Bug #1790
Panic during samba mount
| Status: | Closed | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | - | |||
| Target version: | - |
Description
Hello,
I am getting a "Fatal trap 12: page fault while in kernel mode" -panic
on a samba mount command, e.g.
"mount_smbfs -I 192.168.0.195 //guest@192.168.0.195/share /mnt/share/".
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
Fatal trap 12: page fault while in kernel mode
mp_lock = 00000000; cpuid = 0; lapic->id = 00000000
fault virtual address = 0x60
fault code = supervisor read data, page not present
instruction pointer = 0x8:0xffffffff80250e17
stack pointer = 0x10:0xfffffffe37b62ab0
frame pointer = 0x10:0xfffffffe37b62ad0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 0, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
current thread = pri 44 (CRIT)
trap number = 12
panic: page fault
mp_lock = 00000000; cpuid = 0
Trace beginning at frame 0xfffffffe37b627f8
panic() at panic+0x1fc
panic() at panic+0x1fc
trap_fatal() at trap_fatal+0x3f4
trap_pfault() at trap_pfault+0x158
trap() at trap+0x67e
calltrap() at calltrap+0x8
--- trap 000000000000000c, rip = ffffffff80250e17, rsp =
fffffffe37b62ab0, rbp = fffffffe37b62ad0 ---
prison_replace_wildcards() at prison_replace_wildcards+0x1f
in_pcbbind() at in_pcbbind+0x2e1
tcp_connect() at tcp_connect+0x52
tcp_usr_connect() at tcp_usr_connect+0xe7
netmsg_pru_connect() at netmsg_pru_connect+0x1b
netmsg_service() at netmsg_service+0x122
tcpmsg_service_loop() at tcpmsg_service_loop+0x26
boot() called on cpu#0
Uptime: 4m23s
Physical memory: 8176 MB
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
There seems to be a problem in prison_replace_wildcards() at
sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
kgdb.txt contains my attempt at debugging the situation.
The panic is 100% reproducible on my system and I have a few kernel
dumps from the situation, if somebody needs tehm. I have attached a
band-aid kind of patch, which seems to work, at least with it the samba
works as expected, but perhaps it is not a correct solution.
I added a kprintf() on the "td->td_ucred == NULL" -case, and it seems
to be called only twice during the smb mount, not after.
The machine and kernel is a regular Intel x86_64 SMP setup, build
from yesterday's master.
Best regards,
Tero Jääskö
Related todos
History
Updated by nthery almost 3 years ago
I reproduced the bug and I'm giving it a look.
Cheers,
Nicolas
On 2 July 2010 19:27, Tero Jaasko <tero.jaasko.no.spam.please@mail.suomi.net
> wrote:
> Hello,
> I am getting a "Fatal trap 12: page fault while in kernel mode" -panic on a
> samba mount command, e.g.
> "mount_smbfs -I 192.168.0.195 //guest@192.168.0.195/share /mnt/share/".
>
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
> Fatal trap 12: page fault while in kernel mode
> mp_lock = 00000000; cpuid = 0; lapic->id = 00000000
> fault virtual address = 0x60
> fault code = supervisor read data, page not present
> instruction pointer = 0x8:0xffffffff80250e17
> stack pointer = 0x10:0xfffffffe37b62ab0
> frame pointer = 0x10:0xfffffffe37b62ad0
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, long 0, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = Idle
> current thread = pri 44 (CRIT)
> trap number = 12
> panic: page fault
> mp_lock = 00000000; cpuid = 0
> Trace beginning at frame 0xfffffffe37b627f8
> panic() at panic+0x1fc
> panic() at panic+0x1fc
> trap_fatal() at trap_fatal+0x3f4
> trap_pfault() at trap_pfault+0x158
> trap() at trap+0x67e
> calltrap() at calltrap+0x8
> --- trap 000000000000000c, rip = ffffffff80250e17, rsp = fffffffe37b62ab0,
> rbp = fffffffe37b62ad0 ---
> prison_replace_wildcards() at prison_replace_wildcards+0x1f
> in_pcbbind() at in_pcbbind+0x2e1
> tcp_connect() at tcp_connect+0x52
> tcp_usr_connect() at tcp_usr_connect+0xe7
> netmsg_pru_connect() at netmsg_pru_connect+0x1b
> netmsg_service() at netmsg_service+0x122
> tcpmsg_service_loop() at tcpmsg_service_loop+0x26
> boot() called on cpu#0
> Uptime: 4m23s
> Physical memory: 8176 MB
> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
>
> There seems to be a problem in prison_replace_wildcards() at
> sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
> kgdb.txt contains my attempt at debugging the situation.
>
> The panic is 100% reproducible on my system and I have a few kernel dumps
> from the situation, if somebody needs tehm. I have attached a band-aid kind
> of patch, which seems to work, at least with it the samba works as expected,
> but perhaps it is not a correct solution.
> I added a kprintf() on the "td->td_ucred == NULL" -case, and it seems
> to be called only twice during the smb mount, not after.
>
> The machine and kernel is a regular Intel x86_64 SMP setup, build
> from yesterday's master.
>
> Best regards,
> Tero Jääskö
>
Updated by nthery almost 3 years ago
[...]
>> There seems to be a problem in prison_replace_wildcards() at
>> sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
>> kgdb.txt contains my attempt at debugging the situation.
>>
>> The panic is 100% reproducible on my system and I have a few kernel dumps
>> from the situation, if somebody needs tehm. I have attached a band-aid kind
>> of patch, which seems to work, at least with it the samba works as expected,
>> but perhaps it is not a correct solution.
td is a samba kernel thread created in smb_iod_create() by calling
kthread_create_compat() which according to its comment is used only for samba.
kthread_create_compat() forks process 0 so the resulting kernel thread is a bit
different from other kernel threads: td->td_ucred == NULL but td->td_proc !=
NULL (it points to the forked process). This explains why the td_proc == NULL
check at the beginning of prison_replace_wildcard(), which is presumably there
for detecting kernel threads, fails.
prison_remote_ip() already checks if td_ucred != NULL before dereferencing it
so your patch looks good and a committed it. In the longer term, changing
samba to create a lwkt is probably the way to go.
Thanks for reporting this issue and fixing it.
Updated by nthery almost 3 years ago
Fix committed as be36369df85afceebd0c8caca4b22f6e7a147f4f
Updated by tero.jaasko.no.spam.please almost 3 years ago
On 10.7.2010 12:06, Nicolas Thery wrote:
> td is a samba kernel thread created in smb_iod_create() by calling
> kthread_create_compat() which according to its comment is used only for samba.
>
> kthread_create_compat() forks process 0 so the resulting kernel thread is a bit
> different from other kernel threads: td->td_ucred == NULL but td->td_proc !=
> NULL (it points to the forked process). This explains why the td_proc == NULL
> check at the beginning of prison_replace_wildcard(), which is presumably there
> for detecting kernel threads, fails.
>
> prison_remote_ip() already checks if td_ucred != NULL before dereferencing it
> so your patch looks good and a committed it. In the longer term, changing
> samba to create a lwkt is probably the way to go.
Thank you for the analysis and fix.
BR,
-Tero