netbsd-5 puffs crash

To: current-users%netbsd.org@localhost
Subject: netbsd-5 puffs crash
From: Greg Troxel <gdt%ir.bbn.com@localhost>
Date: Mon, 21 Nov 2011 19:28:11 -0500

I had a crash on a reasonably up-to-date netbsd-5 system.
I had left sshfs mounts running overnight.

The backtrace was:

foo root 1 /var/crash #> gdb /netbsd
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...(no debugging symbols found)

(gdb) target kvm netbsd.10.core
#0  0xc05a6402 in cpu_reboot ()
(gdb) bt
#0  0xc05a6402 in cpu_reboot ()
#1  0xc04e9900 in panic ()
#2  0xc05a9137 in trap ()
#3  0xc010cc77 in calltrap ()
#4  0xc03b4e65 in flushvncache ()
#5  0xc03b872b in puffs_vnop_fsync ()
#6  0xc0531266 in VOP_FSYNC ()
#7  0xc052276f in vinvalbuf ()
#8  0xc052296d in vclean ()
#9  0xc0524321 in vflush ()
#10 0xc03b4150 in puffs_vfsop_unmount ()
#11 0xc0521426 in VFS_UNMOUNT ()
#12 0xc052900f in dounmount ()
#13 0xc03b1178 in puffs_msgif_close ()
#14 0xc0391271 in putter_fop_close ()
#15 0xc04ae96d in closef ()
#16 0xc04aeab6 in fd_close ()
#17 0xc05a8c0d in syscall ()
#18 0xc010058e in syscall1 ()
(gdb) fr 4
#4  0xc03b4e65 in flushvncache ()
(gdb) i fr
Stack level 4, frame at 0xce09aa44:
 eip = 0xc03b4e65 in flushvncache; saved eip 0xc03b872b
 called by frame at 0xce09aa84, caller of frame at 0xce09a958
 Arglist at 0xce09aa3c, args: 
 Locals at 0xce09aa3c, Previous frame's sp is 0xce09aa44
 Saved registers:
  ebp at 0xce09aa3c, esi at 0xce09aa38, eip at 0xce09aa40

Looking at the assembler, the problem was that 

        struct puffs_node *pn = VPTOPP(vp);

was pn was NULL, so pn->pn_stat caused a trap.

So:

  in sys/fs/puffs/puffs_vnops.c:flushvncache, should there be a check
  for non-NULL pn?  KASSERT?

  Do people think the problem was a vnode reference kept beyond when the
  vnode was freed?  Something else?
  






(gdb) disass flushvncache
Dump of assembler code for function flushvncache:
0xc03b4e30 <flushvncache+0>:    push   %ebp
0xc03b4e31 <flushvncache+1>:    mov    %esp,%ebp
0xc03b4e33 <flushvncache+3>:    push   %esi
0xc03b4e34 <flushvncache+4>:    mov    %eax,%esi
0xc03b4e36 <flushvncache+6>:    push   %ebx
0xc03b4e37 <flushvncache+7>:    sub    $0xa0,%esp
0xc03b4e3d <flushvncache+13>:   mov    %edx,0xffffff80(%ebp)
0xc03b4e40 <flushvncache+16>:   mov    0xc(%ebp),%edx
0xc03b4e43 <flushvncache+19>:   mov    0x8(%ebp),%eax
0xc03b4e46 <flushvncache+22>:   mov    %ecx,0xffffff84(%ebp)
0xc03b4e49 <flushvncache+25>:   mov    %edx,0xffffff7c(%ebp)
0xc03b4e4f <flushvncache+31>:   movzbl 0x10(%ebp),%edx
0xc03b4e53 <flushvncache+35>:   mov    %eax,0xffffff78(%ebp)
0xc03b4e59 <flushvncache+41>:   mov    0xb0(%esi),%eax
0xc03b4e5f <flushvncache+47>:   mov    %dl,0xffffff77(%ebp)
0xc03b4e65 <flushvncache+53>:   testb  $0xf0,0x1c(%eax)
0xc03b4e69 <flushvncache+57>:   jne    0xc03b4ed0 <flushvncache+160>
0xc03b4e6b <flushvncache+59>:   cmpb   $0x1,0xffffff77(%ebp)
0xc03b4e72 <flushvncache+66>:   mov    %esi,(%esp)
0xc03b4e75 <flushvncache+69>:   sbb    %ebx,%ebx
0xc03b4e77 <flushvncache+71>:   call   0xc010cd80 <mutex_enter>
0xc03b4e7c <flushvncache+76>:   mov    0xffffff78(%ebp),%eax
0xc03b4e82 <flushvncache+82>:   and    $0xfffffffe,%ebx
0xc03b4e85 <flushvncache+85>:   mov    0xffffff7c(%ebp),%edx
0xc03b4e8b <flushvncache+91>:   add    $0x3,%ebx
0xc03b4e8e <flushvncache+94>:   mov    %ebx,0x14(%esp)
0xc03b4e92 <flushvncache+98>:   mov    %esi,(%esp)
0xc03b4e95 <flushvncache+101>:  add    $0xfff,%eax
0xc03b4e9a <flushvncache+106>:  adc    $0x0,%edx
0xc03b4e9d <flushvncache+109>:  and    $0xfffff000,%eax
0xc03b4ea2 <flushvncache+114>:  mov    %eax,0xc(%esp)
0xc03b4ea6 <flushvncache+118>:  mov    0xffffff80(%ebp),%eax
0xc03b4ea9 <flushvncache+121>:  mov    %edx,0x10(%esp)
0xc03b4ead <flushvncache+125>:  mov    0xffffff84(%ebp),%edx
0xc03b4eb0 <flushvncache+128>:  and    $0xfffff000,%eax
0xc03b4eb5 <flushvncache+133>:  mov    %eax,0x4(%esp)
0xc03b4eb9 <flushvncache+137>:  mov    %edx,0x8(%esp)
0xc03b4ebd <flushvncache+141>:  call   0xc0530690 <VOP_PUTPAGES>
0xc03b4ec2 <flushvncache+146>:  add    $0xa0,%esp
0xc03b4ec8 <flushvncache+152>:  pop    %ebx
0xc03b4ec9 <flushvncache+153>:  pop    %esi
0xc03b4eca <flushvncache+154>:  pop    %ebp
0xc03b4ecb <flushvncache+155>:  ret    
0xc03b4ecc <flushvncache+156>:  lea    0x0(%esi),%esi
0xc03b4ed0 <flushvncache+160>:  lea    0xffffff88(%ebp),%ebx
0xc03b4ed3 <flushvncache+163>:  mov    %ebx,(%esp)
0xc03b4ed6 <flushvncache+166>:  call   0xc0520220 <vattr_null>
0xc03b4edb <flushvncache+171>:  mov    $0xfffffffe,%ecx
0xc03b4ee0 <flushvncache+176>:  mov    %ebx,%edx
0xc03b4ee2 <flushvncache+178>:  cmpb   $0x1,0xffffff77(%ebp)
0xc03b4ee9 <flushvncache+185>:  sbb    %eax,%eax
0xc03b4eeb <flushvncache+187>:  and    $0x2,%eax
0xc03b4eee <flushvncache+190>:  inc    %eax
0xc03b4eef <flushvncache+191>:  mov    %eax,(%esp)
0xc03b4ef2 <flushvncache+194>:  mov    %esi,%eax
0xc03b4ef4 <flushvncache+196>:  call   0xc03b48d0 <dosetattr>
0xc03b4ef9 <flushvncache+201>:  test   %eax,%eax
0xc03b4efb <flushvncache+203>:  je     0xc03b4e6b <flushvncache+59>
0xc03b4f01 <flushvncache+209>:  jmp    0xc03b4ec2 <flushvncache+146>
0xc03b4f03 <flushvncache+211>:  lea    0x0(%esi),%esi
0xc03b4f09 <flushvncache+217>:  lea    0x0(%edi),%edi
End of assembler dump.

Attachment: pgpaJQrCtlHme.pgp
Description: PGP signature

Prev by Date: Build still broken (port amd64) - redefinition of vn_close()
Next by Date: daily CVS update output
Previous by Thread: Build still broken (port amd64) - redefinition of vn_close()
Next by Thread: daily CVS update output
Indexes:

Home | Main Index | Thread Index | Old Index