From owner-freebsd-current Tue Oct 22 11:52:00 2002
Delivered-To: freebsd-current@freebsd.org
Date: Tue, 22 Oct 2002 14:51:43 -0400 (EDT)
From: John Baldwin <jhb@FreeBSD.org>
To: Vallo Kallaste
Cc: Maxime Henrion, Vitaly Markitantov, current@FreeBSD.org
Subject: Re: smbfs broken?
In-Reply-To: <20021022180527.GA4048@tiiu.internal>
X-Mailer: XFMail 1.5.2 on FreeBSD
Sender: owner-freebsd-current@FreeBSD.ORG

On 22-Oct-2002 Vallo Kallaste wrote:
> On Tue, Oct 22, 2002 at 10:48:58AM -0400, John Baldwin wrote:
>
>> Can you compile smbfs into your kernel 'options SMBFS' instead of as a
>> module and then get a dump and provide a trace?
>
>> >#13 0xc0383f58 in calltrap () at {standard input}:99
>> >#14 0xc455a66e in ?? ()
>> >#15 0xc455a072 in ?? ()
>> >#16 0xc4559e87 in ?? ()
>> >#17 0xc45609f8 in ?? ()
>>
>> These frames are in smbfs and are where the bug is, but we obviously
>> can't figure out much with just ??'s.
>
> I had all but SMBFS in kernel, mostly because it has been working
> only occasionally in the near past. Here's the improved backtrace,
> for more information you'll need to step me down your own path, I
> have no debugging skills.
>
>
> Script started on Tue Oct 22 20:57:11 2002
> bash-2.05b# gdb -k /sys/i386/compile/Myhakas-5.0-SMP/kernel.debug /usr/crash/vmcore.0
> GNU gdb 5.2.1 (FreeBSD)
> Copyright 2002 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-undermydesk-freebsd"...
> panic: bdwrite: buffer is not busy
> panic messages:
> ---
> Fatal trap 12: page fault while in kernel mode
> cpuid = 0; lapic.id = 00000000
> fault virtual address = 0x2
> fault code = supervisor read, page not present
> instruction pointer = 0x8:0x2

As someone else has pointed out, it is executing at a garbage address
which is why it panic'd. My guess is that smb_smb_readx() called some
function which had a buffer overflow of a variable on the stack and
trashed the return address. Actually, there are some bugs in the
mbchains code. I've just committed a possible fix. Can you cvsup and
try out revision 1.9 of subr_mchain.c and see if it works better?
Thanks.

>#14 0xc03c8aee in smb_smb_readx (ssp=0xc424d034, fid=2048, len=0xd66eb756,
> rresid=0xd66eb7f8, uio=0xd66eb868, scred=0x0)
> at ../../../netsmb/smb_smb.c:636
> md_get_uint16le(mdp, NULL);

The md_get_* functions didn't all handle the case of the second argument
being NULL properly.

-- 

John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
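The failure mode John describes, a packet-field getter called with a NULL output pointer to mean "skip this field", is easy to model in userland. The block below is an added example written for this archive page; it is not FreeBSD's subr_mchain.c, not revision 1.9 of it, and not netsmb code. Its `struct mdchain` is a flat-buffer stand-in for the real mbuf-chain cursor, the `md_*` names mirror the netsmb API only in shape, and `parse_sample_reply` walks a constructed layout rather than any real SMB response. The two checks a practitioner wants are both in one place, `md_get_mem`: a length check so a short packet returns an error instead of reading past the buffer, and a NULL-target check so a skipped field only advances the cursor. The typed getters decode into a local first and store through the caller's pointer only after checking it, which is the discipline a `md_get_uint16le(mdp, NULL)` call relies on.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef EBADRPC
#define EBADRPC 72 /* BSD errno for a malformed packet; defined for non-BSD hosts */
#endif

/* Read cursor over a received packet. A simplified stand-in for netsmb's
 * struct mdchain, which walks an mbuf chain rather than a flat buffer. */
struct mdchain {
    const uint8_t *cur;  /* next unread byte */
    size_t         left; /* bytes remaining after cur */
};

static void md_initm(struct mdchain *mdp, const uint8_t *buf, size_t len)
{
    mdp->cur = buf;
    mdp->left = len;
}

/* Copy `size` bytes into `target` and advance. A NULL target means "skip".
 * Every typed getter funnels through here, so the bounds check and the
 * NULL check each exist exactly once. */
static int md_get_mem(struct mdchain *mdp, void *target, size_t size)
{
    if (mdp->left < size)
        return EBADRPC;  /* short packet: fail rather than read past the end */
    if (target != NULL)
        memcpy(target, mdp->cur, size);
    mdp->cur += size;
    mdp->left -= size;
    return 0;
}

static uint16_t le16dec_bytes(const uint8_t b[2])
{
    return (uint16_t)(b[0] | ((uint16_t)b[1] << 8));
}

static uint32_t le32dec_bytes(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

static int md_get_uint8(struct mdchain *mdp, uint8_t *x)
{
    return md_get_mem(mdp, x, 1);  /* md_get_mem tolerates x == NULL */
}

/* Decode into a local, then store only if the caller asked for the value.
 * Handing a NULL x to memcpy as a destination, or writing *x unchecked,
 * are the two ways a getter like this goes wrong. */
static int md_get_uint16le(struct mdchain *mdp, uint16_t *x)
{
    uint8_t raw[2];
    int error = md_get_mem(mdp, raw, sizeof raw);
    if (error == 0 && x != NULL)
        *x = le16dec_bytes(raw);
    return error;
}

static int md_get_uint32le(struct mdchain *mdp, uint32_t *x)
{
    uint8_t raw[4];
    int error = md_get_mem(mdp, raw, sizeof raw);
    if (error == 0 && x != NULL)
        *x = le32dec_bytes(raw);
    return error;
}

/* Walk a constructed fixed layout (hypothetical, not an SMB wire format):
 *   uint8    word count  (skipped)
 *   uint16le reserved    (skipped, same shape as md_get_uint16le(mdp, NULL))
 *   uint16le data_len
 *   uint32le data_off
 * Returns 0 on success or EBADRPC if the buffer ends early. */
static int parse_sample_reply(const uint8_t *buf, size_t len,
                              uint16_t *data_len, uint32_t *data_off)
{
    struct mdchain md;
    int error;

    md_initm(&md, buf, len);
    if ((error = md_get_uint8(&md, NULL)) != 0)        return error;
    if ((error = md_get_uint16le(&md, NULL)) != 0)     return error;
    if ((error = md_get_uint16le(&md, data_len)) != 0) return error;
    if ((error = md_get_uint32le(&md, data_off)) != 0) return error;
    return 0;
}

int main(void)
{
    /* Constructed sample: wct=3, reserved=0x2211, data_len=0x1234,
     * data_off=0x12345678, one trailing byte. Not a captured packet. */
    static const uint8_t pkt[] = { 0x03, 0x11, 0x22, 0x34, 0x12,
                                   0x78, 0x56, 0x34, 0x12, 0xaa };
    uint16_t dlen = 0;
    uint32_t doff = 0;
    int error = parse_sample_reply(pkt, sizeof pkt, &dlen, &doff);

    printf("full: error=%d data_len=0x%04x data_off=0x%08x\n", error, dlen, doff);
    /* Truncated to 5 bytes, data_off cannot be read and the parse must fail. */
    error = parse_sample_reply(pkt, 5, &dlen, &doff);
    printf("truncated: error=%d (EBADRPC=%d)\n", error, EBADRPC);
    return 0;
}
```

Because the real cursor sits on an mbuf chain, the kernel's copy step is more involved than the `memcpy` here, but the shape of the fix is the same: one routine that handles both "not enough bytes" and "caller wants nothing back", and typed getters that never touch the caller's pointer until they have checked it.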