Bug 4403 - atomic counter underflow in smbfs
Status: CLOSED CODE_FIX
Alias: None
Product: Alternate Trees
Classification: Unclassified
Component: mm
Hardware: i386 Linux
Importance: P2 high
Assignee: Adrian Bunk
Reported: 2005-03-25 23:38 UTC by Jean Delvare
Modified: 2006-04-23 08:25 UTC

Kernel Version: 2.6.12-rc1-mm3

Attachments
Proposed replacement patch (1.29 KB, patch)
2005-03-26 01:48 UTC, Jean Delvare

Description Jean Delvare 2005-03-25 23:38:41 UTC
Distribution: Slackware 9.1
Problem Description:

File operations on smbfs fail frequently with the following traces in dmesg:

smb_proc_readX_data: offset is larger than SMB_READX_MAX_PAD or negative!
smb_proc_readX_data: -35 > 64 || -35 < 0
smb_add_request: request [e1b2ce60, mid=400] timed out!
BUG: atomic counter underflow at:
 [<e9aa9df0>] smb_rput+0x50/0x60 [smbfs]
 [<e9aa3a3c>] smb_proc_readX+0xdc/0xf0 [smbfs]
 [<e9aa8d77>] smb_readpage_sync+0x97/0x120 [smbfs]
 [<e9aa8e17>] smb_readpage+0x17/0x60 [smbfs]
 [<c0134b80>] read_pages+0xf0/0x140
 [<c0134c7e>] __do_page_cache_readahead+0xae/0x100
 [<c0134e11>] blockable_page_cache_readahead+0x51/0xd0
 [<c0134f03>] make_ahead_window+0x73/0xb0
 [<c0134ff3>] page_cache_readahead+0xb3/0x170
 [<c012ed2c>] do_generic_mapping_read+0x53c/0x550
 [<e9aa52b0>] smb_proc_getattr_trans2+0x80/0xf0 [smbfs]
 [<c012efb7>] __generic_file_aio_read+0x1a7/0x1f0
 [<c012ed40>] file_read_actor+0x0/0xd0
 [<c012f10c>] generic_file_read+0x9c/0xc0
 [<c0124850>] autoremove_wake_function+0x0/0x50
 [<e9aa912e>] smb_file_read+0x7e/0x90 [smbfs]
 [<c0148114>] vfs_read+0xb4/0x140
 [<c0148407>] sys_read+0x47/0x80
 [<c0102975>] syscall_call+0x7/0xb

Even just listing smbfs mount points will cause trouble:
BUG: atomic counter underflow at:
 [<e9aa9df0>] smb_rput+0x50/0x60 [smbfs]
 [<e9aa5516>] smb_proc_getattr_trans2_all+0xd6/0xf0 [smbfs]
 [<c01543c9>] follow_mount+0x59/0xb0
 [<e9aa5835>] smb_proc_getattr+0x35/0x60 [smbfs]
 [<e9aa80c3>] smb_refresh_inode+0x23/0x120 [smbfs]
 [<e9aa81f4>] smb_revalidate_inode+0x34/0x40 [smbfs]
 [<e9aa89e9>] smb_getattr+0x19/0x40 [smbfs]
 [<e9aa89d0>] smb_getattr+0x0/0x40 [smbfs]
 [<c015071a>] vfs_getattr+0x2a/0x90
 [<c0150810>] vfs_lstat+0x40/0x50
 [<c0150e52>] sys_lstat64+0x12/0x30
 [<c010db70>] do_page_fault+0x0/0x581
 [<c0102975>] syscall_call+0x7/0xb

If it matters, the local SMB client is samba 2.2.10, and the remote SMB server
is samba 2.2.10 as well.

Steps to reproduce:
cat /mnt/some_smbfs/some_file > /dev/null
or
ls -l /mnt (where some mount points have smbfs type)

Grep'ing through the logs reveals that the problem never happened before this
morning, so the problem has to be new in 2.6.12-rc1-mm3.
Comment 1 Jean Delvare 2005-03-25 23:47:39 UTC
I can reproduce it on a different client machine (completely different hardware,
Slackware 10.1, samba 3.0.10) running 2.6.12-rc1-mm3 as well. Same server though.
Comment 2 Jean Delvare 2005-03-26 00:23:03 UTC
Reverting fs-smbfs-requestc-fix-null-dereference.patch fixed the problem, and
actually the patch looks broken to me.
Comment 3 Jean Delvare 2005-03-26 01:48:52 UTC
Created attachment 4804
Proposed replacement patch
Comment 4 Adrian Bunk 2005-03-26 04:17:55 UTC
Thanks for this report.

I'll discuss it in your linux-kernel message.
Comment 5 Jean Delvare 2005-04-09 01:41:49 UTC
The faulty patch was dropped in 2.6.12-rc1-mm4, fixing the problem.
Comment 6 John Carter 2006-02-22 14:32:10 UTC
This bug seems to have reappeared in 2.6.16-rc4-mm1. Looking at the code for
request.c it seems as if Jean's patch hasn't been applied yet.

smb_add_request: request [cc805080, mid=52] timed out!
BUG: atomic counter underflow at:
 <df9afac0> smb_rput+0x1b/0x6b [smbfs]   <df9abdb6> smb_proc_readX+0xd3/0xdb [smbfs]
 <df9af0a7> smb_readpage+0xd5/0x15a [smbfs]   <c01379ed>
__do_page_cache_readahead+0x1db/0x244
 <c02e989e> release_sock+0x6e/0xbf   <c02e98e7> release_sock+0xb7/0xbf
 <c0118a10> local_bh_enable+0x5f/0x73   <c030db02> tcp_sendmsg+0x898/0x94e
 <c0137c55> blockable_page_cache_readahead+0x45/0x99   <c0137dd2>
page_cache_readahead+0x9c/0x132
 <c0132ef0> do_generic_mapping_read+0x155/0x441   <c013391d>
__generic_file_aio_read+0x16d/0x1b8
 <c0131cfa> file_read_actor+0x0/0xe2   <c0133ac6> generic_file_read+0xad/0xc3
 <c01249b4> autoremove_wake_function+0x0/0x3a   <df9ae9c1>
smb_revalidate_inode+0x50/0x58 [smbfs]
 <df9aed42> smb_file_read+0x26/0x72 [smbfs]   <c014b691> vfs_read+0x87/0x11d
 <c014bfbd> sys_read+0x3b/0x64   <c0102b93> sysenter_past_esp+0x54/0x75
smb_add_request: request [cc805e80, mid=53] timed out!
Comment 7 Jean Delvare 2006-02-24 00:55:03 UTC
John, what makes you think the original bug and yours are the same? Granted, 
the trace looks the same, but there are no changes to fs/smbfs/request.c in 
2.6.16-rc4-mm1 so the cause of the problem is unlikely to be the same.

Note that there is nothing wrong with my patch not having been applied. It was 
simply a proposed replacement for the -mm patch which had been causing the 
problem in the first place; that original patch was finally discarded.

I hope to have some time to test 2.6.16-rc4-mm1 myself this evening and see if 
I can reproduce your problem. At any rate, I believe you'd better open a new 
bug.
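
Added triage example (not part of the original report and not kernel or Bugzilla tooling): a Python script that pulls the frames out of each "atomic counter underflow" report in dmesg text, accepting both trace layouts quoted on this page, and lists the innermost frames two reports share. The function names and regular expressions are assumptions of this example; the sample input is excerpted from the traces in the description and in comment 6.

```python
import re

MARKER = "BUG: atomic counter underflow at:"
# A line belongs to a trace if it has an <address> or a sym+0xOFF/0xLEN token.
TRACE_LINE = re.compile(r"<[0-9a-f]{8,16}>|\+0x[0-9a-f]+/0x[0-9a-f]+")
# One frame, "[<addr>] sym+0x50/0x60 [mod]" or "<addr> sym+0x1b/0x6b [mod]";
# \s+ after the address also spans the line wraps in the 2.6.16 paste.
FRAME = re.compile(
    r"\[?<[0-9a-f]{8,16}>\]?\s+(?P<sym>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?:[ \t]+\[(?P<mod>\w+)\])?"
)

def underflow_traces(log):
    """Return one list of (symbol, module) frames per underflow report in log."""
    traces, lines = [], log.splitlines()
    for i, line in enumerate(lines):
        if MARKER not in line:
            continue
        body = []
        for nxt in lines[i + 1:]:
            if not TRACE_LINE.search(nxt):
                break  # first non-trace line ends this report
            body.append(nxt)
        traces.append([(m["sym"], m["mod"]) for m in FRAME.finditer("\n".join(body))])
    return traces

def shared_top(a, b):
    """Leading frames (innermost first) that two traces have in common."""
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]

# Excerpts of the traces quoted in this report (2.6.12-rc1-mm3, then 2.6.16-rc4-mm1).
SAMPLE = """\
BUG: atomic counter underflow at:
 [<e9aa9df0>] smb_rput+0x50/0x60 [smbfs]
 [<e9aa3a3c>] smb_proc_readX+0xdc/0xf0 [smbfs]
 [<e9aa8d77>] smb_readpage_sync+0x97/0x120 [smbfs]
smb_add_request: request [cc805080, mid=52] timed out!
BUG: atomic counter underflow at:
 <df9afac0> smb_rput+0x1b/0x6b [smbfs]   <df9abdb6> smb_proc_readX+0xd3/0xdb [smbfs]
 <df9af0a7> smb_readpage+0xd5/0x15a [smbfs]   <c01379ed>
__do_page_cache_readahead+0x1db/0x244
smb_add_request: request [cc805e80, mid=53] timed out!
"""

if __name__ == "__main__":
    old, new = underflow_traces(SAMPLE)
    print(shared_top(old, new))
```

Matching leading frames show only that the same counter tripped on the same call path; they do not identify which change unbalanced it.
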
Comment 8 Jean Delvare 2006-03-03 14:44:56 UTC
Any news about this?

I wasn't able to reproduce the problem; smbfs seems to work fine for me in
2.6.16-rc4-mm1 and -mm2.

John, can you please try 2.6.16-rc5-mm2 and report?
Comment 9 Jean Delvare 2006-04-23 08:25:52 UTC
No feedback from John Carter, so I am closing this bug again.
