Distribution: Slackware 9.1

Problem Description:
File operations on smbfs fail frequently with the following traces in dmesg:

smb_proc_readX_data: offset is larger than SMB_READX_MAX_PAD or negative!
smb_proc_readX_data: -35 > 64 || -35 < 0
smb_add_request: request [e1b2ce60, mid=400] timed out!
BUG: atomic counter underflow at:
 [<e9aa9df0>] smb_rput+0x50/0x60 [smbfs]
 [<e9aa3a3c>] smb_proc_readX+0xdc/0xf0 [smbfs]
 [<e9aa8d77>] smb_readpage_sync+0x97/0x120 [smbfs]
 [<e9aa8e17>] smb_readpage+0x17/0x60 [smbfs]
 [<c0134b80>] read_pages+0xf0/0x140
 [<c0134c7e>] __do_page_cache_readahead+0xae/0x100
 [<c0134e11>] blockable_page_cache_readahead+0x51/0xd0
 [<c0134f03>] make_ahead_window+0x73/0xb0
 [<c0134ff3>] page_cache_readahead+0xb3/0x170
 [<c012ed2c>] do_generic_mapping_read+0x53c/0x550
 [<e9aa52b0>] smb_proc_getattr_trans2+0x80/0xf0 [smbfs]
 [<c012efb7>] __generic_file_aio_read+0x1a7/0x1f0
 [<c012ed40>] file_read_actor+0x0/0xd0
 [<c012f10c>] generic_file_read+0x9c/0xc0
 [<c0124850>] autoremove_wake_function+0x0/0x50
 [<e9aa912e>] smb_file_read+0x7e/0x90 [smbfs]
 [<c0148114>] vfs_read+0xb4/0x140
 [<c0148407>] sys_read+0x47/0x80
 [<c0102975>] syscall_call+0x7/0xb

Even just listing smbfs mount points will cause trouble:

BUG: atomic counter underflow at:
 [<e9aa9df0>] smb_rput+0x50/0x60 [smbfs]
 [<e9aa5516>] smb_proc_getattr_trans2_all+0xd6/0xf0 [smbfs]
 [<c01543c9>] follow_mount+0x59/0xb0
 [<e9aa5835>] smb_proc_getattr+0x35/0x60 [smbfs]
 [<e9aa80c3>] smb_refresh_inode+0x23/0x120 [smbfs]
 [<e9aa81f4>] smb_revalidate_inode+0x34/0x40 [smbfs]
 [<e9aa89e9>] smb_getattr+0x19/0x40 [smbfs]
 [<e9aa89d0>] smb_getattr+0x0/0x40 [smbfs]
 [<c015071a>] vfs_getattr+0x2a/0x90
 [<c0150810>] vfs_lstat+0x40/0x50
 [<c0150e52>] sys_lstat64+0x12/0x30
 [<c010db70>] do_page_fault+0x0/0x581
 [<c0102975>] syscall_call+0x7/0xb

If it matters, the local SMB client is samba 2.2.10, and the remote SMB server is samba 2.2.10 as well.
Steps to reproduce:
cat /mnt/some_smbfs/some_file > /dev/null
or
ls -l /mnt (where some mount points have smbfs type)

Grepping through the logs reveals that the problem never happened before this morning, so the problem has to be new in 2.6.12-rc1-mm3.
I can reproduce it on a different client machine (completely different hardware, Slackware 10.1, samba 3.0.10) running 2.6.12-rc1-mm3 as well. Same server though.
Reverting fs-smbfs-requestc-fix-null-dereference.patch fixed the problem, and actually the patch looks broken to me.
Created attachment 4804: Proposed replacement patch
Thanks for this report. I'll discuss it in your linux-kernel message.
The faulty patch was dropped in 2.6.12-rc1-mm4, fixing the problem.
This bug seems to have reappeared in 2.6.16-rc4-mm1. Looking at the code for request.c, it seems as if Jean's patch hasn't been applied yet.

smb_add_request: request [cc805080, mid=52] timed out!
BUG: atomic counter underflow at:
 <df9afac0> smb_rput+0x1b/0x6b [smbfs]
 <df9abdb6> smb_proc_readX+0xd3/0xdb [smbfs]
 <df9af0a7> smb_readpage+0xd5/0x15a [smbfs]
 <c01379ed> __do_page_cache_readahead+0x1db/0x244
 <c02e989e> release_sock+0x6e/0xbf
 <c02e98e7> release_sock+0xb7/0xbf
 <c0118a10> local_bh_enable+0x5f/0x73
 <c030db02> tcp_sendmsg+0x898/0x94e
 <c0137c55> blockable_page_cache_readahead+0x45/0x99
 <c0137dd2> page_cache_readahead+0x9c/0x132
 <c0132ef0> do_generic_mapping_read+0x155/0x441
 <c013391d> __generic_file_aio_read+0x16d/0x1b8
 <c0131cfa> file_read_actor+0x0/0xe2
 <c0133ac6> generic_file_read+0xad/0xc3
 <c01249b4> autoremove_wake_function+0x0/0x3a
 <df9ae9c1> smb_revalidate_inode+0x50/0x58 [smbfs]
 <df9aed42> smb_file_read+0x26/0x72 [smbfs]
 <c014b691> vfs_read+0x87/0x11d
 <c014bfbd> sys_read+0x3b/0x64
 <c0102b93> sysenter_past_esp+0x54/0x75
smb_add_request: request [cc805e80, mid=53] timed out!
John, what makes you think the original bug and yours are the same? Granted, the trace looks the same, but there are no changes to fs/smbfs/request.c in 2.6.16-rc4-mm1 so the cause of the problem is unlikely to be the same. Note that there is nothing wrong with my patch not having been applied. It was simply a proposed replacement for the -mm patch which had been causing the problem in the first place; that original patch was finally discarded. I hope to have some time to test 2.6.16-rc4-mm1 myself this evening and see if I can reproduce your problem. At any rate, I believe you'd better open a new bug.
Any news about this? I wasn't able to reproduce the problem, smbfs seems to work fine for me in 2.6.16-rc4-mm1 and -mm2. John, can you please try 2.6.16-rc5-mm2 and report?
No feedback from John Carter, so I am closing this bug again.