Bug #1790

Panic during samba mount

Added by tero.jaasko.no.spam.please over 4 years ago. Updated over 4 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:-
Target version:-

Description

Hello,
I am getting a "Fatal trap 12: page fault while in kernel mode" -panic
on a samba mount command, e.g.
"mount_smbfs -I 192.168.0.195 ///share /mnt/share/".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
Fatal trap 12: page fault while in kernel mode
mp_lock = 00000000; cpuid = 0; lapic->id = 00000000
fault virtual address = 0x60
fault code = supervisor read data, page not present
instruction pointer = 0x8:0xffffffff80250e17
stack pointer = 0x10:0xfffffffe37b62ab0
frame pointer = 0x10:0xfffffffe37b62ad0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 0, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
current thread = pri 44 (CRIT)
trap number = 12
panic: page fault
mp_lock = 00000000; cpuid = 0
Trace beginning at frame 0xfffffffe37b627f8
panic() at panic+0x1fc
panic() at panic+0x1fc
trap_fatal() at trap_fatal+0x3f4
trap_pfault() at trap_pfault+0x158
trap() at trap+0x67e
calltrap() at calltrap+0x8
--- trap 000000000000000c, rip = ffffffff80250e17, rsp =
fffffffe37b62ab0, rbp = fffffffe37b62ad0 ---
prison_replace_wildcards() at prison_replace_wildcards+0x1f
in_pcbbind() at in_pcbbind+0x2e1
tcp_connect() at tcp_connect+0x52
tcp_usr_connect() at tcp_usr_connect+0xe7
netmsg_pru_connect() at netmsg_pru_connect+0x1b
netmsg_service() at netmsg_service+0x122
tcpmsg_service_loop() at tcpmsg_service_loop+0x26
boot() called on cpu#0
Uptime: 4m23s
Physical memory: 8176 MB
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

There seems to be a problem in prison_replace_wildcards() at
sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
kgdb.txt contains my attempt at debugging the situation.

The panic is 100% reproducible on my system and I have a few kernel
dumps from the situation, if somebody needs tehm. I have attached a
band-aid kind of patch, which seems to work, at least with it the samba
works as expected, but perhaps it is not a correct solution.
I added a kprintf() on the "td->td_ucred == NULL" -case, and it seems
to be called only twice during the smb mount, not after.

The machine and kernel is a regular Intel x86_64 SMP setup, build
from yesterday's master.

Best regards,
Tero Jääskö

kgdb.txt Magnifier (4.88 KB) tero.jaasko.no.spam.please, 07/02/2010 05:31 PM

ignore_null_td_ucred.patch Magnifier (382 Bytes) tero.jaasko.no.spam.please, 07/02/2010 05:31 PM

History

#1 Updated by nthery over 4 years ago

I reproduced the bug and I'm giving it a look.

Cheers,
Nicolas

On 2 July 2010 19:27, Tero Jaasko <
> wrote:

> Hello,
> I am getting a "Fatal trap 12: page fault while in kernel mode" -panic on a
> samba mount command, e.g.
> "mount_smbfs -I 192.168.0.195 ///share /mnt/share/".
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
> Fatal trap 12: page fault while in kernel mode
> mp_lock = 00000000; cpuid = 0; lapic->id = 00000000
> fault virtual address = 0x60
> fault code = supervisor read data, page not present
> instruction pointer = 0x8:0xffffffff80250e17
> stack pointer = 0x10:0xfffffffe37b62ab0
> frame pointer = 0x10:0xfffffffe37b62ad0
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, long 0, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = Idle
> current thread = pri 44 (CRIT)
> trap number = 12
> panic: page fault
> mp_lock = 00000000; cpuid = 0
> Trace beginning at frame 0xfffffffe37b627f8
> panic() at panic+0x1fc
> panic() at panic+0x1fc
> trap_fatal() at trap_fatal+0x3f4
> trap_pfault() at trap_pfault+0x158
> trap() at trap+0x67e
> calltrap() at calltrap+0x8
> --- trap 000000000000000c, rip = ffffffff80250e17, rsp = fffffffe37b62ab0,
> rbp = fffffffe37b62ad0 ---
> prison_replace_wildcards() at prison_replace_wildcards+0x1f
> in_pcbbind() at in_pcbbind+0x2e1
> tcp_connect() at tcp_connect+0x52
> tcp_usr_connect() at tcp_usr_connect+0xe7
> netmsg_pru_connect() at netmsg_pru_connect+0x1b
> netmsg_service() at netmsg_service+0x122
> tcpmsg_service_loop() at tcpmsg_service_loop+0x26
> boot() called on cpu#0
> Uptime: 4m23s
> Physical memory: 8176 MB
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
>
> There seems to be a problem in prison_replace_wildcards() at
> sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
> kgdb.txt contains my attempt at debugging the situation.
>
> The panic is 100% reproducible on my system and I have a few kernel dumps
> from the situation, if somebody needs tehm. I have attached a band-aid kind
> of patch, which seems to work, at least with it the samba works as expected,
> but perhaps it is not a correct solution.
> I added a kprintf() on the "td->td_ucred == NULL" -case, and it seems
> to be called only twice during the smb mount, not after.
>
> The machine and kernel is a regular Intel x86_64 SMP setup, build
> from yesterday's master.
>
> Best regards,
> Tero Jääskö
>

#2 Updated by nthery over 4 years ago

[...]
>> There seems to be a problem in prison_replace_wildcards() at
>> sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
>> kgdb.txt contains my attempt at debugging the situation.
>>
>> The panic is 100% reproducible on my system and I have a few kernel dumps
>> from the situation, if somebody needs tehm. I have attached a band-aid kind
>> of patch, which seems to work, at least with it the samba works as expected,
>> but perhaps it is not a correct solution.

td is a samba kernel thread created in smb_iod_create() by calling
kthread_create_compat() which according to its comment is used only for samba.

kthread_create_compat() forks process 0 so the resulting kernel thread is a bit
different from other kernel threads: td->td_ucred == NULL but td->td_proc !=
NULL (it points to the forked process). This explains why the td_proc == NULL
check at the beginning of prison_replace_wildcard(), which is presumably there
for detecting kernel threads, fails.

prison_remote_ip() already checks if td_ucred != NULL before dereferencing it
so your patch looks good and a committed it. In the longer term, changing
samba to create a lwkt is probably the way to go.

Thanks for reporting this issue and fixing it.

#3 Updated by nthery over 4 years ago

Fix committed as be36369df85afceebd0c8caca4b22f6e7a147f4f

#4 Updated by tero.jaasko.no.spam.please over 4 years ago

On 10.7.2010 12:06, Nicolas Thery wrote:

> td is a samba kernel thread created in smb_iod_create() by calling
> kthread_create_compat() which according to its comment is used only for samba.
>
> kthread_create_compat() forks process 0 so the resulting kernel thread is a bit
> different from other kernel threads: td->td_ucred == NULL but td->td_proc !=
> NULL (it points to the forked process). This explains why the td_proc == NULL
> check at the beginning of prison_replace_wildcard(), which is presumably there
> for detecting kernel threads, fails.
>
> prison_remote_ip() already checks if td_ucred != NULL before dereferencing it
> so your patch looks good and a committed it. In the longer term, changing
> samba to create a lwkt is probably the way to go.

Thank you for the analysis and fix.

BR,
-Tero

Also available in: Atom PDF