Project

General

Profile

Actions

Bug #1790

closed

Panic during samba mount

Added by tero.jaasko.no.spam.please over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Hello,
I am getting a "Fatal trap 12: page fault while in kernel mode" -panic
on a samba mount command, e.g.
"mount_smbfs -I 192.168.0.195 /share /mnt/share/".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
Fatal trap 12: page fault while in kernel mode
mp_lock = 00000000; cpuid = 0; lapic->id = 00000000
fault virtual address = 0x60
fault code = supervisor read data, page not present
instruction pointer = 0x8:0xffffffff80250e17
stack pointer = 0x10:0xfffffffe37b62ab0
frame pointer = 0x10:0xfffffffe37b62ad0
code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 0, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
current thread = pri 44 (CRIT)
trap number = 12
panic: page fault
mp_lock = 00000000; cpuid = 0
Trace beginning at frame 0xfffffffe37b627f8
panic() at panic+0x1fc
panic() at panic+0x1fc
trap_fatal() at trap_fatal+0x3f4
trap_pfault() at trap_pfault+0x158
trap() at trap+0x67e
calltrap() at calltrap+0x8
--- trap 000000000000000c, rip = ffffffff80250e17, rsp =
fffffffe37b62ab0, rbp = fffffffe37b62ad0 ---
prison_replace_wildcards() at prison_replace_wildcards+0x1f
in_pcbbind() at in_pcbbind+0x2e1
tcp_connect() at tcp_connect+0x52
tcp_usr_connect() at tcp_usr_connect+0xe7
netmsg_pru_connect() at netmsg_pru_connect+0x1b
netmsg_service() at netmsg_service+0x122
tcpmsg_service_loop() at tcpmsg_service_loop+0x26
boot() called on cpu#0
Uptime: 4m23s
Physical memory: 8176 MB
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

There seems to be a problem in prison_replace_wildcards() at
sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
kgdb.txt contains my attempt at debugging the situation.

The panic is 100% reproducible on my system and I have a few kernel
dumps from the situation, if somebody needs tehm. I have attached a
band-aid kind of patch, which seems to work, at least with it the samba
works as expected, but perhaps it is not a correct solution.
I added a kprintf() on the "td->td_ucred == NULL" -case, and it seems
to be called only twice during the smb mount, not after.

The machine and kernel is a regular Intel x86_64 SMP setup, build
from yesterday's master.

Best regards,
Tero Jääskö


Files

kgdb.txt (4.88 KB) kgdb.txt tero.jaasko.no.spam.please, 07/02/2010 05:31 PM
ignore_null_td_ucred.patch (382 Bytes) ignore_null_td_ucred.patch tero.jaasko.no.spam.please, 07/02/2010 05:31 PM
Actions #1

Updated by nthery over 13 years ago

I reproduced the bug and I'm giving it a look.

Cheers,
Nicolas

On 2 July 2010 19:27, Tero Jaasko <

wrote:

Hello,
I am getting a "Fatal trap 12: page fault while in kernel mode" -panic on a
samba mount command, e.g.
"mount_smbfs -I 192.168.0.195 /share /mnt/share/".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
Fatal trap 12: page fault while in kernel mode
mp_lock = 00000000; cpuid = 0; lapic->id = 00000000
fault virtual address = 0x60
fault code = supervisor read data, page not present
instruction pointer = 0x8:0xffffffff80250e17
stack pointer = 0x10:0xfffffffe37b62ab0
frame pointer = 0x10:0xfffffffe37b62ad0
code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 0, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
current thread = pri 44 (CRIT)
trap number = 12
panic: page fault
mp_lock = 00000000; cpuid = 0
Trace beginning at frame 0xfffffffe37b627f8
panic() at panic+0x1fc
panic() at panic+0x1fc
trap_fatal() at trap_fatal+0x3f4
trap_pfault() at trap_pfault+0x158
trap() at trap+0x67e
calltrap() at calltrap+0x8
--- trap 000000000000000c, rip = ffffffff80250e17, rsp = fffffffe37b62ab0,
rbp = fffffffe37b62ad0 ---
prison_replace_wildcards() at prison_replace_wildcards+0x1f
in_pcbbind() at in_pcbbind+0x2e1
tcp_connect() at tcp_connect+0x52
tcp_usr_connect() at tcp_usr_connect+0xe7
netmsg_pru_connect() at netmsg_pru_connect+0x1b
netmsg_service() at netmsg_service+0x122
tcpmsg_service_loop() at tcpmsg_service_loop+0x26
boot() called on cpu#0
Uptime: 4m23s
Physical memory: 8176 MB
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

There seems to be a problem in prison_replace_wildcards() at
sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
kgdb.txt contains my attempt at debugging the situation.

The panic is 100% reproducible on my system and I have a few kernel dumps
from the situation, if somebody needs tehm. I have attached a band-aid kind
of patch, which seems to work, at least with it the samba works as expected,
but perhaps it is not a correct solution.
I added a kprintf() on the "td->td_ucred == NULL" -case, and it seems
to be called only twice during the smb mount, not after.

The machine and kernel is a regular Intel x86_64 SMP setup, build
from yesterday's master.

Best regards,
Tero Jääskö

Actions #2

Updated by nthery over 13 years ago

[...]

There seems to be a problem in prison_replace_wildcards() at
sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
kgdb.txt contains my attempt at debugging the situation.

The panic is 100% reproducible on my system and I have a few kernel dumps
from the situation, if somebody needs tehm. I have attached a band-aid kind
of patch, which seems to work, at least with it the samba works as expected,
but perhaps it is not a correct solution.

td is a samba kernel thread created in smb_iod_create() by calling
kthread_create_compat() which according to its comment is used only for samba.

kthread_create_compat() forks process 0 so the resulting kernel thread is a bit
different from other kernel threads: td->td_ucred == NULL but td->td_proc !=
NULL (it points to the forked process). This explains why the td_proc == NULL
check at the beginning of prison_replace_wildcard(), which is presumably there
for detecting kernel threads, fails.

prison_remote_ip() already checks if td_ucred != NULL before dereferencing it
so your patch looks good and a committed it. In the longer term, changing
samba to create a lwkt is probably the way to go.

Thanks for reporting this issue and fixing it.

Actions #3

Updated by nthery over 13 years ago

Fix committed as be36369df85afceebd0c8caca4b22f6e7a147f4f

Actions #4

Updated by tero.jaasko.no.spam.please over 13 years ago

On 10.7.2010 12:06, Nicolas Thery wrote:

td is a samba kernel thread created in smb_iod_create() by calling
kthread_create_compat() which according to its comment is used only for samba.

kthread_create_compat() forks process 0 so the resulting kernel thread is a bit
different from other kernel threads: td->td_ucred == NULL but td->td_proc !=
NULL (it points to the forked process). This explains why the td_proc == NULL
check at the beginning of prison_replace_wildcard(), which is presumably there
for detecting kernel threads, fails.

prison_remote_ip() already checks if td_ucred != NULL before dereferencing it
so your patch looks good and a committed it. In the longer term, changing
samba to create a lwkt is probably the way to go.

Thank you for the analysis and fix.

BR,
-Tero

Actions

Also available in: Atom PDF