Subject: kern/20322: panic when writing to blockdevice before close
To: None <gnats-bugs@gnats.netbsd.org>
From: None <chris@pin.lu>
List: netbsd-bugs
Date: 02/12/2003 20:51:56
>Number: 20322
>Category: kern
>Synopsis: panic when writing to blockdevice before close
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Feb 12 12:20:00 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Christian Limpach
>Release: NetBSD 1.6_STABLE
>Organization:
>Environment:
System: NetBSD oito.pin 1.6_STABLE NetBSD 1.6_STABLE (OITO) #2: Mon Feb 3 04:41:08 CET 2003 chris@marble:/devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO i386
Architecture: i386
Machine: i386
>Description:
Writing to a partition's block device and immediately closing
the file descriptor used for the write results in a
DIAGNOSTIC panic if the block device is also used in a ccd and
there's activity on the ccd.
The panic occurs in vinvalbuf when the vp's v_numoutput is > 0.
With activity on the ccd, the write before close is only scheduled,
and thus v_numoutput is > 0 since vwakeup hasn't happened yet.

(gdb) frame 3
#3 0xc0207bf8 in vinvalbuf (vp=0xcb37791c, flags=1, cred=0xc073a180, p=0xcb2ca908,
slpflag=0, slptimeo=0)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../kern/vfs_subr.c:676
676 panic("vinvalbuf: dirty bufs, vp %p", vp);
(gdb) p *vp
$1 = {v_uobj = {vmobjlock = {lock_data = 0}, pgops = 0xc039e2c4, memq = {tqh_first = 0x0,
tqh_last = 0xcb377924}, uo_npages = 0, uo_refs = 2}, v_size = 214179840, v_flag = 0,
v_numoutput = 1, v_writecount = 1, v_holdcnt = 2, v_id = 5842, v_mount = 0xc06f0400,
v_op = 0xc062b100, v_freelist = {tqe_next = 0x0, tqe_prev = 0xcb070c1c}, v_mntvnodes = {
le_next = 0xcb33a73c, le_prev = 0xcb1f4940}, v_cleanblkhd = {lh_first = 0xc36f7d60},
v_dirtyblkhd = {lh_first = 0x0}, v_synclist = {le_next = 0xcb28a194, le_prev = 0xc062b730},
v_un = {vu_mountedhere = 0xc073c860, vu_socket = 0xc073c860, vu_specinfo = 0xc073c860,
vu_fifoinfo = 0xc073c860}, v_lease = 0x0, v_type = VBLK, v_tag = VT_UFS, v_lock = {
lk_interlock = {lock_data = 0}, lk_flags = 1024, lk_sharecount = 0,
lk_exclusivecount = 1, lk_recurselevel = 0, lk_waitcount = 0,
lk_wmesg = 0xc0346390 "vnlock", lk_un = {lk_un_sleep = {lk_sleep_lockholder = 318,
lk_sleep_prio = 20, lk_sleep_timo = 0}, lk_un_spin = {lk_spin_cpu = 318}}},
v_vnlock = 0xcb377988, v_data = 0xcb1de494}
#3 0xc0207bf8 in vinvalbuf (vp=0xcb37791c, flags=1, cred=0xc073a180, p=0xcb2ca908,
slpflag=0, slptimeo=0)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../kern/vfs_subr.c:676
#4 0xc021417c in spec_close (v=0xcb403dec)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../miscfs/specfs/spec_vnops.c:620
#5 0xc01c2ccd in ufsspec_close (v=0xcb403dec)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../ufs/ufs/ufs_vnops.c:1765
#6 0xc020ed47 in VOP_CLOSE (vp=0xcb37791c, fflag=3, cred=0xc073a180, p=0xcb2ca908)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../kern/vnode_if.c:293
#7 0xc020e3ad in vn_close (vp=0xcb37791c, flags=3, cred=0xc073a180, p=0xcb2ca908)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../kern/vfs_vnops.c:229
#8 0xc020eb7a in vn_closefile (fp=0xcb0838bc, p=0xcb2ca908)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../kern/vfs_vnops.c:640
#9 0xc01d86ac in closef (fp=0xcb0838bc, p=0xcb2ca908)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../kern/kern_descrip.c:1112
#10 0xc01d84cd in fdfree (p=0xcb2ca908)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../kern/kern_descrip.c:989
#11 0xc01da323 in exit1 (p=0xcb2ca908, rv=0)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../kern/kern_exit.c:172
#12 0xc01da222 in sys_exit (p=0xcb2ca908, v=0xcb403f80, retval=0xcb403f78)
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../kern/kern_exit.c:128
#13 0xc02a5463 in syscall_plain (frame={tf_gs = 31, tf_fs = 31, tf_es = 31, tf_ds = 31,
tf_edi = 134602408, tf_esi = 0, tf_ebp = -1077946208, tf_ebx = -1, tf_edx = 0,
tf_ecx = 57, tf_eax = 1, tf_trapno = 3, tf_err = 2, tf_eip = 134580267, tf_cs = 23,
tf_eflags = 643, tf_esp = -1077946252, tf_ss = 31, tf_vm86_es = 0, tf_vm86_ds = 0,
tf_vm86_fs = 0, tf_vm86_gs = 0})
at /devel/netbsd/src-1-6-mp/sys/arch/i386/compile/OITO/../../../../arch/i386/i386/syscall.c:142
#14 0xc0100dc9 in syscall1 ()
>How-To-Repeat:
ccdconfig ccd0 0 0 /dev/wd0m
disklabel ccd0:
a: 416320 2000 4.2BSD 0 0 0 # (Cyl. 0*- 204*)
d: 418320 0 4.2BSD 0 0 0 # (Cyl. 0 - 204*)
newfs /dev/ccd0a
mount /dev/ccd0a /mnt
cd /; pax -rw -pe -X . /mnt &
dd if=/dev/zero of=/dev/wd0m bs=512 count=8 seek=100
(may require a couple tries)
>Fix:
The problem seems not to arise if the program writing to the
partition calls fsync() before close().
>Release-Note:
>Audit-Trail:
>Unformatted:
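
The workaround from the >Fix: field, as an added example that is not part of the original report or of NetBSD's code: a C equivalent of the dd command in How-To-Repeat that calls fsync() before close(), so the descriptor is not closed while its writes are still only scheduled. The helper name zero_sectors_synced and the SECTOR constant are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define SECTOR 512 /* matches bs=512 in the report's dd command */

/* Hypothetical helper: zero `count` sectors starting at sector `seek`,
 * then fsync() before close(). Returns 0 on success, -1 on any error. */
int zero_sectors_synced(const char *path, off_t seek, unsigned count)
{
    char buf[SECTOR];
    int fd, rc = -1;

    memset(buf, 0, sizeof buf);
    fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    if (lseek(fd, seek * SECTOR, SEEK_SET) == (off_t)-1)
        goto out;
    for (unsigned i = 0; i < count; i++) {
        size_t done = 0;
        while (done < sizeof buf) {          /* handle short writes */
            ssize_t n = write(fd, buf + done, sizeof buf - done);
            if (n < 0 && errno == EINTR)
                continue;                    /* interrupted, retry */
            if (n <= 0)
                goto out;
            done += (size_t)n;
        }
    }
    /* Block until the scheduled writes have completed; only then close. */
    if (fsync(fd) == 0)
        rc = 0;
out:
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s device\n", argv[0]); return 2; }
    if (zero_sectors_synced(argv[1], 100, 8) != 0) { perror(argv[1]); return 1; }
    return 0;
}
```

This only changes the writing program, as the report suggests; it does not address the vinvalbuf path in the kernel.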