From nobody@FreeBSD.org  Fri Jan 25 09:50:29 2013
Message-Id: <201301250950.r0P9oSLM095536@red.freebsd.org>
Date: Fri, 25 Jan 2013 09:50:28 GMT
From: Wen <senoutouya@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kernel panic in smbfs.ko while accessing windows share
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         175557
>Category:       kern
>Synopsis:       [smbfs] [panic] kernel panic in smbfs.ko while accessing windows share
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ae
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 25 10:00:00 UTC 2013
>Closed-Date:    Fri May 02 21:45:40 UTC 2014
>Last-Modified:  Fri May 02 21:45:40 UTC 2014
>Originator:     Wen
>Release:        8.2 and 9.1 RELEASE
>Organization:
>Environment:
FreeBSD freebsd8 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

FreeBSD h7bsd 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243826: Tue Dec  4 06:55:39 UTC 2012     root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

FreeBSD is running in a virtual machine, Host:
Windows 7 Ultimate, 64-bit 6.1.7601, Service Pack 1 + VMWare Workstation 9.0.1 build-894247

samba version: unknown, comes with FreeBSD

Host Hardware:
Intel i5230 4-core 3.2Ghz, 4GB RAM
VM Hardware:
1*4-core 3.2Ghz CPU, 1GB RAM
>Description:
root@h7bsd:/root # kgdb
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
#0  sched_switch (td=0xc117b5d0, newtd=0xc4d9d5c0, flags=260) at /usr/src/sys/kern/sched_ule.c:1927
1927                    cpuid = PCPU_GET(cpuid);
(kgdb) core /var/crash/vmcore.1 

Unread portion of the kernel message buffer:
kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x14
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0b024bf
stack pointer           = 0x28:0xd9784b30
frame pointer           = 0x28:0xd9784b4c
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = resume, IOPL = 0
current process         = 1032 (smbiod0)
trap number             = 12
panic: page fault
cpuid = 1
KDB: stack backtrace:
#0 0xc0af3aff at kdb_backtrace+0x4f
#1 0xc0ac052f at panic+0x16f
#2 0xc0e25013 at trap_fatal+0x323
#3 0xc0e25087 at trap_pfault+0x67
#4 0xc0e2608a at trap+0x44a
#5 0xc0e0f66c at calltrap+0x6
#6 0xc0aae309 at _mtx_unlock_sleep+0x59
#7 0xc0aaea73 at _mtx_unlock_flags+0x53
#8 0xc7ae8b63 at smb_iod_invrq+0xd3
#9 0xc7ae9d27 at smb_iod_addrq+0x237
#10 0xc7ae61e5 at smb_rq_enqueue+0xf5
#11 0xc7ae6625 at smb_rq_simple+0x25
#12 0xc7ae4cf5 at smb_smb_ssnsetup+0x1c5
#13 0xc7ae8cc4 at smb_iod_connect+0x114
#14 0xc7ae9781 at smb_iod_thread+0x1e1
#15 0xc0a90526 at fork_exit+0x96
#16 0xc0e0f6e4 at fork_trampoline+0x8
Uptime: 3m24s
Physical memory: 1007 MB
Dumping 99 MB: 84 68 52 36 20 4

Reading symbols from /boot/kernel/smbfs.ko...Reading symbols from /boot/kernel/smbfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/smbfs.ko
Reading symbols from /boot/kernel/libiconv.ko...Reading symbols from /boot/kernel/libiconv.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/libiconv.ko
Reading symbols from /boot/kernel/libmchain.ko...Reading symbols from /boot/kernel/libmchain.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/libmchain.ko
#0  doadump (textdump=1) at pcpu.h:244
244     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump (textdump=1) at pcpu.h:244
#1  0xc0ac027f in kern_reboot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:448
#2  0xc0ac0572 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:636
#3  0xc0e25013 in trap_fatal (frame=0xd9784af0, eva=20) at /usr/src/sys/i386/i386/trap.c:1018
#4  0xc0e25087 in trap_pfault (frame=0xd9784af0, usermode=0, eva=20) at /usr/src/sys/i386/i386/trap.c:833
#5  0xc0e2608a in trap (frame=0xd9784af0) at /usr/src/sys/i386/i386/trap.c:545
#6  0xc0e0f66c in calltrap () at /usr/src/sys/i386/i386/exception.s:169
#7  0xc0b024bf in turnstile_broadcast (ts=0x0, queue=0) at /usr/src/sys/kern/subr_turnstile.c:838
#8  0xc0aae309 in _mtx_unlock_sleep (m=0xc79dd294, opts=0, file=0xc7af58d6 "/usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c", line=91) at /usr/src/sys/kern/kern_mutex.c:715
#9  0xc0aaea73 in _mtx_unlock_flags (m=0xc79dd294, opts=0, file=0xc7af58d6 "/usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c", line=91) at /usr/src/sys/kern/kern_mutex.c:238
#10 0xc7ae8b63 in smb_iod_invrq (iod=Variable "iod" is not available.
) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:91
#11 0xc7ae9d27 in smb_iod_addrq (rqp=0xc79dd200) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:418
#12 0xc7ae61e5 in smb_rq_enqueue (rqp=0xc79dd200) at /usr/src/sys/modules/smbfs/../../netsmb/smb_rq.c:187
#13 0xc7ae6625 in smb_rq_simple (rqp=0xc79dd200) at /usr/src/sys/modules/smbfs/../../netsmb/smb_rq.c:168
#14 0xc7ae4cf5 in smb_smb_ssnsetup (vcp=0xc75ddc00, scred=0xc7579ac0) at /usr/src/sys/modules/smbfs/../../netsmb/smb_smb.c:423
#15 0xc7ae8cc4 in smb_iod_connect (iod=0xc7579a80) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:160
#16 0xc7ae9781 in smb_iod_thread (arg=0xc7579a80) at /usr/src/sys/modules/smbfs/../../netsmb/smb_iod.c:609
#17 0xc0a90526 in fork_exit (callout=0xc7ae95a0 <smb_iod_thread>, arg=0xc7579a80, frame=0xd9784d08) at /usr/src/sys/kern/kern_fork.c:992
#18 0xc0e0f6e4 in fork_trampoline () at /usr/src/sys/i386/i386/exception.s:276

--------------------------------------------------------------------------------
Kernel panic happens after I do concurrent file operations (gmake -j4) in the mounted dir.
However, it doesn't crash when accessing Windows shares on machines other than the VM host.


>How-To-Repeat:
1. Set up a virtual machine in VMware.
2. Install FreeBSD 8.2/9.1 on the VM.
3. Share a folder on the Windows host.
4. mount -t smbfs //USER@WINDOWSHOST/SHARE /mnt
5. cd /mnt/
6. Make some concurrent file operations (e.g. gmake -j4).
7. First it will complain 'Bad file descriptor', 'No space left on device' or 'Operation Timed Out'.
8. Repeat step 6 several times, then it crashes.

>Fix:


>Release-Note:
>Audit-Trail:

From: senoutouya <senoutouya@gmail.com>
To: bug-followup@FreeBSD.org, senoutouya@gmail.com
Cc:  
Subject: Re: ports/175557: kernel panic in smbfs.ko while accessing windows share
Date: Fri, 25 Jan 2013 20:52:55 +0800

 Crash is found with vm host:
 Windows 7 Ultimate, 64-bit 6.1.7601, Service Pack 1 + VMware WorkStation 9
 Windows 7 Ultimate, 64-bit 6.1.7601, Service Pack 1 + VMware WorkStation 8
 
 
 Crash is not found with vm host:
 Windows Server 2003 SP2 Enterprise x64 + VMware WorkStation 7
 Windows Server 2008 R2 x64 + VMware Workstation 9
 
 All of them were accessing a Windows share on their own host OS.
 
Responsible-Changed-From-To: freebsd-ports-bugs->freebsd-bugs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Jan 26 07:53:53 UTC 2013 
Responsible-Changed-Why:  
reclassify. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175557 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/175557: commit references a PR
Date: Thu, 17 Apr 2014 12:22:12 +0000 (UTC)

 Author: ae
 Date: Thu Apr 17 12:22:08 2014
 New Revision: 264600
 URL: http://svnweb.freebsd.org/changeset/base/264600
 
 Log:
   Remove redundant unlock.
   
   This code was removed from the opensolaris and darwin's
   netsmb implementations, in DfBSD it also has been disabled.
   
   PR:		36566, 87859, 139407, 161579, 175557, 178412, 186652
   MFC after:	2 weeks
   Sponsored by:	Yandex LLC
 
 Modified:
   head/sys/netsmb/smb_iod.c
 
 Modified: head/sys/netsmb/smb_iod.c
 ==============================================================================
 --- head/sys/netsmb/smb_iod.c	Thu Apr 17 12:16:51 2014	(r264599)
 +++ head/sys/netsmb/smb_iod.c	Thu Apr 17 12:22:08 2014	(r264600)
 @@ -87,8 +87,6 @@ smb_iod_invrq(struct smbiod *iod)
  	 */
  	SMB_IOD_RQLOCK(iod);
  	TAILQ_FOREACH(rqp, &iod->iod_rqlist, sr_link) {
 -		if (rqp->sr_flags & SMBR_INTERNAL)
 -			SMBRQ_SUNLOCK(rqp);
  		rqp->sr_flags |= SMBR_RESTART;
  		smb_iod_rqprocessed(rqp, ENOTCONN);
  	}
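Review bot: The log message calls the SMBRQ_SUNLOCK(rqp) removed from the TAILQ_FOREACH loop in smb_iod_invrq() "redundant" but does not say why, and for a change that references seven panic PRs the reasoning belongs in the log. The removed call is at old line 91 of this hunk, and the backtrace in this PR faults in _mtx_unlock_sleep() called from smb_iod.c:91 with turnstile_broadcast(ts=0x0), which is consistent with releasing a request lock this thread does not hold (the trace is from 9.1, so the line match is suggestive rather than exact). Please state in the log which lock SMBRQ_SUNLOCK drops and that it is not held on this path, and check that the comment ending just above SMB_IOD_RQLOCK(iod) does not still describe the unlock.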
 
State-Changed-From-To: open->closed 
State-Changed-By: ae 
State-Changed-When: Fri May 2 21:45:05 UTC 2014 
State-Changed-Why:  
Fixed in head/ and stable/10. 


Responsible-Changed-From-To: freebsd-bugs->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Fri May 2 21:45:05 UTC 2014 
Responsible-Changed-Why:  
Take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=175557 
>Unformatted:
