Subject: kern/31433: crash in wi causes crash in genfs_vnops.c
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <erh@swapsimple.com>
List: netbsd-bugs
Date: 09/30/2005 21:38:00
>Number:         31433
>Category:       kern
>Synopsis:       crash in wi causes pagedaemon assert failure in genfs_vnops.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 30 21:38:00 +0000 2005
>Originator:     Eric Haszlakiewicz
>Release:        NetBSD 3.99.9
>Organization:
>Environment:
System: NetBSD poe.swapsimple.com 3.99.9 NetBSD 3.99.9 (POE) #0: Mon Sep 26 02:23:25 CDT 2005 erh@poe.swapsimple.com:/usr/build/POE i386
Architecture: i386
Machine: i386
>Description:

	I was in the middle of performing a build with ant and jikes.  Since
I was logged in remotely, the output from it caused a fair amount of traffic
to go across the wi0 interface.  This caused the initial assert failure in
wi.c, line 1827.  I have had this happen before, but since wi is known to
have problems, I didn't bother to report it.
	However, this time the initial panic triggered a second panic in
genfs_vnops.c.  The trace back and last few lines from the message buf are
below.  I also have the kernel core dump available.
	This crash caused some minor filesystem corruption.  Not sure whether
it's related or not.  (the piixide lost interrupt messages are from a dvd-rw)


GNU gdb 5.3nb1
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"...
(gdb) target kcore netbsd.6.core
panic: kernel %sassertion "%s" failed: file "%s", line %d
#0  0x1fe74000 in ?? ()
(gdb) where
#0  0x1fe74000 in ?? ()
#1  0xc034d1a6 in cpu_reboot (howto=260, bootstr=0x0)
    at /usr/src/sys/arch/i386/i386/machdep.c:752
#2  0xc02b8998 in panic (
    fmt=0xc04c6b20 "kernel %sassertion \"%s\" failed: file \"%s\", line %d")
    at /usr/src/sys/kern/subr_prf.c:253
#3  0xc040abf8 in __assert (t=0xc045215d "diagnostic ", 
    f=0xc049e940 "/usr/src/sys/miscfs/genfs/genfs_vnops.c", l=1249, 
    e=0xc045f091 "!pagedaemon") at /usr/src/sys/lib/libkern/__assert.c:45
#4  0xc02eea67 in genfs_putpages (v=0xcb6febc8)
    at /usr/src/sys/miscfs/genfs/genfs_vnops.c:1262
#5  0xc02ebad4 in VOP_PUTPAGES (vp=0xd13072f4, offlo=0, offhi=0, flags=17)
    at /usr/src/sys/kern/vnode_if.c:2015
#6  0xc0244bca in ffs_full_fsync (v=0xcb6fecf8)
    at /usr/src/sys/ufs/ffs/ffs_vnops.c:383
#7  0xc02444bb in ffs_fsync (v=0xcb6fecf8)
    at /usr/src/sys/ufs/ffs/ffs_vnops.c:277
#8  0xc02eb438 in VOP_FSYNC (vp=0xd13072f4, cred=0xcab80000, flags=0, offlo=0, 
    offhi=0, p=0xcab8cab4) at /usr/src/sys/kern/vnode_if.c:782
#9  0xc024290a in ffs_sync (mp=<incomplete type>, waitfor=2, cred=0xcab80000, 
    p=0xcab8cab4) at /usr/src/sys/ufs/ffs/ffs_vfsops.c:1327
#10 0xc02e35ed in sys_sync (l=0xcab8b738, v=0x0, retval=0x0)
    at /usr/src/sys/kern/vfs_syscalls.c:653
#11 0xc02e1950 in vfs_shutdown () at /usr/src/sys/kern/vfs_subr.c:2222
#12 0xc034d1ba in cpu_reboot (howto=256, bootstr=0x0)
    at /usr/src/sys/arch/i386/i386/machdep.c:738
#13 0xc02b8998 in panic (
    fmt=0xc04c6b20 "kernel %sassertion \"%s\" failed: file \"%s\", line %d")
    at /usr/src/sys/kern/subr_prf.c:253
#14 0xc040abf8 in __assert (t=0xc045215d "diagnostic ", 
    f=0xc0455b80 "/usr/src/sys/dev/ic/wi.c", l=1827, 
    e=0xc0455caf "sc->sc_txcmds > 0") at /usr/src/sys/lib/libkern/__assert.c:45
#15 0xc01a0357 in wi_cmd_intr (sc=0xc1284000) at /usr/src/sys/dev/ic/wi.c:1841
#16 0xc019e155 in wi_intr (arg=0xc1284000) at /usr/src/sys/dev/ic/wi.c:727
(gdb) print "%s", (char *)(msgbufp->msg_bufc + 9000)
(gdb) printf "%s", (char *)(msgbufp->msg_bufc + 9000)
e changed to UP
piixide0:1:0: lost interrupt
	type: atapi tc_bcount: 0 tc_skip: 0
piixide0:1:0: lost interrupt
	type: atapi tc_bcount: 0 tc_skip: 0
piixide0:1:0: lost interrupt
	type: atapi tc_bcount: 0 tc_skip: 0
piixide0:1:0: lost interrupt
	type: atapi tc_bcount: 0 tc_skip: 0
piixide0:1:0: lost interrupt
	type: atapi tc_bcount: 0 tc_skip: 0
piixide0:1:0: lost interrupt
	type: atapi tc_bcount: 0 tc_skip: 0
panic: kernel diagnostic assertion "sc->sc_txcmds > 0" failed: file "/usr/src/sys/dev/ic/wi.c", line 1827
Begin traceback...
__main(c045215d,c0455b80,723,c0455caf,0) at netbsd:__main
wi_cmd_intr(c1284000,cb6fef1c,c0340f70,c051579c,c04a50a0) at netbsd:wi_cmd_intr+0x6b
wi_intr(c1284000,0,10,30,10) at netbsd:wi_intr+0x235
Xintr_legacy10() at netbsd:Xintr_legacy10+0xad
--- interrupt ---
Xspllower(0,c02990d2,8,203,c051579c) at netbsd:Xspllower+0xe
_simple_lock_try(d1212ee0,c04a50a0,364,246,8018) at netbsd:_simple_lock_try+0xa5
uvmpd_scan(c02a9c02,c04d0d74,aaabab12,8033,0) at netbsd:uvmpd_scan+0x20f
uvm_pageout(cab8b738,592000,59a000,0,c0100321) at netbsd:uvm_pageout+0x134
End traceback...
syncing disks... panic: kernel diagnostic assertion "!pagedaemon" failed: file "/usr/src/sys/miscfs/genfs/genfs_vnops.c", line 1249
Begin traceback...
__main(c045215d,c049e940,4e1,c045f091,c08878a0) at netbsd:__main
genfs_putpages(cb6febc8,cd03992c,cb6fec00,c02eb9d4,c0432040) at netbsd:genfs_putpages+0x86f
VOP_PUTPAGES(d13072f4,0,0,0,0) at netbsd:VOP_PUTPAGES+0x40
ffs_full_fsync(cb6fecf8,10,c045bffd,cb6fec90,d130737c) at netbsd:ffs_full_fsync+0x3be
ffs_fsync(cb6fecf8,d13072f4,10012,c02eb690,c0431880) at netbsd:ffs_fsync+0x4b
VOP_FSYNC(d13072f4,cab80000,0,0,0) at netbsd:VOP_FSYNC+0x4c
ffs_sync(c1346000,2,cab80000,cab8cab4,cb6fedb0) at netbsd:ffs_sync+0x27a
sys_sync(cab8b738,0,0,0,100) at netbsd:sys_sync+0xf5
vfs_shutdown(c04c6b20,0,cb6fee10,c02b8998,100) at netbsd:vfs_shutdown+0x64
cpu_reboot(100,0,206,c0432040,d11b0040) at netbsd:cpu_reboot+0x1ca
panic(c04c6b20,c045215d,c0455caf,c0455b80,723) at netbsd:panic+0x108
__main(c045215d,c0455b80,723,c0455caf,0) at netbsd:__main
wi_cmd_intr(c1284000,cb6fef1c,c0340f70,c051579c,c04a50a0) at netbsd:wi_cmd_intr+0x6b
wi_intr(c1284000,0,10,30,10) at netbsd:wi_intr+0x235
Xintr_legacy10() at netbsd:Xintr_legacy10+0xad
--- interrupt ---
Xspllower(0,c02990d2,8,203,c051579c) at netbsd:Xspllower+0xe
_simple_lock_try(d1212ee0,c04a50a0,364,246,8018) at netbsd:_simple_lock_try+0xa5
uvmpd_scan(c02a9c02,c04d0d74,aaabab12,8033,0) at netbsd:uvmpd_scan+0x20f
uvm_pageout(cab8b738,592000,59a000,0,c0100321) at netbsd:uvm_pageout+0x134
End traceback...

dumping to dev 19,1 offset 1282527
dump 511 510 509 508 507 506 505 504 503 502 501 500 499 498 497 496 495
etc...

	
>How-To-Repeat:
	Some pattern of data transfer across the wi0 interface triggers the
initial panic.  I've had this happen before, but don't know a good way to
reproduce it.  Sending a lot of traffic across seems to increase the
chances of a crash.

>Fix: