforced to prevent the buffer cache from
accumulating multiple inconsistent buffers attached to different
vnodes all linked to the same underlying device.
If sd_bdevvp has become null it's probably ok to fail with EIO, but if
it's some other vnode I think you're in the soup... and once it
becomes null there's AFAIK nothing stopping getting a different vnode
in there if you reinsert and reopen the device.
So I think this condition needs to be blocked earlier. You can't (and
shouldn't) prevent the device from detaching, but you can mark the
vnode dead and/or revoke it and then further attempts to use it won't
get as far as spec_strategy.
But I'm not sure what happens at this level when a device is
detached... it looks like it must be calling spec_close, as there are
only three places sd_bdevvp is set to null in the entire kernel and
two of them are irrelevant. But I don't see how; this requires getting
the open vnode from somewhere (spec_close also enforces the cited
invariant) and there isn't any reasonable way to do that from the
device level. Or so I'd think. Also, theoretically after closing the
open vnode on the block device it shouldn't be possible to use it for
further I/O. Obviously there's something going on here that I'm
missing.
--
David A. Holland
dholland@netbsd.org
From: "J. Hannken-Illjes" <hannken@eis.cs.tu-bs.de>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: kern/50467: Panic from disconnecting phone while reading its contents
Date: Sun, 20 Mar 2016 14:32:08 +0100
The two interesting threads are:
0.58 (usb1) is detaching the umass device, its trace is
scsipi_execute_xs() at scsipi_execute_xs+0x1d2
sd_flush() at sd_flush+0x88
sdlastclose() at sdlastclose+0x75
sdclose() at sdclose+0x75
bdev_close() at bdev_close+0x86
spec_close() at spec_close+0x274
VOP_CLOSE() at VOP_CLOSE+0x33
spec_node_revoke() at spec_node_revoke+0x9a
vclean() at vclean+0x2e8
vgone() at vgone+0x56
vrevoke() at vrevoke+0x8f
genfs_revoke() at genfs_revoke+0x13
VOP_REVOKE() at VOP_REVOKE+0x32
vdevgone() at vdevgone+0x4f
sddetach() at sddetach+0xb4
config_detach() at config_detach+0xf8
scsipi_target_detach() at scsipi_target_detach+0xbc
scsibusdetach() at scsibusdetach+0x36
config_detach() at config_detach+0xf8
umass_detach() at umass_detach+0xa0
config_detach() at config_detach+0xf8
usb_disconnect_port() at usb_disconnect_port+0xae
uhub_explore() at uhub_explore+0x180
uhub_explore() at uhub_explore+0x9b
usb_discover.isra.2() at usb_discover.isra.2+0x4e
usb_event_thread() at usb_event_thread+0x74
483.1 (cp) writing to the file system on umass device
kern_assert() at kern_assert+0x4f
spec_strategy() at spec_strategy+0x91
VOP_STRATEGY() at VOP_STRATEGY+0x33
bio_doread() at bio_doread+0x90
bread() at bread+0x1a
pcbmap() at pcbmap+0x181
msdosfs_bmap() at msdosfs_bmap+0xe7
VOP_BMAP() at VOP_BMAP+0x61
genfs_getpages() at genfs_getpages+0x104c
VOP_GETPAGES() at VOP_GETPAGES+0x71
ra_startio() at ra_startio+0x72
uvm_ra_request() at uvm_ra_request+0x1a3
uvn_get() at uvn_get+0xeb
uvm_fault_internal() at uvm_fault_internal+0x11de
trap() at trap+0x32a
--- trap (number 6) ---
copyin() at copyin+0x34
uiomove() at uiomove+0xe4
ubc_uiomove() at ubc_uiomove+0xf7
ffs_write() at ffs_write+0x2d6
VOP_WRITE() at VOP_WRITE+0x37
vn_write() at vn_write+0xec
dofilewrite() at dofilewrite+0x97
sys_write() at sys_write+0x5f
syscall() at syscall+0x9c
--- syscall (number 4) =E2=80=94
At this point sd_bdevvp is NULL while the vnode is becoming dead.
Its op vector is still valid, not deadfs so it is ok for spec_strategy
to be called here.
We could change the assertion to
KASSERT(vp->v_specnode->sn_dev->sd_bdevvp =3D=3D NULL ||
vp =3D=3D vp->v_specnode->sn_dev->sd_bdevvp)
or check for dead (or becoming dead) vnodes first
mutex_enter(vp->v_interlock);
error =3D vdead_check(vp, VDEAD_NOWAIT);
mutex_exit(vp->v_interlock);
if (error) {
bp->b_error =3D EIO;
--
J. Hannken-Illjes - hannken@eis.cs.tu-bs.de - TU Braunschweig (Germany)
From: "Juergen Hannken-Illjes" <hannken@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50467 CVS commit: src/sys/miscfs/specfs
Date: Sat, 26 Mar 2016 14:58:13 +0000
Module Name: src
Committed By: hannken
Date: Sat Mar 26 14:58:13 UTC 2016
Modified Files:
src/sys/miscfs/specfs: spec_vnops.c
Log Message:
Whhen spec_strategy() extracts v_rdev take care to avoid a
race with spec_revoke.
Fixes PR kern/50467 Panic from disconnecting phone while reading its contents
To generate a diff of this commit:
cvs rdiff -u -r1.160 -r1.161 src/sys/miscfs/specfs/spec_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: coypu@SDF.ORG
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/50467: Panic from disconnecting phone while reading its
contents
Date: Sun, 27 Mar 2016 06:24:34 +0000
Confirming that the fix works for me.
Thank you! :)
From: "Juergen Hannken-Illjes" <hannken@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50467 CVS commit: src/sys/miscfs/specfs
Date: Mon, 4 Apr 2016 08:03:54 +0000
Module Name: src
Committed By: hannken
Date: Mon Apr 4 08:03:54 UTC 2016
Modified Files:
src/sys/miscfs/specfs: spec_vnops.c
Log Message:
Avoid a race with spec_revoke for the assertion too.
Final fix for PR kern/50467 Panic from disconnecting phone while reading
its contents
To generate a diff of this commit:
cvs rdiff -u -r1.161 -r1.162 src/sys/miscfs/specfs/spec_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Responsible-Changed-From-To: kern-bug-people->hannken
Responsible-Changed-By: hannken@NetBSD.org
Responsible-Changed-When: Mon, 04 Apr 2016 08:05:58 +0000
Responsible-Changed-Why:
Take.
State-Changed-From-To: open->analyzed
State-Changed-By: hannken@NetBSD.org
State-Changed-When: Mon, 04 Apr 2016 08:05:58 +0000
State-Changed-Why:
Fixed in tree.
State-Changed-From-To: analyzed->pending-pullups
State-Changed-By: hannken@NetBSD.org
State-Changed-When: Tue, 05 Apr 2016 08:55:31 +0000
State-Changed-Why:
Pullups requested.
Ticket #1376 for NetBSD-6
Ticket #1154 for NetBSD-7
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50467 CVS commit: [netbsd-7] src/sys/miscfs/specfs
Date: Fri, 29 Apr 2016 19:07:21 +0000
Module Name: src
Committed By: snj
Date: Fri Apr 29 19:07:21 UTC 2016
Modified Files:
src/sys/miscfs/specfs [netbsd-7]: spec_vnops.c
Log Message:
Pull up following revision(s) (requested by hannken in ticket #1154):
sys/miscfs/specfs/spec_vnops.c: revisions 1.161, 1.162
Whhen spec_strategy() extracts v_rdev take care to avoid a
race with spec_revoke.
Fixes PR kern/50467 Panic from disconnecting phone while reading its contents
--
Avoid a race with spec_revoke for the assertion too.
Final fix for PR kern/50467 Panic from disconnecting phone while reading
its contents
To generate a diff of this commit:
cvs rdiff -u -r1.145 -r1.145.2.1 src/sys/miscfs/specfs/spec_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50467 CVS commit: [netbsd-7-0] src/sys/miscfs/specfs
Date: Fri, 29 Apr 2016 19:09:32 +0000
Module Name: src
Committed By: snj
Date: Fri Apr 29 19:09:32 UTC 2016
Modified Files:
src/sys/miscfs/specfs [netbsd-7-0]: spec_vnops.c
Log Message:
Pull up following revision(s) (requested by hannken in ticket #1154):
sys/miscfs/specfs/spec_vnops.c: revision 1.161, 1.162
Whhen spec_strategy() extracts v_rdev take care to avoid a
race with spec_revoke.
Fixes PR kern/50467 Panic from disconnecting phone while reading its contents
--
Avoid a race with spec_revoke for the assertion too.
Final fix for PR kern/50467 Panic from disconnecting phone while reading
its contents
To generate a diff of this commit:
cvs rdiff -u -r1.145 -r1.145.6.1 src/sys/miscfs/specfs/spec_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50467 CVS commit: [netbsd-6] src/sys/miscfs/specfs
Date: Tue, 10 May 2016 23:14:32 +0000
Module Name: src
Committed By: snj
Date: Tue May 10 23:14:32 UTC 2016
Modified Files:
src/sys/miscfs/specfs [netbsd-6]: spec_vnops.c
Log Message:
Pull up following revision(s) (requested by hannken in ticket #1376):
sys/miscfs/specfs/spec_vnops.c: revisions 1.161, 1.162 via patch
Whhen spec_strategy() extracts v_rdev take care to avoid a
race with spec_revoke.
Fixes PR kern/50467 Panic from disconnecting phone while reading its contents
--
Avoid a race with spec_revoke for the assertion too.
Final fix for PR kern/50467 Panic from disconnecting phone while reading
its contents
To generate a diff of this commit:
cvs rdiff -u -r1.134.8.1 -r1.134.8.2 src/sys/miscfs/specfs/spec_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50467 CVS commit: [netbsd-6-1] src/sys/miscfs/specfs
Date: Tue, 10 May 2016 23:14:45 +0000
Module Name: src
Committed By: snj
Date: Tue May 10 23:14:45 UTC 2016
Modified Files:
src/sys/miscfs/specfs [netbsd-6-1]: spec_vnops.c
Log Message:
Pull up following revision(s) (requested by hannken in ticket #1376):
sys/miscfs/specfs/spec_vnops.c: revisions 1.161, 1.162 via patch
Whhen spec_strategy() extracts v_rdev take care to avoid a
race with spec_revoke.
Fixes PR kern/50467 Panic from disconnecting phone while reading its contents
--
Avoid a race with spec_revoke for the assertion too.
Final fix for PR kern/50467 Panic from disconnecting phone while reading
its contents
To generate a diff of this commit:
cvs rdiff -u -r1.134.8.1 -r1.134.8.1.6.1 src/sys/miscfs/specfs/spec_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: "Soren Jacobsen" <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/50467 CVS commit: [netbsd-6-0] src/sys/miscfs/specfs
Date: Tue, 10 May 2016 23:15:05 +0000
Module Name: src
Committed By: snj
Date: Tue May 10 23:15:05 UTC 2016
Modified Files:
src/sys/miscfs/specfs [netbsd-6-0]: spec_vnops.c
Log Message:
Pull up following revision(s) (requested by hannken in ticket #1376):
sys/miscfs/specfs/spec_vnops.c: revisions 1.161, 1.162 via patch
Whhen spec_strategy() extracts v_rdev take care to avoid a
race with spec_revoke.
Fixes PR kern/50467 Panic from disconnecting phone while reading its contents
--
Avoid a race with spec_revoke for the assertion too.
Final fix for PR kern/50467 Panic from disconnecting phone while reading
its contents
To generate a diff of this commit:
cvs rdiff -u -r1.134.8.1 -r1.134.8.1.4.1 src/sys/miscfs/specfs/spec_vnops.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: pending-pullups->closed
State-Changed-By: hannken@NetBSD.org
State-Changed-When: Fri, 13 May 2016 09:41:32 +0000
State-Changed-Why:
Pullups complete.
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
Home