kern/41128: tmpfs kernel diagnostic assertion "de->td_node == fnode" failed

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/41128: tmpfs kernel diagnostic assertion "de->td_node == fnode" failed
From: njoly%pasteur.fr@localhost
Date: Fri, 3 Apr 2009 13:50:01 +0000 (UTC)

>Number:         41128
>Category:       kern
>Synopsis:       tmpfs kernel diagnostic assertion "de->td_node == fnode" failed
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 03 13:50:00 +0000 2009
>Originator:     Nicolas Joly
>Release:        NetBSD 5.99.9
>Organization:
Institut Pasteur
>Environment:
System: NetBSD lanfeust.sis.pasteur.fr 5.99.9 NetBSD 5.99.9 (LANFEUST) #22: Fri 
Apr 3 11:57:30 CEST 2009 
njoly%lanfeust.sis.pasteur.fr@localhost:/local/src/NetBSD/obj.amd64/sys/arch/amd64/compile/LANFEUST
 amd64
Architecture: x86_64
Machine: amd64
>Description:
Concurrent file access from 2 programs/threads on the same file on tmpfs
can triggers a kernel diagnostic assertion.

panic: kernel diagnostic assertion "de->td_node == fnode" failed: file "/local/s
rc/NetBSD/src/sys/fs/tmpfs/tmpfs_vnops.c", line 832
fatal breakpoint trap in supervisor mode
trap type 1 code 0 rip ffffffff80238765 cs 8 rflags 246 cr2  7f7ffddfaf00 cpl 0 
rsp ffff800049f04880

The first thread create/remove a file, and the second one try to rename it.

The following testcase (thanks to Antti Kantee for the rump version) triggers
it in less than 10 seconds.

njoly@lanfeust [~]> cat crashtmpfs.c
#include <sys/types.h>
#include <sys/mount.h>

#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>

#include <rump/rump.h>
#include <rump/rump_syscalls.h>
#include <rump/ukfs.h>

#include <fs/tmpfs/tmpfs_args.h>

void *
w1(void *arg)
{
  int fd;

  for (;;) {
    fd = rump_sys_open("/rename.test1", O_WRONLY|O_CREAT|O_TRUNC, 0666);
    rump_sys_unlink("/rename.test1");
    rump_sys_close(fd);
  }
  return NULL;
}

int main() {
  struct tmpfs_args args;
  struct ukfs *fs;
  pthread_t pt;
  int fail = 0, succ = 0;

  memset(&args, 0, sizeof(args));
  args.ta_version = TMPFS_ARGS_VERSION;
  args.ta_root_mode = 0777;

  ukfs_init();
  fs = ukfs_mount(MOUNT_TMPFS, "tmpfs", UKFS_DEFAULTMP, 0, &args, sizeof(args));
  if (fs == NULL)
    err(1, "ukfs_mount");

  pthread_create(&pt, NULL, w1, fs);

  while (1) {
    int rv;
    rv = rump_sys_rename("/rename.test1", "/rename.test2");
    if (rv == 0) {
      if (succ++ % 10000 == 0)
        printf("success\n");
    } else {
      if (fail++ % 10000 == 0)
        printf("fail\n");
    }
  }

  return 0; }
njoly@lanfeust [~]> cc -g -O0 -o crashtmpfs crashtmpfs.c -lukfs -lrumpfs_tmpfs 
-lrumpvfs -lrump -lrumpuser
njoly@lanfeust [~]> ./crashtmpfs 
fail
success
fail
fail
panic: kernel diagnostic assertion "de->td_node == fnode" failed: file 
"/local/src/NetBSD/src/sys/rump/fs/lib/libtmpfs/../../../../fs/tmpfs/tmpfs_vnops.c",
 line 832
zsh: abort (core dumped)  ./crashtmpfs
njoly@lanfeust [~]> gdb ./crashtmpfs ./crashtmpfs.core
GNU gdb 6.5
Copyright (C) 2006 Free Software Foundation, Inc.
[...]
Core was generated by `crashtmpfs'.
Program terminated with signal 6, Aborted.
#0  0x00007f7ffd1e40da in _lwp_kill () from /usr/lib/libc.so.12
(gdb) bt
#0  0x00007f7ffd1e40da in _lwp_kill () from /usr/lib/libc.so.12
#1  0x00007f7ffd1e39d2 in abort ()
    at /local/src/NetBSD/src/lib/libc/stdlib/abort.c:74
#2  0x00007f7ffd404229 in rumpuser_panic ()
    at 
/local/src/NetBSD/src/lib/librumpuser/../../sys/rump/librump/rumpuser/rumpuser.c:448
#3  0x00007f7ffd639463 in panic (
    fmt=0x7f7ffd657860 "kernel %sassertion \"%s\" failed: file \"%s\", line 
%d") at /local/src/NetBSD/src/lib/librump/../../sys/rump/../kern/subr_prf.c:294
#4  0x00007f7ffd62ce33 in __kernassert (t=0x6 <Address 0x6 out of bounds>, 
    f=0x7f7ffd1e40da "r\001ÃH\213\r\024S\022", l=1, e=0x0)
    at 
/local/src/NetBSD/src/lib/librump/../../sys/rump/../lib/libkern/__assert.c:50
#5  0x00007f7ffda08aa9 in tmpfs_rename (v=<value optimized out>)
    at 
/local/src/NetBSD/src/sys/rump/fs/lib/libtmpfs/../../../../fs/tmpfs/tmpfs_vnops.c:832
#6  0x00007f7ffd635fb1 in VOP_RENAME (fdvp=0x7f7ffc5aa1a0, fvp=0x6, 
    fcnp=<value optimized out>, tdvp=0x7f7ffd1e40da, tvp=0x1, tcnp=0x0)
    at /local/src/NetBSD/src/lib/librump/../../sys/rump/../kern/vnode_if.c:998
#7  0x00007f7ffd822288 in do_sys_rename (from=<value optimized out>, 
    to=0x400e42 "/rename.test2", seg=UIO_USERSPACE, retain=0)
    at 
/local/src/NetBSD/src/lib/librumpvfs/../../sys/rump/../kern/vfs_syscalls.c:3423
#8  0x00007f7ffd65048b in rump_sys_rename (from=<value optimized out>, 
    to=<value optimized out>)
    at 
/local/src/NetBSD/src/lib/librump/../../sys/rump/librump/rumpkern/rump_syscalls.c:878
#9  0x0000000000400cee in main () at crashtmpfs.c:50


>How-To-Repeat:
Run the above testcase.
>Fix:
Please.

Prev by Date: PR/41127 CVS commit: src/sbin/newfs
Next by Date: Re: kern/41127: Creating a new filesystem on usbstick fails
Previous by Thread: PR/41127 CVS commit: src/sbin/newfs
Next by Thread: Re: kern/41128 (tmpfs kernel diagnostic assertion "de->td_node == fnode" failed)
Indexes:

Home | Main Index | Thread Index | Old Index