JFS kernel BUG

JFS kernel BUG

[James Spooner]

I've encountered a problem writing large files onto a JFS
filesystem under 2.6.8.1.  As follows.  What is interesting
is that this bug is triggered as the file reaches the 512GB
mark, co-incidence perhaps? :)

mower:~# mount
rootfs on / type rootfs (rw)
/dev/root on / type ext3 (rw)
proc on /proc type proc (rw,nodiratime)
/dev/hda1 on /boot type ext3 (rw)
/dev/md0 on /one type jfs (rw)

mower:~# ls -lh /one
total 512G
-rw-r--r--  1 root root 512G Aug 31 10:25 tmp2

Underlying volume is a RAID0 of 3Ware controllers.

Total volume size is just short of 3TB.

File is being opened using O_DIRECT, bypassing the filesystem
cache.  I've also pulled out Andrew Mortons 2.6.9-rc1-mm1
but to no avail.

Any ideas here?

Cheers

James

BUG() output follows....

BUG at fs/jfs/jfs_xtree.c:1701 assert(p->header.nextindex == ((__u16)(2 +
1)))
------------[ cut here ]------------
kernel BUG at fs/jfs/jfs_xtree.c:1701!
invalid operand: 0000 [#1]
PREEMPT SMP
Modules linked in: jfs af_packet e1000 dm_mod 3w_9xxx parport_pc lp parport
unix
CPU:    0
EIP:    0060:[<f892ee9d>]    Not tainted
EFLAGS: 00010282   (2.6.8.1)
EIP is at xtExtend+0x3f9/0x786 [jfs]
eax: 00000052   ebx: 00000000   ecx: c047ebd4   edx: 00000286
esi: 00000001   edi: 00000000   ebp: dc4bb1c8   esp: f1c0ba8c
ds: 007b   es: 007b   ss: 0068
Process dfwrite (pid: 1701, threadinfo=f1c0a000 task=f1c0c130)
Stack: f8952b1d f8952b0a 000006a5 f894fac0 f1c0baf4 00000001 f895c5d0
00000008
       00000009 00000000 00000000 dc4bb138 dc4bb0e8 00000000 07fffff8
00000000
       00007730 00000000 dc4bb0e8 ed01000a 07fffff8 00000000 08015ff8
00000000
Call Trace:
 [<f89435a8>] extBalloc+0xf6/0x231 [jfs]
 [<c01772b3>] __mark_inode_dirty+0x1df/0x1e4
 [<f89432d1>] extAlloc+0x41d/0x45b [jfs]
 [<f8928344>] jfs_get_blocks+0x2d8/0x356 [jfs]
 [<c014bc90>] find_extend_vma+0x29/0x7e
 [<c0179d28>] get_more_blocks+0x12d/0x157
 [<c017a523>] do_direct_IO+0x351/0x3e8
 [<c0179ad1>] dio_bio_complete+0xb1/0xf2
 [<c017a7ea>] direct_io_worker+0x230/0x5e6
 [<c017ad94>] __blockdev_direct_IO+0x1f4/0x2da
 [<f892806c>] jfs_get_blocks+0x0/0x356 [jfs]
 [<f8928543>] jfs_direct_IO+0x76/0x82 [jfs]
 [<f892806c>] jfs_get_blocks+0x0/0x356 [jfs]
 [<c013c0d4>] generic_file_direct_IO+0x79/0x93
 [<c013bb06>] generic_file_aio_write_nolock+0x85a/0xb29
 [<c023f522>] copy_from_user+0x4a/0x74
 [<c02702c8>] opost+0xd0/0x20b
 [<c0400a73>] skb_to_sgvec+0x208/0x21e
 [<c0272b62>] write_chan+0x176/0x239
 [<c013be49>] generic_file_write_nolock+0x74/0x8c
 [<c013bf59>] generic_file_write+0x56/0x6e
 [<c0153f47>] vfs_write+0xbc/0x127
 [<c023f4c8>] copy_to_user+0x3e/0x4e
 [<c0154083>] sys_write+0x51/0x80
 [<c0105e47>] syscall_call+0x7/0xb
Code: 0f 0b a5 06 0a 2b 95 f8 8b 6c 24 2c 31 db 83 c5 20 0f b6 45


--

James Spooner, BCMS                     email: james@endace.com
Appliance Division                      voice:   +64 7 834 6721
Endace Technology                         fax:   +64 7 858 5095
Hamilton, New Zealand                  mobile:   +64 2 144 7638

Re: JFS kernel BUG

[Dave Kleikamp]

On Mon, 2004-08-30 at 05:35, James Spooner wrote:
> I've encountered a problem writing large files onto a JFS
> filesystem under 2.6.8.1.  As follows.  What is interesting
> is that this bug is triggered as the file reaches the 512GB
> mark, co-incidence perhaps? :)
> 
> BUG at fs/jfs/jfs_xtree.c:1701 assert(p->header.nextindex == ((__u16)(2 +
> 1)))

I've just recently fixed this due to another bug report, but haven't
merged the patch yet.  Can you test it with this patch please?

Thanks,
Shaggy
-- 
David Kleikamp
IBM Linux Technology Center

diff -Nurp linux-2.6.9-rc1-mm1/fs/jfs/jfs_xtree.c linux/fs/jfs/jfs_xtree.c
--- linux-2.6.9-rc1-mm1/fs/jfs/jfs_xtree.c	2004-08-30 09:47:14.245002600 -0500
+++ linux/fs/jfs/jfs_xtree.c	2004-08-30 09:48:29.847509272 -0500
@@ -1622,7 +1622,6 @@ int xtExtend(tid_t tid,		/* transaction 
 	s64 xaddr;
 	struct tlock *tlck;
 	struct xtlock *xtlck = NULL;
-	int rootsplit = 0;
 
 	jfs_info("xtExtend: nxoff:0x%lx nxlen:0x%x", (ulong) xoff, xlen);
 
@@ -1678,8 +1677,6 @@ int xtExtend(tid_t tid,		/* transaction 
 	 * The xtSplitUp() will insert the entry and unpin the leaf page.
 	 */
 	if (nextindex == le16_to_cpu(p->header.maxentry)) {
-		rootsplit = p->header.flag & BT_ROOT;
-
 		/* xtSpliUp() unpins leaf pages */
 		split.mp = mp;
 		split.index = index + 1;
@@ -1691,16 +1688,21 @@ int xtExtend(tid_t tid,		/* transaction 
 		if ((rc = xtSplitUp(tid, ip, &split, &btstack)))
 			return rc;
 
+		/* get back old page */
+		XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
+		if (rc)
+			return rc;
 		/*
 		 * if leaf root has been split, original root has been
 		 * copied to new child page, i.e., original entry now
 		 * resides on the new child page;
 		 */
-		if (rootsplit) {
+		if (p->header.flag & BT_INTERNAL) {
 			ASSERT(p->header.nextindex ==
 			       cpu_to_le16(XTENTRYSTART + 1));
 			xad = &p->xad[XTENTRYSTART];
 			bn = addressXAD(xad);
+			XT_PUTPAGE(mp);
 
 			/* get new child page */
 			XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
@@ -1712,11 +1714,6 @@ int xtExtend(tid_t tid,		/* transaction 
 				tlck = txLock(tid, ip, mp, tlckXTREE|tlckGROW);
 				xtlck = (struct xtlock *) & tlck->lock;
 			}
-		} else {
-			/* get back old page */
-			XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
-			if (rc)
-				return rc;
 		}
 	}
 	/*
@@ -1790,7 +1787,6 @@ int xtTailgate(tid_t tid,		/* transactio
 	struct xtlock *xtlck = 0;
 	struct tlock *mtlck;
 	struct maplock *pxdlock;
-	int rootsplit = 0;
 
 /*
 printf("xtTailgate: nxoff:0x%lx nxlen:0x%x nxaddr:0x%lx\n",
@@ -1848,8 +1844,6 @@ printf("xtTailgate: xoff:0x%lx xlen:0x%x
 	 * The xtSplitUp() will insert the entry and unpin the leaf page.
 	 */
 	if (nextindex == le16_to_cpu(p->header.maxentry)) {
-		rootsplit = p->header.flag & BT_ROOT;
-
 		/* xtSpliUp() unpins leaf pages */
 		split.mp = mp;
 		split.index = index + 1;
@@ -1861,16 +1855,21 @@ printf("xtTailgate: xoff:0x%lx xlen:0x%x
 		if ((rc = xtSplitUp(tid, ip, &split, &btstack)))
 			return rc;
 
+		/* get back old page */
+		XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
+		if (rc)
+			return rc;
 		/*
 		 * if leaf root has been split, original root has been
 		 * copied to new child page, i.e., original entry now
 		 * resides on the new child page;
 		 */
-		if (rootsplit) {
+		if (p->header.flag & BT_INTERNAL) {
 			ASSERT(p->header.nextindex ==
 			       cpu_to_le16(XTENTRYSTART + 1));
 			xad = &p->xad[XTENTRYSTART];
 			bn = addressXAD(xad);
+			XT_PUTPAGE(mp);
 
 			/* get new child page */
 			XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
@@ -1882,11 +1881,6 @@ printf("xtTailgate: xoff:0x%lx xlen:0x%x
 				tlck = txLock(tid, ip, mp, tlckXTREE|tlckGROW);
 				xtlck = (struct xtlock *) & tlck->lock;
 			}
-		} else {
-			/* get back old page */
-			XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
-			if (rc)
-				return rc;
 		}
 	}
 	/*
@@ -1976,7 +1970,7 @@ int xtUpdate(tid_t tid, struct inode *ip
 	s64 nxaddr, xaddr;
 	struct tlock *tlck;
 	struct xtlock *xtlck = NULL;
-	int rootsplit = 0, newpage = 0;
+	int newpage = 0;
 
 	/* there must exist extent to be tailgated */
 	nxoff = offsetXAD(nxad);
@@ -2183,7 +2177,6 @@ int xtUpdate(tid_t tid, struct inode *ip
 
 	/* insert nXAD:recorded */
 	if (nextindex == le16_to_cpu(p->header.maxentry)) {
-		rootsplit = p->header.flag & BT_ROOT;
 
 		/* xtSpliUp() unpins leaf pages */
 		split.mp = mp;
@@ -2196,16 +2189,21 @@ int xtUpdate(tid_t tid, struct inode *ip
 		if ((rc = xtSplitUp(tid, ip, &split, &btstack)))
 			return rc;
 
+		/* get back old page */
+		XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
+		if (rc)
+			return rc;
 		/*
 		 * if leaf root has been split, original root has been
 		 * copied to new child page, i.e., original entry now
 		 * resides on the new child page;
 		 */
-		if (rootsplit) {
+		if (p->header.flag & BT_INTERNAL) {
 			ASSERT(p->header.nextindex ==
 			       cpu_to_le16(XTENTRYSTART + 1));
 			xad = &p->xad[XTENTRYSTART];
 			bn = addressXAD(xad);
+			XT_PUTPAGE(mp);
 
 			/* get new child page */
 			XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
@@ -2218,11 +2216,6 @@ int xtUpdate(tid_t tid, struct inode *ip
 				xtlck = (struct xtlock *) & tlck->lock;
 			}
 		} else {
-			/* get back old page */
-			XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
-			if (rc)
-				return rc;
-
 			/* is nXAD on new page ? */
 			if (newindex >
 			    (le16_to_cpu(p->header.maxentry) >> 1)) {
@@ -2336,8 +2329,6 @@ int xtUpdate(tid_t tid, struct inode *ip
 	xlen = xlen - nxlen;
 	xaddr = xaddr + nxlen;
 	if (nextindex == le16_to_cpu(p->header.maxentry)) {
-		rootsplit = p->header.flag & BT_ROOT;
-
 /*
 printf("xtUpdate.updateLeft.split p:0x%p\n", p);
 */
@@ -2352,16 +2343,22 @@ printf("xtUpdate.updateLeft.split p:0x%p
 		if ((rc = xtSplitUp(tid, ip, &split, &btstack)))
 			return rc;
 
+		/* get back old page */
+		XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
+		if (rc)
+			return rc;
+
 		/*
 		 * if leaf root has been split, original root has been
 		 * copied to new child page, i.e., original entry now
 		 * resides on the new child page;
 		 */
-		if (rootsplit) {
+		if (p->header.flag & BT_INTERNAL) {
 			ASSERT(p->header.nextindex ==
 			       cpu_to_le16(XTENTRYSTART + 1));
 			xad = &p->xad[XTENTRYSTART];
 			bn = addressXAD(xad);
+			XT_PUTPAGE(mp);
 
 			/* get new child page */
 			XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
@@ -2373,11 +2370,6 @@ printf("xtUpdate.updateLeft.split p:0x%p
 				tlck = txLock(tid, ip, mp, tlckXTREE|tlckGROW);
 				xtlck = (struct xtlock *) & tlck->lock;
 			}
-		} else {
-			/* get back old page */
-			XT_GETPAGE(ip, bn, mp, PSIZE, p, rc);
-			if (rc)
-				return rc;
 		}
 	} else {
 		/* if insert into middle, shift right remaining entries */