Subject: kern/17195: kernel crashes when accessing named pipe on nullfs
To: None <gnats-bugs@gnats.netbsd.org>
From: None <jakym@volny.cz>
List: netbsd-bugs
Date: 06/08/2002 18:09:48
>Number:         17195
>Category:       kern
>Synopsis:       kernel crashes when accessing named pipe on nullfs
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 08 11:28:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Jachym _Freza_ Holecek
>Release:        NetBSD 1.6_BETA1
>Organization:
none
>Environment:
System: NetBSD gloom 1.6_BETA1 NetBSD 1.6_BETA1 (GLOOM) #0: Thu Jun 6 13:07:17 CEST 2002 root@gloom:/usr/src/sys/arch/i386/compile/GLOOM i386
(source tree from Jun 2 IIRC)
Architecture: i386
Machine: i386

>Description:
The kernel crashes when I try to access a named fifo located in a nullfs-mounted
directory (the mountpoint), dropping me into ddb:

uvm_fault(0x4579990, 0x0, 0, 1) -> e
page fault trap, code 0
fifo_poll+0x19  movl 0(%eax), %eax 

So far, I've observed this behaviour for fifo_poll, fifo_read, and fifo_close.
fifo_open never failed. In the fifo_poll case I'm still able to 'sync'; the
others just leave the system frozen after a 'sync' attempt. The backtrace
(post-mortem) looks like this (frame #27 is relevant IMO):

#0  0x1 in ?? ()
#0  0x1 in ?? ()
#1  0xc035c1bf in cpu_reboot (howto=256, bootstr=0x0)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../arch/i386/i386/machdep.c:2182
#2  0xc02683d7 in db_sync_cmd ()
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../ddb/db_command.c:722
#3  0xc0267fdc in db_command (last_cmdp=0xc06142d4, cmd_table=0xc04cb440)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../ddb/db_command.c:456
#4  0xc0267bdb in db_command_loop ()
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../ddb/db_command.c:246
#5  0xc026b6b4 in db_trap (type=6, code=0)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../ddb/db_trap.c:92
#6  0xc0359122 in kdb_trap (type=6, code=0, regs=0xd4a3079c)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../arch/i386/i386/db_interface.c:129
#7  0xc0362743 in trap (frame={tf_gs = 16, tf_fs = 16, tf_es = 16, tf_ds = 16, 
      tf_edi = -732122916, tf_esi = -727512852, tf_ebp = -727513072, 
      tf_ebx = 0, tf_edx = 7, tf_ecx = -733401728, tf_eax = -1070901388, 
      tf_trapno = 6, tf_err = 0, tf_eip = -1070901285, tf_cs = 8, 
      tf_eflags = 66179, tf_esp = -1, tf_ss = 0, tf_vm86_es = 0, 
      tf_vm86_ds = 0, tf_vm86_fs = -727512852, tf_vm86_gs = 1})
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../arch/i386/i386/trap.c:220
#8  0xc0100e07 in calltrap ()
#9  0xc0261f85 in ufsfifo_close (v=0xd4a308ec)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../ufs/ufs/ufs_vnops.c:1834
#10 0xc02b88ef in layer_bypass (v=0xd4a308ec)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../miscfs/genfs/layer_vnops.c:358
#11 0xc02b45ab in VOP_CLOSE (vp=0xd469cce0, fflag=4, cred=0xffffffff, p=0x0)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/vnode_if.c:293
#12 0xc02ae05f in vclean (vp=0xd469cce0, flags=8, p=0xd45c5744)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/vfs_subr.c:1553
#13 0xc02ae1ce in vgonel (vp=0xd469cce0, p=0xd45c5744)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/vfs_subr.c:1681
#14 0xc02adf77 in vflush (mp=0xc1374400, skipvp=0xd45072fc, flags=2)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/vfs_subr.c:1463
#15 0xc01e712b in nullfs_unmount (mp=0xc1374400, mntflags=524288, p=0xd45c5744)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../miscfs/nullfs/null_vfsops.c:250
#16 0xc02b00cf in dounmount (mp=0xc1374400, flags=524288, p=0xd45c5744)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/vfs_syscalls.c:516
#17 0xc02af122 in vfs_unmountall (p=0xd45c5744)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/vfs_subr.c:2460
#18 0xc02af369 in vfs_shutdown ()
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/vfs_subr.c:2565
#19 0xc035c197 in cpu_reboot (howto=256, bootstr=0x0)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../arch/i386/i386/machdep.c:2169
#20 0xc02683d7 in db_sync_cmd ()
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../ddb/db_command.c:722
#21 0xc0267fdc in db_command (last_cmdp=0xc06142d4, cmd_table=0xc04cb440)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../ddb/db_command.c:456
#22 0xc0267bdb in db_command_loop ()
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../ddb/db_command.c:246
#23 0xc026b6b4 in db_trap (type=6, code=0)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../ddb/db_trap.c:92
#24 0xc0359122 in kdb_trap (type=6, code=0, regs=0xd4a30c78)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../arch/i386/i386/db_interface.c:129
#25 0xc0362743 in trap (frame={tf_gs = 16, tf_fs = 16, tf_es = 16, tf_ds = 16, 
      tf_edi = 1, tf_esi = 0, tf_ebp = -727511808, tf_ebx = -727511632, 
      tf_edx = 15, tf_ecx = -727511632, tf_eax = 0, tf_trapno = 6, tf_err = 0, 
      tf_eip = -1070901551, tf_cs = 8, tf_eflags = 66306, tf_esp = 0, 
      tf_ss = 4, tf_vm86_es = 0, tf_vm86_ds = -1067024904, 
      tf_vm86_fs = -727511652, tf_vm86_gs = -1})
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../arch/i386/i386/trap.c:220
#26 0xc0100e07 in calltrap ()
#27 0xc02b88ef in layer_bypass (v=0xd4a30db0)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../miscfs/genfs/layer_vnops.c:358
#28 0xc02b47cd in VOP_POLL (vp=0xd469cce0, events=88, p=0xd45c5744)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/vnode_if.c:563
#29 0xc02b433e in vn_poll (fp=0xd45055e4, events=88, p=0xd45c5744)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/vfs_vnops.c:595
#30 0xc0296275 in selscan (p=0xd45c5744, ibitp=0xd4a30e84, obitp=0xd4a30e8c, 
    nfd=20, retval=0xd4a30f78)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/sys_generic.c:780
#31 0xc0296034 in sys_select (p=0xd45c5744, v=0xd4a30f80, retval=0xd4a30f78)
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../kern/sys_generic.c:709
#32 0xc0362347 in syscall_plain (frame={tf_gs = 31, tf_fs = 31, tf_es = 31, 
      tf_ds = 31, tf_edi = -1077945980, tf_esi = 0, tf_ebp = -1077945948, 
      tf_ebx = 0, tf_edx = 64, tf_ecx = 6, tf_eax = 93, tf_trapno = 3, 
      tf_err = 2, tf_eip = 1209940483, tf_cs = 23, tf_eflags = 663, 
      tf_esp = -1077946056, tf_ss = 31, tf_vm86_es = 0, tf_vm86_ds = 0, 
      tf_vm86_fs = 0, tf_vm86_gs = 0})
    at /usr/src/sys/arch/i386/compile/GLOOM/../../../../arch/i386/i386/syscall.c:140
#33 0xc0100e7c in syscall1 ()
can not access 0xbfbfd9a4, invalid translation (invalid PDE)
can not access 0xbfbfd9a4, invalid translation (invalid PDE)

The code in layer_bypass() which seems to produce calltrap() just VCALLs the
fifo_poll() routine in this case (nothing seems illegal there). fifo_poll()
isn't shown as a separate frame in the dump, but I'm quite sure (ddb stepping)
it is entered.

>How-To-Repeat:
% mount -t null dir dest
% cd dest
% mkfifo aaa
% echo Hello > aaa &
% cat aaa
# ddb on console now, cat never exits

(or run mc or asciiview with nullfs-mounted /tmp, which is how I came to this)

>Fix:
Not known.
>Release-Note:
>Audit-Trail:
>Unformatted: