Context Navigation

#15912 closed bug (fixed)

file_cache / vfs_read_pages / do_iterative_fd_io create invalidly sized I/O requests

Reported by:	waddlesplash	Owned by:	nobody
Priority:	blocker	Milestone:	R1/beta2
Component:	System/Kernel	Version:	R1/Development
Keywords:		Cc:
Blocked By:		Blocking:
Platform:	All

Description

I happened to discover this while working on the NVMe driver. I had added an assert to the end of the I/O path that the transferred size was equal to the request length, which originally tripped because I wasn't fulfilling all of requests. And then it started tripping after I had... until I added this assert at the top of the IO hook:

ASSERT(request->Buffer()->VecAt(0).length <= request->Length());

And, well, what do you know:

PANIC: ASSERT FAILED (../src/add-ons/kernel/drivers/disk/nvme/nvme_disk.cpp:661): request->Buffer()->VecAt(0).length <= request->Length()
Welcome to Kernel Debugging Land...
Thread 276 "launch_daemon" running on CPU 0
stack trace for thread 276 "launch_daemon"
    kernel stack: 0xffffffff818ce000 to 0xffffffff818d3000
      user stack: 0x00007f986d832000 to 0x00007f986e832000
frame                       caller             <image>:function + offset
 0 ffffffff818d1f98 (+  24) ffffffff8014e44c   <kernel_x86_64> arch_debug_call_with_fault_handler + 0x16
 1 ffffffff818d1fb0 (+  80) ffffffff800ad6d8   <kernel_x86_64> debug_call_with_fault_handler + 0x88
 2 ffffffff818d2000 (+  96) ffffffff800af061   <kernel_x86_64> kernel_debugger_loop(char const*, char const*, __va_list_tag*, int) + 0xf1
 3 ffffffff818d2060 (+  80) ffffffff800af35e   <kernel_x86_64> kernel_debugger_internal(char const*, char const*, __va_list_tag*, int) + 0x6e
 4 ffffffff818d20b0 (+ 240) ffffffff800af6c7   <kernel_x86_64> panic + 0xb7
 5 ffffffff818d21a0 (+ 416) ffffffff81519ec1   <nvme_disk> nvme_disk_io(void*, IORequest*) + 0x8f1
 6 ffffffff818d2340 (+  80) ffffffff800cf475   <kernel_x86_64> devfs_io(fs_volume*, fs_vnode*, void*, IORequest*) + 0xb5
 7 ffffffff818d2390 (+  80) ffffffff8010f7d6   <kernel_x86_64> vfs_vnode_io + 0x36
 8 ffffffff818d23e0 (+ 240) ffffffff8010fa62   <kernel_x86_64> do_iterative_fd_io_iterate(void*, IORequest*, bool*) + 0x232
 9 ffffffff818d24d0 (+  96) ffffffff8010fe52   <kernel_x86_64> do_iterative_fd_io + 0xe2
10 ffffffff818d2530 (+  80) ffffffff8010f7d6   <kernel_x86_64> vfs_vnode_io + 0x36
11 ffffffff818d2580 (+ 368) ffffffff8010ffb6   <kernel_x86_64> vfs_read_pages + 0x96
12 ffffffff818d26f0 (+  80) ffffffff80052ace   <kernel_x86_64> file_cache_read + 0x8e
13 ffffffff818d2740 (+  80) ffffffff800f17ba   <kernel_x86_64> _kern_read + 0xba
14 ffffffff818d2790 (+  32) ffffffff8016be9f   <kernel_x86_64> pread + 0x1f
15 ffffffff818d27b0 (+  16) ffffffff815a97f8   <packagefs> _ZN5BFdIO6ReadAtElPvm.localalias.6 + 0x18
16 ffffffff818d27c0 (+  80) ffffffff8016ed13   <kernel_x86_64> BPositionIO::ReadAtExactly(long, void*, unsigned long, unsigned long*) + 0x53
17 ffffffff818d2810 (+  64) ffffffff815a55dd   <packagefs> _ZN11BPackageKit5BHPKG8BPrivate27PackageFileHeapAccessorBase12ReadFileDataEmPvm.localalias.0 + 0x2d
18 ffffffff818d2850 (+  64) ffffffff815a5660   <packagefs> BPackageKit::BHPKG::BPrivate::PackageFileHeapAccessorBase::ReadAndDecompressChunkData(unsigned long, unsigned long, unsigned long, void*, void*) + 0x30
19 ffffffff818d2890 (+  96) ffffffff815a504e   <packagefs> _ZN11BPackageKit5BHPKG8BPrivate27PackageFileHeapAccessorBase16ReadDataToOutputElmP7BDataIO.localalias.4 + 0xde
20 ffffffff818d28f0 (+ 112) ffffffff81586777   <packagefs> _ZN16CachedDataReader14_ReadIntoPagesEPP7vm_pagemm.localalias.2 + 0x77
21 ffffffff818d2960 (+ 464) ffffffff81587664   <packagefs> _ZN16CachedDataReader14_ReadCacheLineElmlmP7BDataIO.localalias.6 + 0x654
22 ffffffff818d2b30 (+  64) ffffffff81587a53   <packagefs> _ZN16CachedDataReader16ReadDataToOutputElmP7BDataIO.localalias.9 + 0x83
23 ffffffff818d2b70 (+ 112) ffffffff81591120   <packagefs> _ZN11PackageFile4ReadEP9IORequest.localalias.7 + 0xc0
24 ffffffff818d2be0 (+  32) ffffffff81589776   <packagefs> packagefs_io(fs_volume*, fs_vnode*, void*, IORequest*) + 0x26
25 ffffffff818d2c00 (+  80) ffffffff8010f7d6   <kernel_x86_64> vfs_vnode_io + 0x36
26 ffffffff818d2c50 (+  32) ffffffff80052149   <kernel_x86_64> PrecacheIO::ReadAsync() + 0x29
27 ffffffff818d2c70 (+  96) ffffffff8005234e   <kernel_x86_64> cache_prefetch_vnode + 0x1fe
28 ffffffff818d2cd0 (+ 384) ffffffff8013456a   <kernel_x86_64> _vm_map_file(int, char const*, void**, unsigned int, unsigned long, unsigned int, unsigned int, bool, int, long, bool) + 0x56a
29 ffffffff818d2e50 (+ 176) ffffffff80137aec   <kernel_x86_64> _user_map_file + 0x10c
30 ffffffff818d2f00 (+  48) ffffffff8014ffa4   <kernel_x86_64> x86_64_syscall_entry + 0xfe
user iframe at 0xffffffff818d2f30 (end = 0xffffffff818d2ff8)
 rax 0xcc                  rbx 0x0                   rcx 0x1a7e3c563e4
 rdx 0x1                   rsi 0x7f986e830358        rdi 0x7f986e830360
 rbp 0x7f986e8303b0         r8 0x1003                 r9 0x1
 r10 0x1880000             r11 0x3206                r12 0x8ef4ecbc8
 r13 0x7f986e830360        r14 0x0                   r15 0x8ef4ecbc8
 rip 0x1a7e3c563e4         rsp 0x7f986e8302f8     rflags 0x3206
 vector: 0x63, error code: 0x0
31 ffffffff818d2f30 (+140294787290240) 000001a7e3c563e4   </boot/system/runtime_loader@0x000001a7e3c3e000> <unknown> + 0x183e4
32 00007f986e8303b0 (+5376) 000001a7e3c4bcb3   </boot/system/runtime_loader@0x000001a7e3c3e000> <unknown> + 0xdcb3
33 00007f986e8318b0 (+ 112) 000001a7e3c496a9   </boot/system/runtime_loader@0x000001a7e3c3e000> <unknown> + 0xb6a9
34 00007f986e831920 (+ 128) 000001a7e3c49b3a   </boot/system/runtime_loader@0x000001a7e3c3e000> <unknown> + 0xbb3a
35 00007f986e8319a0 (+  48) 000001a7e3c52463   </boot/system/runtime_loader@0x000001a7e3c3e000> <unknown> + 0x14463
36 00007f986e8319d0 (+   0) 00007f645921b260   <commpage> commpage_thread_exit + 0x00
kdebug> io_request 0xffffffff82021a00
io_request at 0xffffffff82021a00
  owner:             0x0000000000000000
  parent:            0xffffffff818d25a0
  status:            No Error (1)
  mutex:             0xffffffff82021a38
  IOBuffer:          0xffffffff8206ae40
  offset:            201245565
  length:            38019
  transfer size:     0
  relative offset:   0
  pending children:  0
  flags:             0x0
  team:              276
  thread:            276
  r/w:               read
  partial transfer:  no
  finished cvar:     0xffffffff82021ad0
  iteration:
    vec index:       0
    vec offset:      0
    remaining bytes: 38019
  callbacks:
    finished 0x0000000000000000, cookie 0x0000000000000000
    iteration 0x0000000000000000, cookie 0x0000000000000000
  children:
kdebug> io_
  io_buffer         io_context        io_operation      io_request      
  io_request_owner  io_scheduler    
kdebug> io_buffer 0xffffffff8206ae40
IOBuffer at 0xffffffff8206ae40
  origin:     kernel
  kind:       virtual
  length:     38019
  capacity:   1
  vecs:       1
    [0] 0xffffffff80860000, 53526
kdebug>

Change History (5)

comment:1 by waddlesplash, 4 years ago

Milestone:	Unscheduled → R1/beta2

comment:2 by waddlesplash, 4 years ago

Blocking:	15902 added

comment:3 by waddlesplash, 4 years ago

Posted https://review.haiku-os.org/c/haiku/+/2523 which will catch this at a higher level, in IORequest itself.

comment:4 by waddlesplash, 4 years ago

Resolution:	→ fixed
Status:	new → closed

Fixed in hrev54101.

comment:5 by waddlesplash, 4 years ago

Blocking:	15902 removed

Note: See TracTickets for help on using tickets.

Download in other formats: