NetBSD Problem Report #46592

From Manuel.Bouyer@lip6.fr  Tue Jun 12 10:04:36 2012
Return-Path: <Manuel.Bouyer@lip6.fr>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id 8FBB563B882
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 12 Jun 2012 10:04:36 +0000 (UTC)
Message-Id: <20120612100431.AA90834B12@armandeche.soc.lip6.fr>
Date: Tue, 12 Jun 2012 12:04:31 +0200 (MEST)
From: bouyer@antioche.eu.org
Reply-To: bouyer@antioche.eu.org
To: gnats-bugs@gnats.NetBSD.org
Subject: lib/libc/sys/t_mmap cause kernel panic
X-Send-Pr-Version: 3.95

>Number:         46592
>Category:       kern
>Synopsis:       lib/libc/sys/t_mmap cause kernel panic
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Jun 12 10:05:00 +0000 2012
>Last-Modified:  Fri Jun 15 08:55:01 +0000 2012
>Originator:     Manuel Bouyer
>Release:        NetBSD 6.99.7
>Organization:
>Environment:
System: NetBSD anita 6.99.7 NetBSD 6.99.7 (XEN3PAE_DOMU) #0: Sat Jun  9 23:29:25 UTC 2012 builds@b7.netbsd.org:/home/builds/ab/HEAD/amd64/201206092140Z-obj/home/builds/ab/HEAD/src/sys/arch/amd64/compile/XEN3_DOMU amd64
Architecture: amd64 (but also seen with i386)
Machine: amd64
>Description:
	As shown in automated run reports at:
	http://www-soc.lip6.fr/~bouyer/NetBSD-tests/xen/HEAD/
	amd64 and i386 kernels have been panicing on a t_mmap test for some
	time.
lib/libc/sys/t_mmap (332/519): 8 test cases
    mmap_block: panic: kernel diagnostic assertion "vp == vp->v_specnode->sn_dev->sd_bdevvp" failed: file "/home/builds/ab/HEAD/src/sys/miscfs/specfs/spec_vnops.c", line 891 
cpu1: Begin traceback...
kern_assert() at netbsd:kern_assert+0xae
spec_strategy() at netbsd:spec_strategy+0x97
VOP_STRATEGY() at netbsd:VOP_STRATEGY+0x33
genfs_getpages() at netbsd:genfs_getpages+0x1161
VOP_GETPAGES() at netbsd:VOP_GETPAGES+0x4f
uvn_get() at netbsd:uvn_get+0x50
uvm_fault_internal() at netbsd:uvm_fault_internal+0xcab
trap() at netbsd:trap+0x4e4
>How-To-Repeat:

	run anita test against a HEAD build.
>Fix:

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/46592: lib/libc/sys/t_mmap cause kernel panic
Date: Tue, 12 Jun 2012 12:13:45 +0200

 On Tue, Jun 12, 2012 at 10:05:00AM +0000, bouyer@antioche.eu.org wrote:
 > System: NetBSD anita 6.99.7 NetBSD 6.99.7 (XEN3PAE_DOMU) #0: Sat Jun  9 23:29:25 UTC 2012 builds@b7.netbsd.org:/home/builds/ab/HEAD/amd64/201206092140Z-obj/home/builds/ab/HEAD/src/sys/arch/amd64/compile/XEN3_DOMU amd64
 > Architecture: amd64 (but also seen with i386)
 > Machine: amd64
 > >Description:
 > 	As shown in automated run reports at:
 > 	http://www-soc.lip6.fr/~bouyer/NetBSD-tests/xen/HEAD/
 > 	amd64 and i386 kernels have been panicing on a t_mmap test for some
 > 	time.
 > lib/libc/sys/t_mmap (332/519): 8 test cases
 >     mmap_block: panic: kernel diagnostic assertion "vp == vp->v_specnode->sn_dev->sd_bdevvp" failed: file "/home/builds/ab/HEAD/src/sys/miscfs/specfs/spec_vnops.c", line 891 

 Note that these do not seem to be reproducable when running NetBSD/i386 nor
 NetBSD/amd64 - but only with XEN.

 Also read PR kern/38889 about the missing parts in specfs.

 Martin

From: Manuel Bouyer <bouyer@antioche.eu.org>
To: gnats-bugs@NetBSD.org
Cc: kern-bug-people@NetBSD.org, gnats-admin@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/46592: lib/libc/sys/t_mmap cause kernel panic
Date: Tue, 12 Jun 2012 12:29:22 +0200

 On Tue, Jun 12, 2012 at 10:15:04AM +0000, Martin Husemann wrote:
 >  >     mmap_block: panic: kernel diagnostic assertion "vp == vp->v_specnode->sn_dev->sd_bdevvp" failed: file "/home/builds/ab/HEAD/src/sys/miscfs/specfs/spec_vnops.c", line 891 
 >  
 >  Note that these do not seem to be reproducable when running NetBSD/i386 nor
 >  NetBSD/amd64 - but only with XEN.

 I'm not sure what the difference would be between native and Xen.
 Could it be that a module is not built with DIAGNOSTIC ? Xen doesn't
 use modules.

 -- 
 Manuel Bouyer <bouyer@antioche.eu.org>
      NetBSD: 26 ans d'experience feront toujours la difference
 --

From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: kern/46592: lib/libc/sys/t_mmap cause kernel panic
Date: Wed, 13 Jun 2012 18:48:06 +0000

 On Tue, Jun 12, 2012 at 10:30:05AM +0000, Manuel Bouyer wrote:
  >  >  >     mmap_block: panic: kernel diagnostic assertion "vp == vp->v_specnode->sn_dev->sd_bdevvp" failed: file "/home/builds/ab/HEAD/src/sys/miscfs/specfs/spec_vnops.c", line 891 
  >  >  
  >  >  Note that these do not seem to be reproducable when running NetBSD/i386 nor
  >  >  NetBSD/amd64 - but only with XEN.
  >  
  >  I'm not sure what the difference would be between native and Xen.
  >  Could it be that a module is not built with DIAGNOSTIC ? Xen doesn't
  >  use modules.

 specfs isn't a module. (And shouldn't be.)

 -- 
 David A. Holland
 dholland@netbsd.org

From: Manuel Bouyer <bouyer@antioche.eu.org>
To: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Cc: 
Subject: Re: kern/46592: lib/libc/sys/t_mmap cause kernel panic
Date: Thu, 14 Jun 2012 18:56:05 +0200

 On Tue, Jun 12, 2012 at 10:05:00AM +0000, bouyer@antioche.eu.org wrote:
 > 	As shown in automated run reports at:
 > 	http://www-soc.lip6.fr/~bouyer/NetBSD-tests/xen/HEAD/
 > 	amd64 and i386 kernels have been panicing on a t_mmap test for some
 > 	time.
 > lib/libc/sys/t_mmap (332/519): 8 test cases
 >     mmap_block: panic: kernel diagnostic assertion "vp == vp->v_specnode->sn_dev->sd_bdevvp" failed: file "/home/builds/ab/HEAD/src/sys/miscfs/specfs/spec_vnops.c", line 891 
 > cpu1: Begin traceback...

 This test does 2 reads at the mmaped memory: one before closing the
 file descriptor used to mmap() the device, and one after closing.
 It's the second read which causes the panic.

 > kern_assert() at netbsd:kern_assert+0xae
 > spec_strategy() at netbsd:spec_strategy+0x97
 > VOP_STRATEGY() at netbsd:VOP_STRATEGY+0x33
 > genfs_getpages() at netbsd:genfs_getpages+0x1161
 > VOP_GETPAGES() at netbsd:VOP_GETPAGES+0x4f
 > uvn_get() at netbsd:uvn_get+0x50
 > uvm_fault_internal() at netbsd:uvm_fault_internal+0xcab
 > trap() at netbsd:trap+0x4e4

 I found the problem:
 on the native anita run, the device used for tests is /dev/wd0d; on
 xen anita run it is /dev/xbd0d.

 With the native run, the panic doesn't happen because in genfs_getpage()
 vp->v_size is 0, so it doesn't go to VOP_STRATEGY() and the process gets
 a SEGV. With the Xen run vp->v_size is set to the size of the device.

 The problem is in spec_open(), which does a uvm_vnp_setsize() at the end.
 The problem is there:
         if (cdev_type(dev) != D_DISK || error != 0)  
 		return error;
 But if dev is not a character device, cdev_type(dev) won't return the
 right value. For wd0d it returns D_TTY:
 brw-r-----  1 root  operator  0, 3 May  3  2011 /dev/wd0d
 crw-r-----  1 root  operator  3, 3 May  3  2011 /dev/rwd0d
 crw-------  1 root    wheel       0,       0 Jun 14 13:51 console
 crw-------  1 root    wheel       0,       1 Jun 14 18:50 constty

 cdev_type(dev) looks at the cons driver instead of wd in this case.
 But for xbd0d it returns D_DISK, because the major is the same for
 block and char:
 brw-r-----  1 root  operator  142, 3 May  3  2011 /dev/xbd0d
 crw-r-----  1 root  operator  142, 3 May  3  2011 /dev/rxbd0d

 and so spec_open() goes to the end, where it does a uvm_vnp_setsize().

 A quick fix would be:
 Index: miscfs/specfs/spec_vnops.c
 ===================================================================
 RCS file: /cvsroot/src/sys/miscfs/specfs/spec_vnops.c,v
 retrieving revision 1.135
 diff -u -p -u -r1.135 spec_vnops.c
 --- miscfs/specfs/spec_vnops.c	29 Apr 2012 22:54:00 -0000	1.135
 +++ miscfs/specfs/spec_vnops.c	14 Jun 2012 16:53:09 -0000
 @@ -541,7 +541,7 @@ spec_open(void *v)
  	}
  	mutex_exit(&device_lock);

 -	if (cdev_type(dev) != D_DISK || error != 0)
 +	if (vp->v_type != VCHR || cdev_type(dev) != D_DISK || error != 0)
  		return error;

  	if (vp->v_type == VCHR)

 but it looks like the intend of the code was to set the size for both block and
 char disk devices, so I'm not sure what the right thing to do here really is.

 -- 
 Manuel Bouyer <bouyer@antioche.eu.org>
      NetBSD: 26 ans d'experience feront toujours la difference
 --

From: "Manuel Bouyer" <bouyer@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/46592 CVS commit: src/tests/lib/libc/sys
Date: Thu, 14 Jun 2012 17:47:59 +0000

 Module Name:	src
 Committed By:	bouyer
 Date:		Thu Jun 14 17:47:58 UTC 2012

 Modified Files:
 	src/tests/lib/libc/sys: t_mmap.c

 Log Message:
 Disable the mmap_block test again, it doesn't panic when mmaping /dev/wd0d
 only by accident. PR kern/46592.


 To generate a diff of this commit:
 cvs rdiff -u -r1.6 -r1.7 src/tests/lib/libc/sys/t_mmap.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

From: yamt@mwd.biglobe.ne.jp (YAMAMOTO Takashi)
To: bouyer@antioche.eu.org
Cc: gnats-bugs@NetBSD.org, netbsd-bugs@NetBSD.org
Subject: Re: kern/46592: lib/libc/sys/t_mmap cause kernel panic
Date: Fri, 15 Jun 2012 02:51:36 +0000 (UTC)

 hi,

 > but it looks like the intend of the code was to set the size for both block and
 > char disk devices, so I'm not sure what the right thing to do here really is.

 good catch.

 unless we want to revive checkalias, a fix would be
 	- use bdev_type for VBLK
 	- defer sd_opencnt-- logic for VBLK to somewhere later so that
 	  it covers mmap.  probably spec_inactive?
 	- before decrementing sd_opencnt, flush caches.

 YAMAMOTO Takashi

From: "Stephen Borrill" <sborrill@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/46592 CVS commit: [netbsd-6] src/tests/lib/libc/sys
Date: Fri, 15 Jun 2012 08:53:33 +0000

 Module Name:	src
 Committed By:	sborrill
 Date:		Fri Jun 15 08:53:33 UTC 2012

 Modified Files:
 	src/tests/lib/libc/sys [netbsd-6]: t_mmap.c

 Log Message:
 Pull up the following revisions(s) (requested by bouyer in ticket #345):
 	tests/lib/libc/sys/t_mmap.c:	revision 1.7

 Disable the mmap_block test again. It is only by accident that it doesn't
 panic when mmaping /dev/wd0d. PR kern/46592


 To generate a diff of this commit:
 cvs rdiff -u -r1.2.4.1 -r1.2.4.2 src/tests/lib/libc/sys/t_mmap.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.