Panic during samba mount

Tero Jaasko tero.jaasko.no.spam.please at mail.suomi.net
Fri Jul 2 10:27:57 PDT 2010


Hello,
I am getting a "Fatal trap 12: page fault while in kernel mode" panic
on a samba mount command, e.g.
"mount_smbfs -I 192.168.0.195 //guest at 192.168.0.195/share /mnt/share/".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<
Fatal trap 12: page fault while in kernel mode
mp_lock = 00000000; cpuid = 0; lapic->id = 00000000
fault virtual address   = 0x60
fault code              = supervisor read data, page not present
instruction pointer     = 0x8:0xffffffff80250e17
stack pointer           = 0x10:0xfffffffe37b62ab0
frame pointer           = 0x10:0xfffffffe37b62ad0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 0, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = Idle
current thread          = pri 44 (CRIT)
trap number             = 12
panic: page fault
mp_lock = 00000000; cpuid = 0
Trace beginning at frame 0xfffffffe37b627f8
panic() at panic+0x1fc
panic() at panic+0x1fc
trap_fatal() at trap_fatal+0x3f4
trap_pfault() at trap_pfault+0x158
trap() at trap+0x67e
calltrap() at calltrap+0x8
--- trap 000000000000000c, rip = ffffffff80250e17, rsp = fffffffe37b62ab0, rbp = fffffffe37b62ad0 ---
prison_replace_wildcards() at prison_replace_wildcards+0x1f
in_pcbbind() at in_pcbbind+0x2e1
tcp_connect() at tcp_connect+0x52
tcp_usr_connect() at tcp_usr_connect+0xe7
netmsg_pru_connect() at netmsg_pru_connect+0x1b
netmsg_service() at netmsg_service+0x122
tcpmsg_service_loop() at tcpmsg_service_loop+0x26
boot() called on cpu#0
Uptime: 4m23s
Physical memory: 8176 MB
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<

There seems to be a problem in prison_replace_wildcards() at
sys/kern/kern_jail.c, as the given "td->td_ucred" is NULL. The attached
kgdb.txt contains my attempt at debugging the situation.

The panic is 100% reproducible on my system and I have a few kernel
dumps from the situation, if somebody needs them. I have attached a
band-aid kind of patch, which seems to work; at least with it the samba
works as expected, but perhaps it is not a correct solution.
I added a kprintf() on the "td->td_ucred == NULL" case, and it seems
to be called only twice during the smb mount, not after.

The machine and kernel are a regular Intel x86_64 SMP setup, built
from yesterday's master.

Best regards,
Tero Jääskö

Reading symbols from /boot/modules/acpi.ko...done.
Loaded symbols for /boot/modules/acpi.ko
Reading symbols from /boot/modules/radeon.ko...done.
Loaded symbols for /boot/modules/radeon.ko
Reading symbols from /boot/modules/drm.ko...done.
Loaded symbols for /boot/modules/drm.ko
Reading symbols from /boot/modules/smbfs.ko...done.
Loaded symbols for /boot/modules/smbfs.ko
Reading symbols from /boot/modules/libmchain.ko...done.
Loaded symbols for /boot/modules/libmchain.ko
Reading symbols from /boot/modules/libiconv.ko...done.
Loaded symbols for /boot/modules/libiconv.ko
_get_mycpu (di=0xffffffff806e6400) at ./machine/thread.h:73
73	    __asm ("movq %%gs:globaldata,%0" : "=r" (gd) : "m"(__mycpu__dummy));
(kgdb) bt
#0  _get_mycpu (di=0xffffffff806e6400) at ./machine/thread.h:73
#1  md_dumpsys (di=0xffffffff806e6400) at /usr/src/sys/platform/pc64/x86_64/dump_machdep.c:262
#2  0xffffffff80263246 in dumpsys () at /usr/src/sys/kern/kern_shutdown.c:839
#3  0xffffffff8026394a in boot (howto=<value optimized out>) at /usr/src/sys/kern/kern_shutdown.c:388
#4  0xffffffff80263d4a in panic (fmt=0xffffffff804c6e28 "%s") at /usr/src/sys/kern/kern_shutdown.c:745
#5  0xffffffff80498507 in trap_fatal (frame=0xfffffffe37b629f8, eva=<value optimized out>) at /usr/src/sys/platform/pc64/x86_64/trap.c:984
#6  0xffffffff8049867d in trap_pfault (frame=0xfffffffe37b629f8, usermode=0) at /usr/src/sys/platform/pc64/x86_64/trap.c:889
#7  0xffffffff80499bf8 in trap (frame=0xfffffffe37b629f8) at /usr/src/sys/platform/pc64/x86_64/trap.c:611
#8  0xffffffff804919be in calltrap () at /usr/src/sys/platform/pc64/x86_64/exception.S:179
#9  0xffffffff80250e17 in prison_replace_wildcards (td=0xfffffffe5b19a558, ip=0xfffffffe37b62b00) at /usr/src/sys/kern/kern_jail.c:372
#10 0xffffffff803148f4 in in_pcbbind (inp=0xfffffffe32830558, nam=0x0, td=0xfffffffe5b19a558) at /usr/src/sys/netinet/in_pcb.c:330
#11 0xffffffff80330234 in tcp_connect (tp=0xfffffffe32830678, flags=0, m=0x0, nam=0xfffffffe5e242b38, td=0xfffffffe5b19a558)
    at /usr/src/sys/netinet/tcp_usrreq.c:1020
#12 0xffffffff803308e8 in tcp_usr_connect (so=0xfffffffe08572c70, nam=0xfffffffe5e242b38, td=0xfffffffe5b19a558)
    at /usr/src/sys/netinet/tcp_usrreq.c:479
#13 0xffffffff802ad74e in netmsg_pru_connect (msg=0xfffffffe5e242a18) at /usr/src/sys/kern/uipc_msg.c:486
#14 0xffffffff80307e73 in netmsg_service (msg=0xfffffffe5e242a18, mpsafe_mode=934685440, mplocked=0) at /usr/src/sys/net/netisr.c:310
#15 0xffffffff803289bd in tcpmsg_service_loop (dummy=<value optimized out>) at /usr/src/sys/netinet/tcp_subr.c:410
#16 0xffffffff8026f6aa in lwkt_deschedule_self (td=0xfffffffe5b19a558) at /usr/src/sys/kern/lwkt_thread.c:250
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(kgdb) frame 9
#9  0xffffffff80250e17 in prison_replace_wildcards (td=0xfffffffe5b19a558, ip=0xfffffffe37b62b00) at /usr/src/sys/kern/kern_jail.c:372
372		if ((pr = td->td_ucred->cr_prison) == NULL)
(kgdb) print td
$1 = (struct thread *) 0xfffffffe5b19a558
(kgdb) print td->td_ucred
$2 = (struct ucred *) 0x0
(kgdb) frame 10
#10 0xffffffff803148f4 in in_pcbbind (inp=0xfffffffe32830558, nam=0x0, td=0xfffffffe5b19a558) at /usr/src/sys/netinet/in_pcb.c:330
330			if (!prison_replace_wildcards(td, (struct sockaddr *)&jsin)) {
(kgdb) print td
$3 = (struct thread *) 0xfffffffe5b19a558
(kgdb) print jsin
$4 = {sin_len = 48 '0', sin_family = 2 '\002', sin_port = 14262, sin_addr = {s_addr = 0}, sin_zero = "\263\v'\200\377\377\377\377"}
(kgdb) 


diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index cfe2641..95e5490 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -369,6 +369,10 @@ prison_replace_wildcards(struct thread *td, struct sockaddr *ip)
 
 	if (td->td_proc == NULL)
 		return (1);
+
+	if (td->td_ucred == NULL)
+		return (1);
+
 	if ((pr = td->td_ucred->cr_prison) == NULL)
 		return (1);
 
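Review bot: returning 1 when td_ucred is NULL makes a caller with no credential look like an unjailed one, so the jail wildcard replacement is skipped rather than applied; this hides the real problem visible in the backtrace, where the td passed down through tcp_usr_connect() and in_pcbbind() (0xfffffffe5b19a558) is the same thread that frame #16 shows parked in tcpmsg_service_loop(), i.e. the TCP protocol service thread and not the process that issued the connect. The jail check should be evaluated against the credential of the socket's owner rather than the protocol thread, and if the NULL-credential early return is kept as an interim measure, the branch deserves a comment stating why a missing cred is treated as "no prison" at this point.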
