[8898] in Athena Bugs
talos crash
daemon@ATHENA.MIT.EDU (John Carr)
Thu Jan 30 02:36:07 1992
To: op@Athena.MIT.EDU, bugs@Athena.MIT.EDU
Date: Thu, 30 Jan 92 02:35:49 EST
From: John Carr <jfc@Athena.MIT.EDU>
talos crashed last night with "panic: irele". I looked at the crash dump.
Someone was rmm-ing a mail message. The rename of 301 to .#301 failed with
error EDQUOT (disk quota exceeded). On return ufs_rename() called irele()
to drop the reference count on the file inode, but the inode was locked so
the kernel crashed. I looked at the UFS kernel code for a while, but didn't
find any obvious problems.
The only way I can think of that this could happen is if two processes were
trying to rename the same file (possibly due to an NFS retransmit), one
process unlocked the inode and went to sleep (possibly due to writing back
the updated directory), another process locked the inode and went to sleep,
and the first process woke up assuming the inode was still unlocked.
Adding this code to the end of ufs_inode.c:ufs_rename() (after the "out"
label) will either fix the bug or make the nfsd's hang instead of crashing
depending on whether the previous paragraph is a correct analysis:
/* If another process has this inode locked, wait for it
to be free. */
while (sip->i_flag & ILOCKED) {
printf("ufs_rename sleeping on locked inode %x\n", sip);
sip->i_flag |= IWANT;
sleep((caddr_t)sid, PINOD);
}
