current-users: Re: smbfs panic

Subject: Re: smbfs panic
To: Patrick Welche <prlw1@newn.cam.ac.uk>
From: Antti Kantee <pooka@cs.hut.fi>
List: current-users
Date: 12/04/2007 15:57:34
On Tue Dec 04 2007 at 13:11:59 +0000, Patrick Welche wrote:
> I didn't think I would have an opportunity to try this so soon - sadly
> before I read your message, but I seem to have extracted something:
> (4.99.39/i386 of Dec 3 15:51 GMT, happened during /etc/daily)

Well, I don't really know smbfs at all.  But if I were to hazard a very
quick guess, it looks like the connection is dying while there is an
outstanding request.  The cleaner is then going through all outstanding
requests to clean them up and finds one request in an unexpected state
(without a callout) and therefore panics.

Try this.  But I'll only commit it if you can make the panic repeatable
and find no other ill effects.  Try e.g. ifconfiging your interface down
while making smbfs requests.  If it doesn't fix it, file a PR with this
analysis and hope someone who understands the smb code takes interest.
.. Or use the FUSE smbfs.  I promise to fix all kernel crashes due to
using it ;)

Index: netsmb/smb_iod.c
===================================================================
RCS file: /cvsroot/src/sys/netsmb/smb_iod.c,v
retrieving revision 1.27
diff -p -u -r1.27 smb_iod.c
--- netsmb/smb_iod.c	9 Jul 2007 21:11:15 -0000	1.27
+++ netsmb/smb_iod.c	4 Dec 2007 13:55:12 -0000
@@ -78,7 +78,10 @@ smb_iod_rqprocessed(struct smb_rq *rqp, 
 	rqp->sr_rpgen++;
 	rqp->sr_state = SMBRQ_NOTIFIED;
 	wakeup(&rqp->sr_state);
-	callout_stop(&rqp->sr_timo_ch);
+	if (rqp->sr_timo > 0) {
+		callout_stop(&rqp->sr_timo_ch);
+		callout_destroy(&rqp->sr_timo_ch);
+	}
 	if (rqp->sr_recvcallback)
 		(*rqp->sr_recvcallback)(rqp->sr_recvarg);
 	SMBRQ_SUNLOCK(rqp);

> db{0}> mach cpu 0
> using CPU 0
> db{0}> bt
> breakpoint(c053011a,cd4c2b58,cd4c2b3c,c0337823,c0624a78) at netbsd:breakpoint+0x
> 1
> panic(c05da364,c052d0ac,c052d18a,c052d08c,1a1) at netbsd:panic+0xd1
> __kernassert(c052d0ac,c052d08c,1a1,c052d18a,1ae67a0) at netbsd:__kernassert+0x37
> 
> callout_stop(cdd7cee8,1,cd4c2bcc,c01c3cc5,cdd7cea0) at netbsd:callout_stop+0x45
> smb_iod_rqprocessed(cdd7cea0,39,cd4c2bfc,c0337697,c2a4a300) at netbsd:smb_iod_rq
> processed+0x50
> smb_iod_invrq(c2a50c80,1,cd4c2bfc,c01c4e77,c2a50c80) at netbsd:smb_iod_invrq+0x6
> 6
> smb_iod_dead(c2a50c80,cdd7cea0,cd4c2bfc,c01c3c0c,cdd7cea0) at netbsd:smb_iod_dea
> d+0x26
> smb_iod_sendall(c2a50c80,0,c050b993,c05e7834,c0000000) at netbsd:smb_iod_sendall
> +0x109
> smb_iod_main(c2a50c80,18,c050b993,0,0) at netbsd:smb_iod_main+0x3e
> smb_iod_thread(c2a50c80,0,c0100297,0,c0100297) at netbsd:smb_iod_thread+0x7d
> db{0}> mach cpu 1
> using CPU 1
> db{0}> bt
> _kernel_lock(1,cdcfc380,cde658bc,c03374c4,cdcfc380) at netbsd:_kernel_lock+0x21d
> 
> sleepq_block(0,0,c050b977,c05e7834,1624554) at netbsd:sleepq_block+0x1bb
> ltsleep(cdd7cea0,20,c050b977,0,cdd7cf2c) at netbsd:ltsleep+0x14e
> smb_iod_waitrq(cdd7cea0,c0624554,cde6596c,c01c4935,c2a50c84) at netbsd:smb_iod_w
> aitrq+0xe4
> smb_rq_reply(cdd7cea0,3,cde6596c,c2a4a300,c2a50c80) at netbsd:smb_rq_reply+0x1a
> smb_t2_reply(cdd7df68,c2992d00,cde659e8,3,cde65905) at netbsd:smb_t2_reply+0x1b
> smb_t2_request_int(cdd7df68,cde65a6a,0,0,16) at netbsd:smb_t2_request_int+0x593
> smb_t2_request(cdd7df68,1,cde65af4,cde65aac,0) at netbsd:smb_t2_request+0x32
> smbfs_smb_statvfs(c3453780,d2253000,cde65af4,c039bc23,cc089e80) at netbsd:smbfs_
> smb_statvfs+0x94
> smbfs_statvfs(c2aff000,d2253000,8b4,c0352d67,c062fc40) at netbsd:smbfs_statvfs+0
> x74
> dostatvfs(c2aff000,d2253000,cdcfc380,1,1) at netbsd:dostatvfs+0x8d
> do_sys_pstatvfs(cdcfc380,bb90fa0c,1,d2253000,0) at netbsd:do_sys_pstatvfs+0xb6
> sys_statvfs1(cdcfc380,cde65c34,cde65c2c,2,13e0e79) at netbsd:sys_statvfs1+0x48
> syscall(cde65c78,b3,bfbf00ab,1f,bfbf001f) at netbsd:syscall+0x1d6
> db{0}> show reg
> ds          0x10
> es          0x10
> fs          0x30
> gs          0x10
> edi         0xcd9d3000
> esi         0xc01c4e79  smb_iod_thread
> ebp         0xcd4c2b1c
> ebx         0xcdc49a80
> edx         0xc0000010
> ecx         0x5
> eax         0x1
> eip         0xc03ecf49  breakpoint+0x1
> cs          0x8
> eflags      0x286
> esp         0xcd4c2b10
> ss          0x10
> netbsd:breakpoint+0x1:  ret
> db{0}> examine/s c052d0ac
> netbsd:_link_ptimers_pool+0xcc: diagnostic
> db{0}> examine/s c05da364
> netbsd:sentinel_node+0x2224:    kernel %sassertion "%s" failed: file "%s", line %d
> db{0}> examine/s c052d18a
> netbsd:_link_ptimers_pool+0x1aa:        c->c_magic == CALLOUT_MAGIC
> db{0}> examine/s c052d08c
> netbsd:_link_ptimers_pool+0xac: ../../../../kern/kern_timeout.c
> 

-- 
Antti Kantee <pooka@iki.fi>                     Of course he runs NetBSD
http://www.iki.fi/pooka/                          http://www.NetBSD.org/
    "la qualité la plus indispensable du cuisinier est l'exactitude"