I'm mounting an smb share of a Windows Server 2008R2 share using:

    mount_smbfs ${OPTIONS} -N -I ${HOST} //${USER}@${NBTHOST}/${SHARE} ${MNTPOINT}

OPTIONS are e.g. noexec,nosuid,noatime,rw

When the Windows Server becomes unavailable or even when I restart the server and I then unmount the smb share, the kernel panics.

    [helmut@BSDHelmut /usr/obj/usr/src/sys/GENERIC-QUOTA-PF-ALTQ]$ sudo kgdb kernel.debug /var/crash/vmcore.0
    GNU gdb 6.1.1 [FreeBSD]
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "amd64-marcel-freebsd"...

    Unread portion of the kernel message buffer:
    kernel trap 12 with interrupts disabled

    Fatal trap 12: page fault while in kernel mode
    cpuid = 0; apic id = 00
    fault virtual address   = 0x20
    fault code              = supervisor read data, page not present
    instruction pointer     = 0x20:0xffffffff808b41a8
    stack pointer           = 0x28:0xffffff807be52a60
    frame pointer           = 0x28:0xffffff807be52a90
    code segment            = base rx0, limit 0xfffff, type 0x1b
                            = DPL 0, pres 1, long 1, def32 0, gran 1
    processor eflags        = resume, IOPL = 0
    current process         = 1887 (smbiod1)
    trap number             = 12
    panic: page fault
    cpuid = 0
    KDB: stack backtrace:
    #0 0xffffffff808a57ae at kdb_backtrace+0x5e
    #1 0xffffffff80870367 at panic+0x187
    #2 0xffffffff80b56920 at trap_fatal+0x290
    #3 0xffffffff80b56fd7 at trap+0x287
    #4 0xffffffff80b415cf at calltrap+0x8
    #5 0xffffffff80860400 at _mtx_unlock_sleep+0x50
    #6 0xffffffff8163150c at smb_iod_invrq+0xbc
    #7 0xffffffff81632621 at smb_iod_addrq+0x211
    #8 0xffffffff8162efd9 at smb_rq_simple+0x39
    #9 0xffffffff8162d70d at smb_smb_ssnclose+0xbd
    #10 0xffffffff8163220d at smb_iod_thread+0x2fd
    #11 0xffffffff80843edf at fork_exit+0x11f
    #12 0xffffffff80b41afe at fork_trampoline+0xe
    Uptime: 1h27m34s
    Dumping 405 out of 2029 MB:..4%..12%..24%..32%..44%..52%..64%..72%..83%..91%Attempt to write outside dump device boundaries.
    offset(4295016960), mediaoffset(2147566592), length(57344), mediasize(2147483648).
    Dump map grown while dumping. Retrying...
    Dumping 405 out of 2029 MB:

    Reading symbols from /boot/kernel/geom_mirror.ko...Reading symbols from /boot/kernel/geom_mirror.ko.symbols...done.
    done.
    Loaded symbols for /boot/kernel/geom_mirror.ko
    Reading symbols from /boot/kernel/tmpfs.ko...Reading symbols from /boot/kernel/tmpfs.ko.symbols...done.
    done.
    Loaded symbols for /boot/kernel/tmpfs.ko
    Reading symbols from /usr/local/lib/vmware-tools/modules/drivers/vmmemctl.ko...done.
    Loaded symbols for /usr/local/lib/vmware-tools/modules/drivers/vmmemctl.ko
    Reading symbols from /usr/local/lib/vmware-tools/modules/drivers/vmxnet.ko...done.
    Loaded symbols for /usr/local/lib/vmware-tools/modules/drivers/vmxnet.ko
    Reading symbols from /usr/local/lib/vmware-tools/modules/drivers/vmblock.ko...done.
    Loaded symbols for /usr/local/lib/vmware-tools/modules/drivers/vmblock.ko
    Reading symbols from /usr/local/lib/vmware-tools/modules/drivers/vmhgfs.ko...done.
    Loaded symbols for /usr/local/lib/vmware-tools/modules/drivers/vmhgfs.ko
    Reading symbols from /boot/kernel/smbfs.ko...Reading symbols from /boot/kernel/smbfs.ko.symbols...done.
    done.
    Loaded symbols for /boot/kernel/smbfs.ko
    Reading symbols from /boot/kernel/libiconv.ko...Reading symbols from /boot/kernel/libiconv.ko.symbols...done.
    done.
    Loaded symbols for /boot/kernel/libiconv.ko
    Reading symbols from /boot/kernel/libmchain.ko...Reading symbols from /boot/kernel/libmchain.ko.symbols...done.
    done.
    Loaded symbols for /boot/kernel/libmchain.ko
    Reading symbols from /boot/kernel/accf_http.ko...Reading symbols from /boot/kernel/accf_http.ko.symbols...done.
    done.
    Loaded symbols for /boot/kernel/accf_http.ko
    Reading symbols from /boot/kernel/accf_data.ko...Reading symbols from /boot/kernel/accf_data.ko.symbols...done.
    done.
    Loaded symbols for /boot/kernel/accf_data.ko
    #0  doadump (textdump=Variable "textdump" is not available.
    ) at pcpu.h:224
    warning: Source file is more recent than executable.
    224             __asm("movq %%gs:0,%0" : "=r" (td));
    (kgdb) bt
    #0  doadump (textdump=Variable "textdump" is not available.
    ) at pcpu.h:224
    #1  0xffffffff8086fea5 in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:442
    #2  0xffffffff80870351 in panic (fmt=Variable "fmt" is not available.
    ) at /usr/src/sys/kern/kern_shutdown.c:607
    #3  0xffffffff80b56920 in trap_fatal (frame=0xc, eva=Variable "eva" is not available.
    ) at /usr/src/sys/amd64/amd64/trap.c:819
    #4  0xffffffff80b56fd7 in trap (frame=0xffffff807be529b0) at /usr/src/sys/amd64/amd64/trap.c:322
    #5  0xffffffff80b415cf in calltrap () at /usr/src/sys/amd64/amd64/exception.S:228
    #6  0xffffffff808b41a8 in turnstile_broadcast (ts=0x0, queue=0) at /usr/src/sys/kern/subr_turnstile.c:831
    #7  0xffffffff80860400 in _mtx_unlock_sleep (m=0xfffffe0016b9c2f0, opts=Variable "opts" is not available.
    ) at /usr/src/sys/kern/kern_mutex.c:675
    #8  0xffffffff8163150c in smb_iod_invrq (iod=Variable "iod" is not available.
    ) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:91
    #9  0xffffffff81632621 in smb_iod_addrq (rqp=0xfffffe0016b9c200) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:418
    #10 0xffffffff8162efd9 in smb_rq_simple (rqp=0xfffffe0016b9c200) at /usr/src/sys/modules/smbfs/../../netsmb/smb_rq.c:168
    #11 0xffffffff8162d70d in smb_smb_ssnclose (vcp=Variable "vcp" is not available.
    ) at /usr/src/sys/modules/smbfs/../../netsmb/smb_smb.c:434
    #12 0xffffffff8163220d in smb_iod_thread (arg=Variable "arg" is not available.
    ) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:180
    #13 0xffffffff80843edf in fork_exit (callout=0xffffffff81631f10 <smb_iod_thread>, arg=0xfffffe0002997000, frame=0xffffff807be52c50) at /usr/src/sys/kern/kern_fork.c:995
    #14 0xffffffff80b41afe in fork_trampoline () at /usr/src/sys/amd64/amd64/exception.S:602
    #15 0x0000000000000000 in ?? ()
    #16 0x0000000000000000 in ?? ()
    #17 0x0000000000000001 in ?? ()
    #18 0x0000000000000000 in ?? ()
    #19 0x0000000000000000 in ?? ()
    #20 0x0000000000000000 in ?? ()
    #21 0x0000000000000000 in ?? ()
    #22 0x0000000000000000 in ?? ()
    #23 0x0000000000000000 in ?? ()
    #24 0x0000000000000000 in ?? ()
    #25 0x0000000000000000 in ?? ()
    #26 0x0000000000000000 in ?? ()
    #27 0x0000000000000000 in ?? ()
    #28 0x0000000000000000 in ?? ()
    #29 0x0000000000000000 in ?? ()
    #30 0x0000000000000000 in ?? ()
Responsible Changed From-To: freebsd-bugs->freebsd-fs

Over to maintainer(s).
Created attachment 162116: Fix a race that causes crashes in smbfs that destroyed mutexes prematurely

This patch seems to have fixed a similar problem w.r.t. smbfs crashes for someone who reported the problem to a mailing list. I believe it fixes the problem. It will be committed in a few weeks if nothing is reported to indicate that it doesn't fix the problem.
I believe there is a race caused by smb_iod_destroy() where it calls smb_iod_request() to shutdown the connection/iod thread. smb_iod_request() does an msleep(..PDROP..), which can return as soon as smb_iod_main() does the wakeup(). After returning from the msleep(), it returns to smb_iod_destroy(), which then destroys the mutexes and frees the iod structure. Unfortunately, smb_iod_main() is not done with the mutexes when it calls wakeup(). I believe this patch fixes the problem by moving the code that destroys the mutexes and frees the iod structure to the end of the smb_iod thread.
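The interleaving described in the comment above, modelled in userland with pthreads as an added example (constructed here; it is not the netsmb code or the attached patch). `iod_thread` and `smb_iod_destroy_model` are hypothetical names, atomics stand in for msleep()/wakeup(), and the thread deliberately waits for the destroyer to reach its "destroy mutexes, free iod" point before its final unlock, so the hazardous ordering is reproduced every run instead of only under load.

```c
/* Model of the smb_iod shutdown race: the destroy path wakes up from its
 * sleep while the iod thread still holds the mutex it is about to destroy.
 * Constructed demonstration; names and structure are not FreeBSD's. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

struct iod {
    pthread_mutex_t mtx;            /* stands in for the iod mutexes */
    int patched;                    /* 1 = teardown moved to end of iod thread */
    atomic_int shutdown_requested;  /* set by the smb_iod_request(SHUTDOWN) path */
    atomic_int woken;               /* the wakeup() that ends the destroyer's msleep */
    atomic_int checked;             /* demo: destroyer has reached its destroy point */
    atomic_int mtx_released;        /* set only after the thread's LAST use of mtx */
};

static void *iod_thread(void *arg)
{
    struct iod *iod = arg;
    while (!atomic_load(&iod->shutdown_requested)) sched_yield();
    pthread_mutex_lock(&iod->mtx);
    atomic_store(&iod->woken, 1);                       /* wakeup(): sleeper may run now */
    while (!atomic_load(&iod->checked)) sched_yield();  /* pin the bad interleaving */
    pthread_mutex_unlock(&iod->mtx);                    /* unlock still touches mtx */
    atomic_store(&iod->mtx_released, 1);
    if (iod->patched) { pthread_mutex_destroy(&iod->mtx); free(iod); }  /* the fix */
    return NULL;
}

/* Returns 1 if the destroy path reached "destroy mutexes, free iod" while the
 * iod thread still held the mutex (the turnstile crash in the backtrace), else 0. */
int smb_iod_destroy_model(int patched)
{
    struct iod *iod = calloc(1, sizeof *iod);
    pthread_t t;
    int unsafe;
    iod->patched = patched;
    pthread_mutex_init(&iod->mtx, NULL);
    pthread_create(&t, NULL, iod_thread, iod);
    atomic_store(&iod->shutdown_requested, 1);        /* smb_iod_request(SHUTDOWN) */
    while (!atomic_load(&iod->woken)) sched_yield();  /* msleep(..PDROP..) returns */
    /* The original ordering destroyed the mutexes and freed iod right here. */
    unsafe = !patched && !atomic_load(&iod->mtx_released);
    atomic_store(&iod->checked, 1);
    pthread_join(t, NULL);        /* patched: the thread has already torn iod down */
    if (!patched) { pthread_mutex_destroy(&iod->mtx); free(iod); }  /* demo: only after join */
    return unsafe;
}
```

`smb_iod_destroy_model(0)` returns 1 (the mutex was still held at the destroy point); `smb_iod_destroy_model(1)` returns 0 because teardown now happens after the thread's last unlock.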
Now that I've looked at the backtraces a little more closely, this one appears the same as PR#175557 and several others and I think it has already been fixed via r264600.
I believe this was fixed by r264600. I have also committed and MFC'd the other two patches I have for smbfs crashes.