Bug 175557

Summary: [smbfs] [panic] kernel panic in smbfs.ko while accessing windows share
Product: Base System
Reporter: Wen <senoutouya>
Component: kern
Assignee: Andrey V. Elsukov <ae>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description Wen 2013-01-25 10:00:00 UTC
root@h7bsd:/root # kgdb
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
#0  sched_switch (td=0xc117b5d0, newtd=0xc4d9d5c0, flags=260) at /usr/src/sys/kern/sched_ule.c:1927
1927                    cpuid = PCPU_GET(cpuid);
(kgdb) core /var/crash/vmcore.1 

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x14
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0b024bf
stack pointer           = 0x28:0xd9784b30
frame pointer           = 0x28:0xd9784b4c
code segment            = base rx0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 1032 (smbiod0)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xc0af3aff at kdb_backtrace+0x4f
#1 0xc0ac052f at panic+0x16f
#2 0xc0e25013 at trap_fatal+0x323
#3 0xc0e25087 at trap_pfault+0x67
#4 0xc0e2608a at trap+0x44a
#5 0xc0e0f66c at calltrap+0x6
#6 0xc0aae309 at _mtx_unlock_sleep+0x59
#7 0xc0aaea73 at _mtx_unlock_flags+0x53
#8 0xc7ae8b63 at smb_iod_invrq+0xd3
#9 0xc7ae9d27 at smb_iod_addrq+0x237
#10 0xc7ae61e5 at smb_rq_enqueue+0xf5
#11 0xc7ae6625 at smb_rq_simple+0x25
#12 0xc7ae4cf5 at smb_smb_ssnsetup+0x1c5
#13 0xc7ae8cc4 at smb_iod_connect+0x114
#14 0xc7ae9781 at smb_iod_thread+0x1e1
#15 0xc0a90526 at fork_exit+0x96
#16 0xc0e0f6e4 at fork_trampoline+0x8
Uptime: 3m24s
Physical memory: 1007 MB
Dumping 99 MB: 84 68 52 36 20 4

Reading symbols from /boot/kernel/smbfs.ko...Reading symbols from /boot/kernel/smbfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smbfs.ko
Reading symbols from /boot/kernel/libiconv.ko...Reading symbols from /boot/kernel/libiconv.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/libiconv.ko
Reading symbols from /boot/kernel/libmchain.ko...Reading symbols from /boot/kernel/libmchain.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/libmchain.ko
#0  doadump (textdump=1) at pcpu.h:244
244     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:244
#1  0xc0ac027f in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:448
#2  0xc0ac0572 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:636
#3  0xc0e25013 in trap_fatal (frame=0xd9784af0, eva=20) at /usr/src/sys/i386/i386/trap.c:1018
#4  0xc0e25087 in trap_pfault (frame=0xd9784af0, usermode=0, eva=20) at /usr/src/sys/i386/i386/trap.c:833
#5  0xc0e2608a in trap (frame=0xd9784af0) at /usr/src/sys/i386/i386/trap.c:545
#6  0xc0e0f66c in calltrap () at /usr/src/sys/i386/i386/exception.s:169
#7  0xc0b024bf in turnstile_broadcast (ts=0x0, queue=0) at /usr/src/sys/kern/subr_turnstile.c:838
#8  0xc0aae309 in _mtx_unlock_sleep (m=0xc79dd294, opts=0, file=0xc7af58d6 "/usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c", line=91) at /usr/src/sys/kern/kern_mutex.c:715
#9  0xc0aaea73 in _mtx_unlock_flags (m=0xc79dd294, opts=0, file=0xc7af58d6 "/usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c", line=91) at /usr/src/sys/kern/kern_mutex.c:238
#10 0xc7ae8b63 in smb_iod_invrq (iod=Variable "iod" is not available.
) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:91
#11 0xc7ae9d27 in smb_iod_addrq (rqp=0xc79dd200) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:418
#12 0xc7ae61e5 in smb_rq_enqueue (rqp=0xc79dd200) at /usr/src/sys/modules/smbfs/../../netsmb/smb_rq.c:187
#13 0xc7ae6625 in smb_rq_simple (rqp=0xc79dd200) at /usr/src/sys/modules/smbfs/../../netsmb/smb_rq.c:168
#14 0xc7ae4cf5 in smb_smb_ssnsetup (vcp=0xc75ddc00, scred=0xc7579ac0) at /usr/src/sys/modules/smbfs/../../netsmb/smb_smb.c:423
#15 0xc7ae8cc4 in smb_iod_connect (iod=0xc7579a80) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:160
#16 0xc7ae9781 in smb_iod_thread (arg=0xc7579a80) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:609
#17 0xc0a90526 in fork_exit (callout=0xc7ae95a0 <smb_iod_thread>, arg=0xc7579a80, frame=0xd9784d08) at /usr/src/sys/kern/kern_fork.c:992
#18 0xc0e0f6e4 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:276

--------------------------------------------------------------------------------
The kernel panic happens after I do concurrent file operations (gmake -j4) in the mounted dir.
However, it doesn't crash when accessing Windows shares on machines other than the VM host.

How-To-Repeat: 1. Set up a virtual machine in VMware.
2. Install FreeBSD 8.2/9.1 on the VM.
3. Share a folder on the Windows host.
4. mount -t smbfs //USER@WINDOWSHOST/SHARE /mnt
5. cd /mnt/
6. Make some concurrent file operations (e.g. gmake -j4).
7. First it will complain 'Bad file descriptor', 'No space left on device' or 'Operation Timed Out'.
8. Repeat step 6 several times, then it crashes.
Comment 1 Wen 2013-01-25 12:52:55 UTC
Crash is found with VM host:
Windows 7 Ultimate, 64-bit 6.1.7601, Service Pack 1 + VMware Workstation 9
Windows 7 Ultimate, 64-bit 6.1.7601, Service Pack 1 + VMware Workstation 8

Crash is not found with VM host:
Windows Server 2003 SP2 Enterprise x64 + VMware Workstation 7
Windows Server 2008 R2 x64 + VMware Workstation 9

All of them access a Windows share on their own host OS.
Comment 2 Mark Linimon freebsd_committer freebsd_triage 2013-01-26 07:53:53 UTC
Responsible Changed
From-To: freebsd-ports-bugs->freebsd-bugs

reclassify.
Comment 3 dfilter service freebsd_committer freebsd_triage 2014-04-17 13:22:12 UTC
Author: ae
Date: Thu Apr 17 12:22:08 2014
New Revision: 264600
URL: http://svnweb.freebsd.org/changeset/base/264600

Log:
  Remove redundant unlock.
  
  This code was removed from the OpenSolaris and Darwin
  netsmb implementations; in DfBSD it has also been disabled.
  
  PR:		36566, 87859, 139407, 161579, 175557, 178412, 186652
  MFC after:	2 weeks
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netsmb/smb_iod.c

Modified: head/sys/netsmb/smb_iod.c
==============================================================================
--- head/sys/netsmb/smb_iod.c	Thu Apr 17 12:16:51 2014	(r264599)
+++ head/sys/netsmb/smb_iod.c	Thu Apr 17 12:22:08 2014	(r264600)
@@ -87,8 +87,6 @@ smb_iod_invrq(struct smbiod *iod)
 	 */
 	SMB_IOD_RQLOCK(iod);
 	TAILQ_FOREACH(rqp, &iod->iod_rqlist, sr_link) {
-		if (rqp->sr_flags & SMBR_INTERNAL)
-			SMBRQ_SUNLOCK(rqp);
 		rqp->sr_flags |= SMBR_RESTART;
 		smb_iod_rqprocessed(rqp, ENOTCONN);
 	}
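Review bot: the removed `SMBRQ_SUNLOCK(rqp)` is line 91 of smb_iod.c, which is exactly the frame the reporter's backtrace blames (frame #10 smb_iod_invrq at smb_iod.c:91 → _mtx_unlock_flags → _mtx_unlock_sleep → turnstile_broadcast with ts=0x0), so the loop was releasing a request lock that the iod thread did not hold and dropping the unlock addresses this panic directly. Since the log only says "redundant", a one-line comment above the `TAILQ_FOREACH` stating that `smb_iod_invrq()` runs without holding any request's `sr_lock` would keep the next reader from adding it back; an INVARIANTS-only `mtx_assert(..., MA_NOTOWNED)` on the request lock inside the loop would turn a reintroduced release into an assertion message instead of a page fault in the turnstile code.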
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 4 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-05-02 22:45:05 UTC
State Changed
From-To: open->closed

Fixed in head/ and stable/10. 


Comment 5 Andrey V. Elsukov freebsd_committer freebsd_triage 2014-05-02 22:45:05 UTC
Responsible Changed
From-To: freebsd-bugs->ae

Take it.