Bug #1790 (closed)
Panic during samba mount
Description
Hello,
I am getting a "Fatal trap 12: page fault while in kernel mode" panic
on a samba mount command, e.g.
"mount_smbfs -I 192.168.0.195 //guest@192.168.0.195/share /mnt/share/".
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
Fatal trap 12: page fault while in kernel mode
mp_lock = 00000000; cpuid = 0; lapic->id = 00000000
fault virtual address = 0x60
fault code = supervisor read data, page not present
instruction pointer = 0x8:0xffffffff80250e17
stack pointer = 0x10:0xfffffffe37b62ab0
frame pointer = 0x10:0xfffffffe37b62ad0
code segment = base 0x0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 0, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = Idle
current thread = pri 44 (CRIT)
trap number = 12
panic: page fault
mp_lock = 00000000; cpuid = 0
Trace beginning at frame 0xfffffffe37b627f8
panic() at panic+0x1fc
panic() at panic+0x1fc
trap_fatal() at trap_fatal+0x3f4
trap_pfault() at trap_pfault+0x158
trap() at trap+0x67e
calltrap() at calltrap+0x8
--- trap 000000000000000c, rip = ffffffff80250e17, rsp = fffffffe37b62ab0, rbp = fffffffe37b62ad0 ---
prison_replace_wildcards() at prison_replace_wildcards+0x1f
in_pcbbind() at in_pcbbind+0x2e1
tcp_connect() at tcp_connect+0x52
tcp_usr_connect() at tcp_usr_connect+0xe7
netmsg_pru_connect() at netmsg_pru_connect+0x1b
netmsg_service() at netmsg_service+0x122
tcpmsg_service_loop() at tcpmsg_service_loop+0x26
boot() called on cpu#0
Uptime: 4m23s
Physical memory: 8176 MB
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
There seems to be a problem in prison_replace_wildcards() at
sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
kgdb.txt contains my attempt at debugging the situation.
The panic is 100% reproducible on my system and I have a few kernel
dumps from the situation, if somebody needs them. I have attached a
band-aid kind of patch, which seems to work, at least with it Samba
works as expected, but perhaps it is not a correct solution.
I added a kprintf() on the "td->td_ucred == NULL" case, and it seems
to be called only twice during the smb mount, not after.
The machine and kernel are a regular Intel x86_64 SMP setup, built
from yesterday's master.
Best regards,
Tero Jääskö
Updated by nthery over 14 years ago
I reproduced the bug and I'm giving it a look.
Cheers,
Nicolas
On 2 July 2010 19:27, Tero Jaasko <tero.jaasko.no.spam.please@mail.suomi.net> wrote:
[...]
Updated by nthery over 14 years ago
[...]
There seems to be a problem in prison_replace_wildcards() at
sys/kern/kern_jail.c:, as the given "td->td_ucred" is NULL. The attached
kgdb.txt contains my attempt at debugging the situation.
The panic is 100% reproducible on my system and I have a few kernel dumps
from the situation, if somebody needs them. I have attached a band-aid kind
of patch, which seems to work, at least with it Samba works as expected,
but perhaps it is not a correct solution.
td is a samba kernel thread created in smb_iod_create() by calling
kthread_create_compat() which according to its comment is used only for samba.
kthread_create_compat() forks process 0 so the resulting kernel thread is a bit
different from other kernel threads: td->td_ucred == NULL but td->td_proc !=
NULL (it points to the forked process). This explains why the td_proc == NULL
check at the beginning of prison_replace_wildcards(), which is presumably there
for detecting kernel threads, fails.
prison_remote_ip() already checks if td_ucred != NULL before dereferencing it
so your patch looks good and I committed it. In the longer term, changing
samba to create a lwkt is probably the way to go.
Thanks for reporting this issue and fixing it.
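A user-space model of the two gates discussed in this thread, added here as an example; it is not DragonFly code and not the committed patch. The struct layouts, the fields pr_ip and cr_prison, the sample PID and the sample jail address are assumptions; only td_proc and td_ucred come from the report.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed user-space model of the kernel objects named in the thread;
 * layouts and every field beyond td_proc/td_ucred are assumptions. */
struct prison { uint32_t pr_ip; };            /* jail's IPv4 address, host order */
struct ucred  { struct prison *cr_prison; };  /* NULL means not jailed */
struct proc   { int p_pid; };
struct thread { struct proc *td_proc; struct ucred *td_ucred; };

#define INADDR_ANY_HOST 0u
/* The gate the report describes: only td_proc == NULL counts as a kernel
 * thread. A kthread_create_compat()-style thread has td_proc != NULL and
 * td_ucred == NULL, so the caller would dereference a NULL credential.
 * Returns 1 when that would happen, without performing the dereference. */
int old_gate_would_fault(const struct thread *td)
{
    if (td->td_proc == NULL)
        return 0;                     /* seen as kernel thread, early return */
    return td->td_ucred == NULL;      /* would read td->td_ucred->cr_prison */
}

/* Hardened version: a missing credential is treated like a missing process.
 * Jailed threads get a wildcard bind address replaced with the jail's IP;
 * kernel threads, unjailed threads and explicit addresses pass through. */
uint32_t replace_wildcard(const struct thread *td, uint32_t bind_addr)
{
    if (td->td_proc == NULL || td->td_ucred == NULL)
        return bind_addr;                           /* kernel thread: no jail */
    const struct prison *pr = td->td_ucred->cr_prison;
    if (pr == NULL || bind_addr != INADDR_ANY_HOST)
        return bind_addr;                           /* unjailed or explicit */
    return pr->pr_ip;
}

/* Constructed sample threads, one per case distinguished in the thread. */
static struct proc   sample_proc   = { 42 };
static struct prison sample_jail   = { 0x0a000001u };      /* 10.0.0.1 */
static struct ucred  jailed_cred   = { &sample_jail };
static struct ucred  unjailed_cred = { NULL };
struct thread td_user_jailed = { &sample_proc, &jailed_cred };
struct thread td_user_plain  = { &sample_proc, &unjailed_cred };
struct thread td_kthread     = { NULL, NULL };             /* ordinary kernel thread */
struct thread td_compat      = { &sample_proc, NULL };     /* kthread_create_compat() style */
int main(void)
{
    printf("compat thread: old gate faults=%d, hardened keeps 0x%08x\n",
           old_gate_would_fault(&td_compat), replace_wildcard(&td_compat, INADDR_ANY_HOST));
    return 0;
}
```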
Updated by nthery over 14 years ago
Fix committed as be36369df85afceebd0c8caca4b22f6e7a147f4f
Updated by tero.jaasko.no.spam.please over 14 years ago
On 10.7.2010 12:06, Nicolas Thery wrote:
[...]
Thank you for the analysis and fix.
BR,
-Tero