kern/139407: smb mount causes system crash if remote share no longer accessible

Bob McClure h8msft at gmail.com
Wed Oct 7 16:10:02 UTC 2009


>Number:         139407
>Category:       kern
>Synopsis:       smb mount causes system crash if remote share no longer accessible
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Oct 07 16:10:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Bob McClure
>Release:        7.1 release / 8.0-RC1
>Organization:
>Environment:
FreeBSD THEMIS-LRAR-01.foo.local 7.1-RELEASE FreeBSD 7.1-RELEASE #0: Tue Jan  6 11:36:08 CST 2009     bobm@Themis-lrar-02.foo.local:/usr/src/sys/amd64/compile/CLUSTER  amd64


BSDTest-lrar-03v# uname -a
FreeBSD BSDTest-lrar-03v.foo.local 8.0-RC1 FreeBSD 8.0-RC1 #0: Mon Oct  5 12:35:15 CDT 2009     root@BSDTest-lrar-03v.foo.local:/usr/src/sys/amd64/compile/CLUSTER  amd64

FreeBSD foo.foodomain 8.0-RC1 FreeBSD 8.0-RC1 #0: Thu Sep 17 20:45:19 UTC 2009     root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386


>Description:
If connectivity is lost to an SMB mount, issuing the df command can crash the system. I have replicated this with 7.1 Release on an HP server and with 8.0 RC-1 in a VMware ESX (amd64) and 8.0 RC-1 in VMware ESXi (i386).

The connectivity loss can be either network related, remote server problems, or the share deleted.

The crash will not occur until the df command is called.

A dump of the crash file references smbiod, so I'm not sure where the problem actually is.


00004640  73 6d 62 5f 64 65 76 3a  20 6c 6f 61 64 65 64 0a  |smb_dev: loaded.|
00004650  6b 65 72 6e 65 6c 20 74  72 61 70 20 31 32 20 77  |kernel trap 12 w|
00004660  69 74 68 20 69 6e 74 65  72 72 75 70 74 73 20 64  |ith interrupts d|
00004670  69 73 61 62 6c 65 64 0a  0a 0a 46 61 74 61 6c 20  |isabled...Fatal |
00004680  74 72 61 70 20 31 32 3a  20 70 61 67 65 20 66 61  |trap 12: page fa|
00004690  75 6c 74 20 77 68 69 6c  65 20 69 6e 20 6b 65 72  |ult while in ker|
000046a0  6e 65 6c 20 6d 6f 64 65  0a 63 70 75 69 64 20 3d  |nel mode.cpuid =|
000046b0  20 32 3b 20 61 70 69 63  20 69 64 20 3d 20 30 32  | 2; apic id = 02|
000046c0  0a 66 61 75 6c 74 20 76  69 72 74 75 61 6c 20 61  |.fault virtual a|
000046d0  64 64 72 65 73 73 09 3d  20 30 78 33 30 0a 66 61  |ddress.= 0x30.fa|
000046e0  75 6c 74 20 63 6f 64 65  09 09 3d 20 73 75 70 65  |ult code..= supe|
000046f0  72 76 69 73 6f 72 20 72  65 61 64 20 64 61 74 61  |rvisor read data|
00004700  2c 20 70 61 67 65 20 6e  6f 74 20 70 72 65 73 65  |, page not prese|
00004710  6e 74 0a 69 6e 73 74 72  75 63 74 69 6f 6e 20 70  |nt.instruction p|
00004720  6f 69 6e 74 65 72 09 3d  20 30 78 38 3a 30 78 66  |ointer.= 0x8:0xf|
00004730  66 66 66 66 66 66 66 38  30 35 34 38 31 37 66 0a  |fffffff8054817f.|
00004740  73 74 61 63 6b 20 70 6f  69 6e 74 65 72 09 20 20  |stack pointer.  |
00004750  20 20 20 20 20 20 3d 20  30 78 31 30 3a 30 78 66  |      = 0x10:0xf|
00004760  66 66 66 66 66 66 66 37  64 36 36 65 39 34 30 0a  |fffffff7d66e940.|
00004770  66 72 61 6d 65 20 70 6f  69 6e 74 65 72 09 20 20  |frame pointer.  |
00004780  20 20 20 20 20 20 3d 20  30 78 31 30 3a 30 78 66  |      = 0x10:0xf|
00004790  66 66 66 66 66 30 30 30  63 37 34 62 36 65 30 0a  |fffff000c74b6e0.|
000047a0  63 6f 64 65 20 73 65 67  6d 65 6e 74 09 09 3d 20  |code segment..= |
000047b0  62 61 73 65 20 30 78 30  2c 20 6c 69 6d 69 74 20  |base 0x0, limit |
000047c0  30 78 66 66 66 66 66 2c  20 74 79 70 65 20 30 78  |0xfffff, type 0x|
000047d0  31 62 0a 09 09 09 3d 20  44 50 4c 20 30 2c 20 70  |1b....= DPL 0, p|
000047e0  72 65 73 20 31 2c 20 6c  6f 6e 67 20 31 2c 20 64  |res 1, long 1, d|
000047f0  65 66 33 32 20 30 2c 20  67 72 61 6e 20 31 0a 70  |ef32 0, gran 1.p|
00004800  72 6f 63 65 73 73 6f 72  20 65 66 6c 61 67 73 09  |rocessor eflags.|
00004810  3d 20 72 65 73 75 6d 65  2c 20 49 4f 50 4c 20 3d  |= resume, IOPL =|
00004820  20 30 0a 63 75 72 72 65  6e 74 20 70 72 6f 63 65  | 0.current proce|
00004830  73 73 09 09 3d 20 31 30  32 34 20 28 73 6d 62 69  |ss..= 1024 (smbi|
00004840  6f 64 30 29 0a 74 72 61  70 20 6e 75 6d 62 65 72  |od0).trap number|
00004850  09 09 3d 20 31 32 0a 70  61 6e 69 63 3a 20 70 61  |..= 12.panic: pa|
00004860  67 65 20 66 61 75 6c 74  0a 63 70 75 69 64 20 3d  |ge fault.cpuid =|
00004870  20 32 0a 55 70 74 69 6d  65 3a 20 36 6d 33 37 73  | 2.Uptime: 6m37s|
00004880  0a 50 68 79 73 69 63 61  6c 20 6d 65 6d 6f 72 79  |.Physical memory|
00004890  3a 20 31 32 32 37 33 20  4d 42 0a 44 75 6d 70 69  |: 12273 MB.Dumpi|
000048a0  6e 67 20 36 34 35 20 4d  42 3a 00 00 00 00 00 00  |ng 645 MB:......|
000048b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

>How-To-Repeat:
This can be replicated in a VMware ESXi instance to avoid crashing a physical server.
 
install a local instance of samba with security = local

create a share on the local machine
#[foo]
#   path = /home/foo
#   valid users = bob
#   public=no
#   writeable = yes
#   browsable = yes
#   create mask = 0777

# Mount the share
 mount_smbfs -I foo //bob@foo/foo mount

# rename the share to a new name
#[fooxx]
#   path = /home/foo
#   valid users = bob
#   public=no
#   writeable = yes
#   browsable = yes
#   create mask = 0777

samba restart

df <- no error
samba stop
df <- system crash


>Fix:
Unknown

>Release-Note:
>Audit-Trail:
>Unformatted:
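
Added example, not part of the original report: a small Python decoder that turns `hexdump -C` rows like the ones in the Description back into the kernel's trap report and pulls out its "name = value" fields. The sample rows are copied from two non-adjacent parts of the dump above; the function names are illustrative.

```python
import re

# Rows copied from the hexdump in this report (two non-adjacent excerpts).
SAMPLE = """\
000046c0  0a 66 61 75 6c 74 20 76  69 72 74 75 61 6c 20 61  |.fault virtual a|
000046d0  64 64 72 65 73 73 09 3d  20 30 78 33 30 0a 66 61  |ddress.= 0x30.fa|
00004820  20 30 0a 63 75 72 72 65  6e 74 20 70 72 6f 63 65  | 0.current proce|
00004830  73 73 09 09 3d 20 31 30  32 34 20 28 73 6d 62 69  |ss..= 1024 (smbi|
00004840  6f 64 30 29 0a 74 72 61  70 20 6e 75 6d 62 65 72  |od0).trap number|
00004850  09 09 3d 20 31 32 0a 70  61 6e 69 63 3a 20 70 61  |..= 12.panic: pa|
"""

ROW = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}\s+){1,16})\|(.*)\|\s*$")
FIELD = re.compile(r"^([a-z ]+?)\s*=\s*(.+)$")


def decode_hexdump(text):
    """Return [(offset, bytes)] runs; rows with adjacent offsets are merged."""
    runs = []
    for row in text.splitlines():
        m = ROW.match(row)
        if not m:
            continue  # not a hexdump -C row (prose, blank line, '*')
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2))
        # Re-render the ASCII column to catch rows damaged in transit.
        shown = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        if shown != m.group(3):
            raise ValueError(f"ASCII column mismatch at {offset:#x}")
        if runs and runs[-1][0] + len(runs[-1][1]) == offset:
            runs[-1] = (runs[-1][0], runs[-1][1] + chunk)
        else:
            runs.append((offset, chunk))
    return runs


def trap_fields(runs):
    """Collect 'name = value' lines of the trap report from each run."""
    fields = {}
    for _, data in runs:
        lines = data.decode("ascii", "replace").split("\n")
        # The first and last pieces of a run may be cut mid-line; skip them.
        for line in lines[1:-1]:
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return fields


if __name__ == "__main__":
    for name, value in trap_fields(decode_hexdump(SAMPLE)).items():
        print(f"{name}: {value}")
```

A fault address as small as the 0x30 recovered here is the usual signature of a field access through a NULL structure pointer, which is a useful starting point when reading a backtrace from the same crash.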

