kern/44504: kernel panics when dding some block sizes to USB flash drives at sd0

>Number:         44504
>Category:       kern
>Synopsis:       kernel panics when dding some block sizes to USB flash drives 
>at sd0
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Feb 02 22:00:01 +0000 2011
>Originator:     Taylor R Campbell <>
>Release:        NetBSD 5.1_STABLE
System: NetBSD smalltalk.local 5.1_STABLE NetBSD 5.1_STABLE (RIADEBUG) #0: Tue 
Feb 1 20:28:45 UTC 2011 
Architecture: i386
Machine: i386

        In multi-user mode on a kernel with DIAGNOSTIC and a few other
        options enabled, I can reliably make the kernel panic by dding
        what appear to be blocks of certain sizes to sd0d, where sd0 is
        some USB flash drive.  I haven't been able to reproduce it in
        single-user mode, and I haven't been able to reproduce it in

        dmesg output for one of the flash drives I tested:

umass0 at uhub3 port 3 configuration 1 interface 0
umass0: Corsair Flash Voyager, rev 2.00/11.00, addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, 1 lun per target
sd0 at scsibus0 target 0 lun 0: <Corsair, Flash Voyager, 1100> disk removable
sd0: 1936 MB, 3936 cyl, 16 head, 63 sec, 512 bytes/sect x 3964928 sectors

        Kernel configuration:

include "arch/i386/conf/GENERIC"
options         DIAGNOSTIC      # expensive kernel consistency checks
options         DEBUG           # expensive debugging checks/support
options         LOCKDEBUG       # debug locks
makeoptions     DEBUG="-g"      # compile full symbol table
options         FFS_EI          # FFS Endian Independent support
options         APPLE_UFS       # Apple UFS support in FFS

        Panic message:

panic: kernel diagnostic assertion "LIST_EMPTY(&vp->v_dirtyblkhd)" failed: file 
"/home/riastradh/netbsd/5/src/sys/kern/vfs_subr.c", line 895
Begin traceback...
uvm_fault(0xcaa5d27c, 0, 1) -> 0xe
fatal page fault in supervisor mode
trap type 6 code 0 eip c05ce021 cs 8 eflags 10246 cr2 37f ilevel 0
panic: trap
Faulted in mid-traceback; aborting...
dumping to dev 0,1 offset 1049975
dump succeeded

        Stack trace from gdb:

% gdb ./netbsd.gdb
(gdb) target kvm /var/crash/netbsd.5.core
#0  0xc05d2f52 in cpu_reboot (howto=260, bootstr=0x0)
    at /home/riastradh/netbsd/5/src/sys/arch/i386/i386/machdep.c:924
924                     dumpsys();
(gdb) bt
#0  0xc05d2f52 in cpu_reboot (howto=260, bootstr=0x0)
    at /home/riastradh/netbsd/5/src/sys/arch/i386/i386/machdep.c:924
#1  0xc0502c90 in panic (fmt=0xc0ae24c3 "trap")
    at /home/riastradh/netbsd/5/src/sys/kern/subr_prf.c:253
#2  0xc05d5f07 in trap (frame=0xcc0ee9b4)
    at /home/riastradh/netbsd/5/src/sys/arch/i386/i386/trap.c:368
#3  0xc010ccd7 in calltrap ()
#4  0xc05ce021 in db_read_bytes (addr=895, size=4, 
    data=0xcc0eea24 "\024�\016�\004")
    at /home/riastradh/netbsd/5/src/sys/arch/i386/i386/db_memrw.c:91
#5  0xc01b9147 in db_get_value (addr=895, size=4, is_signed=false)
    at /home/riastradh/netbsd/5/src/sys/ddb/db_access.c:62
#6  0xc05ce8a4 in db_stack_trace_print (addr=-871437548, have_addr=true, 
    count=65535, modif=0xc0b1a1fc "", pr=0xc0502a70 <printf>)
    at /home/riastradh/netbsd/5/src/sys/arch/i386/i386/db_trace.c:485
#7  0xc0502c65 in panic (
    fmt=0xc0b27c74 "kernel %sassertion \"%s\" failed: file \"%s\", line %d")
    at /home/riastradh/netbsd/5/src/sys/kern/subr_prf.c:242
#8  0xc086dd89 in __kernassert (t=0xc0a85161 "diagnostic ", 
    f=0xc0ad6cfc "/home/riastradh/netbsd/5/src/sys/kern/vfs_subr.c", l=895, 
    e=0xc0ad650d "LIST_EMPTY(&vp->v_dirtyblkhd)")
    at /home/riastradh/netbsd/5/src/sys/lib/libkern/__assert.c:50
#9  0xc0545571 in vinvalbuf (vp=0xcbe6f230, flags=<value optimized out>, 
    cred=0xcc304480, l=0xcc19e780, catch=false, slptimeo=0)
    at /home/riastradh/netbsd/5/src/sys/kern/vfs_subr.c:895
#10 0xc055edcd in spec_close (v=0xcc0eebd8)
    at /home/riastradh/netbsd/5/src/sys/miscfs/specfs/spec_vnops.c:935
#11 0xc05578dc in VOP_CLOSE (vp=0xcbe6f230, fflag=3, cred=0xcc304480)
    at /home/riastradh/netbsd/5/src/sys/kern/vnode_if.c:314
#12 0xc054f87e in vn_close (vp=0xcbe6f230, flags=3, cred=0xcc304480)
    at /home/riastradh/netbsd/5/src/sys/kern/vfs_vnops.c:352
#13 0xc054f8c2 in vn_closefile (fp=0xcc305c00)
    at /home/riastradh/netbsd/5/src/sys/kern/vfs_vnops.c:782
#14 0xc04bbd3d in closef (fp=0xcc305c00)
    at /home/riastradh/netbsd/5/src/sys/kern/kern_descrip.c:755
#15 0xc04bbf01 in fd_close (fd=4)
    at /home/riastradh/netbsd/5/src/sys/kern/kern_descrip.c:646
#16 0xc05d57c8 in syscall (frame=0xcc0eed48)
    at /home/riastradh/netbsd/5/src/sys/sys/syscallvar.h:49
#17 0xc010058e in syscall1 ()


        Plug in a USB flash drive; assume it attaches at sd0.  The
        following all trigger the panic for me:

                # dd if=/dev/zero of=/dev/sd0d bs=123 count=1
                # dd if=/dev/zero of=/dev/sd0d bs=511 count=1
                # dd if=/dev/zero of=/dev/sd0d bs=512 count=1
                # dd if=/dev/zero of=/dev/sd0d bs=1k count=1
                # dd if=/dev/zero of=/dev/sd0d bs=2k count=1

        If F is a file whose size is not an even multiple of 4k, then

                # dd if=F of=/dev/sd0d

        also triggers the panic.

        A block size of 4k does not seem to trigger it; nor does using
        rsd0d.  Specifying a block size that is not a multiple of 512
        with rsd0d fails with EINVAL, but a block size of 512 works,
        even though 512 on sd0d triggers the panic.


