Date: Tue, 22 Oct 2002 14:51:43 -0400 (EDT)
From: John Baldwin <jhb@FreeBSD.org>
To: Vallo Kallaste <kalts@estpak.ee>
Cc: Maxime Henrion <mux@FreeBSD.org>, Vitaly Markitantov <vm@dics.com.ua>, current@FreeBSD.org
Subject: Re: smbfs broken?
Message-ID: <XFMail.20021022145143.jhb@FreeBSD.org>
In-Reply-To: <20021022180527.GA4048@tiiu.internal>
On 22-Oct-2002 Vallo Kallaste wrote:
> On Tue, Oct 22, 2002 at 10:48:58AM -0400, John Baldwin <jhb@FreeBSD.org> wrote:
>
>> Can you compile smbfs into your kernel 'options SMBFS' instead of as a
>> module and then get a dump and provide a trace?
>
>> >#13 0xc0383f58 in calltrap () at {standard input}:99
>> >#14 0xc455a66e in ?? ()
>> >#15 0xc455a072 in ?? ()
>> >#16 0xc4559e87 in ?? ()
>> >#17 0xc45609f8 in ?? ()
>>
>> These frames are in smbfs and are where the bug is, but we obviously
>> can't figure out much with just ??'s.
>
> I had all but SMBFS in kernel, mostly because it has been working
> only occasionally in the near past. Here's the improved backtrace,
> for more information you'll need to step me down your own path, I
> have no debugging skills.
>
>
> Script started on Tue Oct 22 20:57:11 2002
> bash-2.05b# gdb -k /sys/i386/compile/Myhakas-5.0-SMP/kernel.debug /usr/crash/vmcore.0
> GNU gdb 5.2.1 (FreeBSD)
> Copyright 2002 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-undermydesk-freebsd"...
> panic: bdwrite: buffer is not busy
> panic messages:
> ---
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; lapic.id = 00000000
> fault virtual address = 0x2
> fault code = supervisor read, page not present
> instruction pointer = 0x8:0x2

As someone else has pointed out, it is executing at a garbage address
which is why it panic'd. My guess is that smb_smb_readx() called some
function which had a buffer overflow of a variable on the stack and
trashed the return address. Actually, there are some bugs in the
mbchains code. I've just committed a possible fix. Can you cvsup and
try out revision 1.9 of subr_mchain.c and see if it works better?
Thanks.
> #14 0xc03c8aee in smb_smb_readx (ssp=0xc424d034, fid=2048, len=0xd66eb756,
>     rresid=0xd66eb7f8, uio=0xd66eb868, scred=0x0)
>     at ../../../netsmb/smb_smb.c:636
>             md_get_uint16le(mdp, NULL);

The md_get_* functions didn't all handle the case of the second argument
being NULL properly.

-- 

John Baldwin <jhb@FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
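Added illustration, not code from this thread or from FreeBSD's netsmb: the class of defect John describes is a field-extraction helper whose output-pointer argument may legitimately be NULL, meaning "consume the field but discard it", and which some callers (like the `md_get_uint16le(mdp, NULL)` line in the quoted frame) rely on. The flat-buffer `struct mdchain` and the names `md_get_mem`, `md_get_uint16le` and `parse_readx_reply` below are assumptions modelled on the identifiers in the backtrace; the real code walks an mbuf chain, and the actual bug fixed in subr_mchain.c is not reproduced here. The reply bytes are constructed. The point of the example is the two checks a defender wants in every such helper: a NULL destination is honoured rather than written through, and every read is bounded by the data actually present, so a short reply yields an error instead of touching caller memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flat-buffer stand-in for the netsmb mdchain (constructed
 * for this example; the real one walks an mbuf chain). */
struct mdchain {
	const uint8_t *base;	/* start of the reply */
	size_t len;		/* total bytes available */
	size_t off;		/* bytes consumed so far */
};

/*
 * Consume 'size' bytes.  A NULL target means "skip this field": the
 * offset still advances but nothing is written.  Returns 0 on success
 * and -1, without advancing, if the chain is too short.
 */
static int
md_get_mem(struct mdchain *mdp, void *target, size_t size)
{
	if (mdp == NULL || mdp->off > mdp->len || size > mdp->len - mdp->off)
		return (-1);
	if (target != NULL)
		memcpy(target, mdp->base + mdp->off, size);
	mdp->off += size;
	return (0);
}

/*
 * Read a little-endian 16-bit field.  Decoding goes through a local
 * buffer of exactly the field size, and the result is stored only when
 * the caller supplied somewhere to put it.
 */
static int
md_get_uint16le(struct mdchain *mdp, uint16_t *x)
{
	uint8_t raw[2];

	if (md_get_mem(mdp, raw, sizeof(raw)) != 0)
		return (-1);
	if (x != NULL)
		*x = (uint16_t)(raw[0] | ((uint16_t)raw[1] << 8));
	return (0);
}

/*
 * Constructed reply layout: 1-byte word count, two 16-bit fields the
 * caller does not need, then a 16-bit data length (0x1234 here).
 */
static const uint8_t sample_reply[] = {
	0x05, 0x00, 0xff, 0x00, 0x01, 0x34, 0x12
};

/*
 * Walk the reply the way the quoted smb_smb_readx() frame does: fields
 * that are not needed are read with a NULL destination.  Returns 0 and
 * stores the data length, or -1 on a truncated reply (dlen untouched).
 */
int
parse_readx_reply(const uint8_t *buf, size_t len, uint16_t *dlen)
{
	struct mdchain md = { buf, len, 0 };
	uint8_t wc;

	if (md_get_mem(&md, &wc, sizeof(wc)) != 0)
		return (-1);
	if (md_get_uint16le(&md, NULL) != 0)	/* skipped field */
		return (-1);
	if (md_get_uint16le(&md, NULL) != 0)	/* skipped field */
		return (-1);
	return (md_get_uint16le(&md, dlen));
}

int
main(void)
{
	uint16_t dlen = 0;

	if (parse_readx_reply(sample_reply, sizeof(sample_reply), &dlen) == 0)
		printf("data length = 0x%04x\n", dlen);
	if (parse_readx_reply(sample_reply, 5, &dlen) != 0)
		printf("truncated reply rejected\n");
	return (0);
}
```

Running it prints the decoded length for the full reply and rejects the same bytes cut to five, where the final field is missing. A helper that instead decoded into `*x` unconditionally, or copied a fixed field size without checking the remaining length, is exactly the kind of routine whose misbehaviour shows up not at the faulting line but as a corrupted frame further up the stack, as in the trace above.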