Subject: kern/30831: smbfs crashes on smp box
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <deadbug@gmail.com>
List: netbsd-bugs
Date: 07/25/2005 12:13:01
>Number: 30831
>Category: kern
>Synopsis: smbfs crashes on smp box
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 25 12:13:00 +0000 2005
>Originator: Martin Végiard
>Release: 3.0_BETA
>Organization:
>Environment:
NetBSD Z 3.0_BETA NetBSD 3.0_BETA (PowerEdge.MP) #10: Sat Jul 23 12:53:33 EDT 2005 root@Z:/usr/src/sys/arch/i386/compile/PowerEdge.MP i386
>Description:
With a 4gig smbfs mounted, I use rsync to back up that data and the machine will randomly 'freeze', dropping me in the kernel's debugger.
It crashes on: movl 0x30(%eax), %eax
Which turns out to be /usr/src/sys/fs/smbfs/smbfs_vfsops.c
smbfs_sync(...)
exactly here:
/* $NetBSD: smbfs_vfsops.c,v 1.47 2005/02/26 22:58:55 perry Exp $ */
456: if ((vp->v_type == VNON || (np->n_flag & NMODIFIED) == 0) &&
                                 ^^^^^^^^^
seems np has been dereferenced...
***0xc02d5756 <smbfs_sync+122>: mov 0x30(%eax),%eax***
0xc02d5759 <smbfs_sync+125>: shr $0x2,%eax
0xc02d575c <smbfs_sync+128>: xor $0x1,%eax
0xc02d575f <smbfs_sync+131>: test $0x1,%al
>How-To-Repeat:
Mount a smbfs with enough data on a box with more than one cpu and rsync!
>Fix:
Verify that np is still valid before using it. (Requires a lock?)
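
The check suggested under >Fix, sketched as a userland model; this is an added example, not code from the report or from the NetBSD tree. It assumes the stale np is a NULL v_data left behind by a concurrent reclaim and uses a pthread mutex as a stand-in for a per-vnode lock; the model_* names and the struct layouts are hypothetical.

```c
/* Userland model only, not NetBSD kernel code; layouts and helpers are assumed. */
#include <pthread.h>
#include <stdio.h>

enum { VNON, VREG };
#define NMODIFIED 0x0004 /* bit 2, consistent with "shr $0x2; test $0x1" above */

struct smbnode { int n_flag; };
struct vnode {
    pthread_mutex_t v_interlock; /* stand-in for a per-vnode kernel lock */
    int v_type;
    void *v_data;                /* smbnode pointer; assumed NULL once reclaimed */
};
#define VTOSMB(vp) ((struct smbnode *)(vp)->v_data)

/* Hypothetical reclaim path: detaches the smbnode while holding the lock. */
static void model_reclaim(struct vnode *vp) {
    pthread_mutex_lock(&vp->v_interlock);
    vp->v_data = NULL; /* v_type stays VREG, so the VNON test alone does not help */
    pthread_mutex_unlock(&vp->v_interlock);
}

/* Sync walk with the check added; returns how many vnodes would be flushed. */
static int model_sync(struct vnode *vps, size_t n) {
    int flushed = 0;
    for (size_t i = 0; i < n; i++) {
        struct vnode *vp = &vps[i];
        pthread_mutex_lock(&vp->v_interlock);
        struct smbnode *np = VTOSMB(vp); /* read only while the lock is held */
        if (np != NULL && vp->v_type != VNON && (np->n_flag & NMODIFIED)) {
            np->n_flag &= ~NMODIFIED;    /* stands in for the real flush */
            flushed++;
        }
        pthread_mutex_unlock(&vp->v_interlock);
    }
    return flushed;
}

/* Constructed input: two dirty nodes and one clean; the second is reclaimed. */
static int model_demo(void) {
    struct smbnode nodes[3] = { { NMODIFIED }, { NMODIFIED }, { 0 } };
    struct vnode vps[3] = {
        { PTHREAD_MUTEX_INITIALIZER, VREG, &nodes[0] },
        { PTHREAD_MUTEX_INITIALIZER, VREG, &nodes[1] },
        { PTHREAD_MUTEX_INITIALIZER, VREG, &nodes[2] },
    };
    model_reclaim(&vps[1]);
    return model_sync(vps, 3);
}
int main(void) { printf("flushed=%d\n", model_demo()); return 0; }
```

The NULL test only helps because np is fetched and used under the same lock that the reclaim path takes; checking first and locking afterwards would leave the same window open.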