NetBSD Problem Report #41147

From Manuel.Bouyer@lip6.fr  Sun Apr  5 13:40:00 2009
Return-Path: <Manuel.Bouyer@lip6.fr>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 9F95063B8A5
	for <gnats-bugs@gnats.NetBSD.org>; Sun,  5 Apr 2009 13:40:00 +0000 (UTC)
Message-Id: <200904051339.n35DdtQV001031@horn.soc.lip6.fr>
Date: Sun, 5 Apr 2009 15:39:55 +0200 (MEST)
From: Manuel Bouyer <Manuel.Bouyer@lip6.fr>
Reply-To: Manuel.Bouyer@lip6.fr
To: gnats-bugs@gnats.NetBSD.org
Subject: race between nfsd and local rm
X-Send-Pr-Version: 3.95

>Number:         41147
>Category:       kern
>Synopsis:       race between nfsd and local rm
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bouyer
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Apr 05 13:45:00 +0000 2009
>Closed-Date:    Mon Sep 28 21:04:26 +0000 2009
>Last-Modified:  Mon Sep 28 21:04:26 +0000 2009
>Originator:     Manuel Bouyer
>Release:        NetBSD 5.0_RC3
>Organization:
>Environment:
System: NetBSD horn 5.0_RC3 NetBSD 5.0_RC3 (DISCODEBUG) #29: Sun Apr 5 15:11:32 MEST 2009 bouyer@disco:/home/bouyer/src-5/src/sys/arch/i386/compile/DISCODEBUG i386
Architecture: i386
Machine: i386
>Description:
	A bonnie++ was running on a remote client, writing to the filesystem
	(it was in the "Writing with putc()..." phase). At the same time
	I did a 'rm *' in bonnie's working directory on the server, and got:
uvm_fault(0xce4998f4, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c02d8439 cs 8 eflags 10246 cr2 80 ilevel 0
kernel: supervisor trap page fault, code=0
Stopped in pid 251.1 (nfsd) at  netbsd:ufs_fhtovp+0x59: cmpw    $0,0x80(%eax)
db{0}> tr
ufs_fhtovp(ce5bd914,ce81d918,ce81db40,c3b6f427,50435851,c,314c9,14afbca0,ce5bd914,0) at netbsd:ufs_fhtovp+0x59
ffs_fhtovp(ce5bd914,ce81dae0,ce81db40,ce81dad8,ce81dad8,0,ce81d98c,c026fb38,ce5bd914,ce81dae0) at netbsd:ffs_fhtovp+0x65
VFS_FHTOVP(ce5bd914,ce81dae0,ce81db40,ce81d974,ce81d978,c2e7e6f0,0,25a80,100,cbf86cc0) at netbsd:VFS_FHTOVP+0x2c
nfsrv_fhtovp(ce81dad4,1,ce81db40,cec746c0,ce6ffd88,c3b6f400,ce81db4c,0,0,ffffffff) at netbsd:nfsrv_fhtovp+0x98
nfsrv_write(ceb76708,ce6ffd88,ce9f22c0,ce81dbd0,cd137b40,c0716e18,0,c2d0b918,c0716e18,0) at netbsd:nfsrv_write+0x278
nfssvc_nfsd(ce81dc38,804a2e0,ce9f22c0,0,0,0,0,0,0,ffffffff) at netbsd:nfssvc_nfsd+0x2f0
sys_nfssvc(ce9f22c0,ce81dd00,ce81dd28,bfbff000,ce4998f4,ce4998f4,2,4,804a2e0,bfbfee94) at netbsd:sys_nfssvc+0x359
syscall(ce81dd48,b3,ab,bfbf001f,bbbd001f,d,1,bfbfee94,0,bfbffff0) at netbsd:syscall+0xc8

>How-To-Repeat:
	See above. The remote NFS client is a 2.6.18 Linux kernel; maybe
	it's important.
>Fix:
	unknown

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->bouyer
Responsible-Changed-By: bouyer@NetBSD.org
Responsible-Changed-When: Sun, 20 Sep 2009 14:02:36 +0000
Responsible-Changed-Why:
I committed a fix


State-Changed-From-To: open->pending-pullups
State-Changed-By: bouyer@NetBSD.org
State-Changed-When: Sun, 20 Sep 2009 14:02:36 +0000
State-Changed-Why:
I committed a fix; will request pullups to netbsd-5


From: Manuel Bouyer <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/41147 CVS commit: src/sys/ufs/ufs
Date: Sun, 20 Sep 2009 14:00:24 +0000

 Module Name:	src
 Committed By:	bouyer
 Date:		Sun Sep 20 14:00:24 UTC 2009

 Modified Files:
 	src/sys/ufs/ufs: ufs_ihash.c

 Log Message:
 PR kern/41147: race between nfsd and local rm
 Note that the race also exists between 2 NFS clients, one of them doing the rm.
 In ufs_ihashget(), vget() can return a vnode that has been vclean'ed because
 vget() can sleep. After vget returns, check that vp is still connected with
 ip, and that ip still points to the inode we want. This fixes the NULL
 pointer dereference in ufs_fhtovp() I've been seeing on a NFS server.

 XXX I have no idea why using vput() instead of
 vlockmgr(vp->v_vnlock, LK_RELEASE); vrele(vp); does not work.


 To generate a diff of this commit:
 cvs rdiff -u -r1.26 -r1.27 src/sys/ufs/ufs/ufs_ihash.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.
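The revalidation described in the commit message above, as an added user-space model (not NetBSD's code, and not the contents of ufs_ihash.c r1.27): a hash lookup finds an inode, vget() on its vnode may sleep, and a concurrent rm can vclean() the vnode in that window. The pre-fix shape hands the caller a vnode whose v_data is already NULL, which is what the fhtovp caller then dereferences; the post-fix shape re-checks, after vget() returns, that the vnode and inode are still paired and that the inode is still the one asked for, and retries otherwise. All names here (model_*, ihash, race_*, run_scenario) are invented for the illustration; the real kernel's vget()/vclean() semantics and locking are more involved than this model.

```c
/*
 * Added example, not NetBSD's code: a user-space model of the lookup/vget()
 * race in ufs_ihashget() and of the post-vget revalidation the fix adds.
 * All names (model_*, ihash, race_*, run_scenario) are invented here.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t model_ino_t;

struct model_vnode;
struct model_inode {
    struct model_vnode *i_vnode;     /* vnode backing this inode */
    uint32_t            i_dev;
    model_ino_t         i_number;
    struct model_inode *i_hash_next;
};
struct model_vnode {
    struct model_inode *v_data;      /* NULL once the vnode has been cleaned */
    int                 v_usecount;
};

#define NHASH 16
static struct model_inode *ihash[NHASH];

/* The vnode a "concurrent rm" cleans while vget() sleeps (fires once). */
static struct model_vnode *race_victim;
static bool race_fired;

static unsigned hashidx(uint32_t dev, model_ino_t ino) { return (dev + ino) % NHASH; }

static void model_ihashins(struct model_inode *ip) {
    unsigned h = hashidx(ip->i_dev, ip->i_number);
    ip->i_hash_next = ihash[h];
    ihash[h] = ip;
}

static void model_ihashrem(struct model_inode *ip) {
    struct model_inode **pp = &ihash[hashidx(ip->i_dev, ip->i_number)];
    for (; *pp; pp = &(*pp)->i_hash_next)
        if (*pp == ip) { *pp = ip->i_hash_next; return; }
}

/* Model of vclean(): unhash the inode and detach the vnode from it. */
static void model_vclean(struct model_vnode *vp) {
    if (vp->v_data) { model_ihashrem(vp->v_data); vp->v_data->i_vnode = NULL; }
    vp->v_data = NULL;
}

/* Model of vget(): it may sleep, and while it sleeps another thread may run. */
static int model_vget(struct model_vnode *vp) {
    if (race_victim && !race_fired) { race_fired = true; model_vclean(race_victim); }
    vp->v_usecount++;
    return 0;
}
static void model_vrele(struct model_vnode *vp) { vp->v_usecount--; }

/* Pre-fix shape: whatever vnode vget() returns is trusted. */
static struct model_vnode *ihashget_unsafe(uint32_t dev, model_ino_t ino) {
    for (struct model_inode *ip = ihash[hashidx(dev, ino)]; ip; ip = ip->i_hash_next)
        if (ip->i_dev == dev && ip->i_number == ino) {
            struct model_vnode *vp = ip->i_vnode;
            if (model_vget(vp) != 0) return NULL;
            return vp;            /* may already be cleaned: v_data == NULL */
        }
    return NULL;
}

/* Post-fix shape: after vget() returns, confirm vp and ip are still paired and
 * ip is still the inode that was asked for; otherwise drop the ref and retry. */
static struct model_vnode *ihashget_safe(uint32_t dev, model_ino_t ino) {
retry:
    for (struct model_inode *ip = ihash[hashidx(dev, ino)]; ip; ip = ip->i_hash_next)
        if (ip->i_dev == dev && ip->i_number == ino) {
            struct model_vnode *vp = ip->i_vnode;
            if (model_vget(vp) != 0) goto retry;
            if (vp->v_data != ip || ip->i_vnode != vp ||
                ip->i_dev != dev || ip->i_number != ino) {
                model_vrele(vp);  /* stale: the hash moved on while we slept */
                goto retry;
            }
            return vp;
        }
    return NULL;
}

/* One fhtovp-style lookup of (dev 7, inode 42). Returns 0: live vnode,
 * 1: stale vnode handed back (caller would dereference v_data == NULL, the
 * fault seen in the trace above), 2: clean miss after the rm won the race. */
int run_scenario(bool hardened, bool concurrent_rm) {
    static struct model_inode ino;
    static struct model_vnode vn;
    memset(ihash, 0, sizeof ihash);
    ino = (struct model_inode){ .i_vnode = &vn, .i_dev = 7, .i_number = 42 };
    vn  = (struct model_vnode){ .v_data = &ino };
    model_ihashins(&ino);
    race_victim = concurrent_rm ? &vn : NULL;
    race_fired = false;

    struct model_vnode *vp = hardened ? ihashget_safe(7, 42) : ihashget_unsafe(7, 42);
    if (vp == NULL) return 2;
    return vp->v_data == NULL ? 1 : 0;
}
```

The retry is bounded in practice because a cleaned inode is no longer in the hash: the second pass either finds a fresh inode for the same number, which passes the checks, or misses, and the caller gets the usual ESTALE-style failure instead of a NULL dereference. The i_dev/i_number comparison covers the second half of the commit message, the inode memory being reused for a different inode while vget() slept, which the vp/ip pairing check alone would not catch.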

From: Soren Jacobsen <snj@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/41147 CVS commit: [netbsd-5] src/sys/ufs/ufs
Date: Mon, 28 Sep 2009 01:43:02 +0000

 Module Name:	src
 Committed By:	snj
 Date:		Mon Sep 28 01:43:02 UTC 2009

 Modified Files:
 	src/sys/ufs/ufs [netbsd-5]: ufs_ihash.c

 Log Message:
 Pull up following revision(s) (requested by bouyer in ticket #1029):
 	sys/ufs/ufs/ufs_ihash.c: revision 1.27
 PR kern/41147: race between nfsd and local rm
 Note that the race also exists between 2 NFS clients, one of them doing the rm.
 In ufs_ihashget(), vget() can return a vnode that has been vclean'ed because
 vget() can sleep. After vget returns, check that vp is still connected with
 ip, and that ip still points to the inode we want. This fixes the NULL
 pointer dereference in ufs_fhtovp() I've been seeing on a NFS server.
 XXX I have no idea why using vput() instead of
 vlockmgr(vp->v_vnlock, LK_RELEASE); vrele(vp); does not work.


 To generate a diff of this commit:
 cvs rdiff -u -r1.26 -r1.26.10.1 src/sys/ufs/ufs/ufs_ihash.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: pending-pullups->closed
State-Changed-By: bouyer@NetBSD.org
State-Changed-When: Mon, 28 Sep 2009 21:04:26 +0000
State-Changed-Why:
Fix pulled up


>Unformatted:
