kern/98064: Crash with FIFOs (named pipes) and truncate()

Maxim Konovalov maxim at macomnet.ru
Mon May 29 08:40:45 PDT 2006 

The following reply was made to PR kern/98064; it has been noted by GNATS.

From: Maxim Konovalov <maxim at macomnet.ru>
To: Bruce Evans <bde at zeta.org.au>
Cc: bug-followup at FreeBSD.org
Subject: Re: kern/98064: Crash with FIFOs (named pipes) and truncate()
Date: Mon, 29 May 2006 19:33:16 +0400 (MSD)

 On Tue, 30 May 2006, 00:04+1000, Bruce Evans wrote:
 
 > On Mon, 29 May 2006, Maxim Konovalov wrote:
 >
 > > >  I have used used the following fixes in this area for many years.  They
 > > >  make truncate() on a fifo and some other file types always succeed
 > > >  instead of wandering off into UFS_TRUNCATE() (which is always (?)
 > > >  ffs_truncate()) and tending to cause panics there.
 > > [...]
 > >
 > > Why doesn't RELENG_4 suffer from this?  The code of ufs_setattr() is
 > > very similar there.
 >
 > Hmm, my fixes are for ~5.2 and they may be unnecessary there too.  I don't
 > remember noticing this particular problem.  Perhaps some changes in -current
 > resulted in ffs_update() doing more and happening to do something bad.
 > Unfortunately, the PR doesn't contain much debugging info so it isn't
 > clear that the problem is in ffs_update().
 
 Here is a backtrace:
 
 Unread portion of the kernel message buffer:
 No strategy for buffer at 0xcc6a8b70
 vnode
 0xc2c6c514: tag ufs, type VFIFO
     usecount 1, writecount 0, refcount 2 mountedhere 0
     flags ()
      lock type ufs: EXCL (count 1) by thread 0xc28ca6c0 (pid 1039)
 	ino 141854, on dev ad0s1e
 
 Fatal trap 12: page fault while in kernel mode
 fault virtual address	= 0xc
 fault code		= supervisor read, page not present
 instruction pointer	= 0x20:0xc047cf95
 stack pointer	        = 0x28:0xd565f798
 frame pointer	        = 0x28:0xd565f798
 code segment		= base 0x0, limit 0xfffff, type 0x1b
 			= DPL 0, pres 1, def32 1, gran 1
 processor eflags	= interrupt enabled, resume, IOPL = 0
 current process		= 1039 (q)
 panic: from debugger
 Uptime: 31s
 Physical memory: 494 MB
 Dumping 48 MB: 33 17 1
 
 #0  doadump () at pcpu.h:166
 166		__asm __volatile("movl %%fs:0,%0" : "=r" (td));
 gdb% bt
 #0  doadump () at pcpu.h:166
 #1  0xc04b4de4 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:409
 #2  0xc04b508f in panic (fmt=0xc05e237c "from debugger")
     at /usr/src/sys/kern/kern_shutdown.c:565
 #3  0xc0444f25 in db_panic (addr=-1069035627, have_addr=0, count=-1,
     modif=0xd565f578 "") at /usr/src/sys/ddb/db_command.c:426
 #4  0xc0444ebc in db_command (last_cmdp=0xc0640704, cmd_table=0x0)
     at /usr/src/sys/ddb/db_command.c:395
 #5  0xc0444f7a in db_command_loop () at /usr/src/sys/ddb/db_command.c:446
 #6  0xc0446b91 in db_trap (type=12, code=0) at /usr/src/sys/ddb/db_main.c:221
 #7  0xc04cfb35 in kdb_trap (type=12, code=0, tf=0x0)
     at /usr/src/sys/kern/subr_kdb.c:481
 #8  0xc05bfa14 in trap_fatal (frame=0xd565f758, eva=12)
     at /usr/src/sys/i386/i386/trap.c:861
 #9  0xc05bf77f in trap_pfault (frame=0xd565f758, usermode=0, eva=12)
     at /usr/src/sys/i386/i386/trap.c:778
 #10 0xc05bf3bd in trap (frame=
       {tf_fs = -1027211256, tf_es = 65576, tf_ds = -714801112, tf_edi = 67584, tf_esi = -1027160812, tf_ebp = -714737768, tf_isp = -714737788, tf_ebx = -1027336392, tf_edx = 0, tf_ecx = -1056878592, tf_eax = 0, tf_trapno = 12, tf_err = 0, tf_eip = -1069035627, tf_cs = 32, tf_eflags = 590406, tf_esp = -714737748, tf_ss = -1068030820}) at /usr/src/sys/i386/i386/trap.c:463
 #11 0xc05b035a in calltrap () at /usr/src/sys/i386/i386/exception.s:138
 ---Type <return> to continue, or q <return> to quit---
 #12 0xc047cf95 in fifo_printinfo (vp=0x0)
     at /usr/src/sys/fs/fifofs/fifo_vnops.c:448
 #13 0xc057249c in ufs_print (ap=0x0) at /usr/src/sys/ufs/ufs/ufs_vnops.c:1965
 #14 0xc05d1c70 in VOP_PRINT_APV (vop=0x0, a=0xd565f7cc) at vnode_if.c:1899
 #15 0xc050cafa in vn_printf (vp=0xc2c6c514, fmt=0xc05e2816 "%s\n")
     at vnode_if.h:971
 #16 0xc0502a4e in vop_nostrategy (ap=0xd565f8a8)
     at /usr/src/sys/kern/vfs_default.c:195
 #17 0xc05d1b05 in VOP_STRATEGY_APV (vop=0xc062a280, a=0xd565f8a8)
     at vnode_if.c:1797
 #18 0xc0568920 in ffsext_strategy (ap=0xd565f8a8)
     at /usr/src/sys/ufs/ffs/ffs_vnops.c:1291
 #19 0xc05d1b05 in VOP_STRATEGY_APV (vop=0xc0631520, a=0xd565f8a8)
     at vnode_if.c:1797
 #20 0xc04ff6fd in bufstrategy (bo=0x0, bp=0xcc6a8b70) at vnode_if.h:928
 #21 0xc04fa81e in bufwrite (bp=0xcc6a8b70) at buf.h:419
 #22 0xc04fae51 in bawrite (bp=0x0) at buf.h:405
 #23 0xc0552581 in ffs_truncate (vp=0xc2c6c514, length=16000, flags=67584,
     cred=0xc2be3e80, td=0xc28ca6c0) at /usr/src/sys/ufs/ffs/ffs_inode.c:304
 #24 0xc056ffe9 in ufs_setattr (ap=0x0) at /usr/src/sys/ufs/ufs/ufs_vnops.c:532
 #25 0xc05d0ae6 in VOP_SETATTR_APV (vop=0x0, a=0xd565fb3c) at vnode_if.c:586
 #26 0xc0513195 in kern_truncate (td=0xc28ca6c0, path=0x0,
     pathseg=UIO_USERSPACE, length=16000) at vnode_if.h:314
 ---Type <return> to continue, or q <return> to quit---
 #27 0xc0512fac in truncate (td=0xc28ca6c0, uap=0x0)
     at /usr/src/sys/kern/vfs_syscalls.c:3018
 #28 0xc05bfd2a in syscall (frame=
       {tf_fs = 59, tf_es = 59, tf_ds = 59, tf_edi = -1077941208, tf_esi = -1077941216, tf_ebp = -1077941336, tf_isp = -714736284, tf_ebx = 672492728, tf_edx = 16, tf_ecx = 2, tf_eax = 198, tf_trapno = 12, tf_err = 2, tf_eip = 672423415, tf_cs = 51, tf_eflags = 534, tf_esp = -1077941380, tf_ss = 59})
     at /usr/src/sys/i386/i386/trap.c:1016
 #29 0xc05b03af in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:191
 #30 0x00000033 in ?? ()
 Previous frame inner to this frame (corrupt stack?)
 gdb%
 
 -- 
 Maxim Konovalov

More information about the freebsd-bugs mailing list