Bug #14989

closed

SMB panic running smbtorture smb2.durable-open.delete_on_close1

Added by Gordon Ross 7 days ago. Updated 3 days ago.

Status: Closed
Priority: Normal
Assignee:
Category: cifs - CIFS server and client
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:
External Bug: racktop:BSR-11788

Description

While doing tests on some other changes, hit this panic:

# mdb -k 6
Loading modules: [ ... ]
> ::status
panic message: assertion failed: of->f_fid != 0, file: ../../common/fs/smbsrv/smb_ofile.c, line: 445
dump content: kernel pages only
> $C
fffffe000840c4c0 vpanic()
fffffe000840c510 0xfffffffffbdcd945()
fffffe000840c560 smb_ofile_open+0xaa(fffffe06af746010, fffffe06af746278, fffffe06b148a3e0)
fffffe000840c6e0 smb_common_open+0x119e(fffffe06af746010)
fffffe000840caa0 smb2_create+0x7b5(fffffe06af746010)
fffffe000840cb20 smb2sr_work+0x53d(fffffe06af746010)
fffffe000840cb60 smb2_tq_work+0x94(fffffe06af746010)
fffffe000840cc00 taskq_d_thread+0x12d(fffffe065b5e3c90)
fffffe000840cc10 thread_start+0xb()

From racktop: c673240f86b2d7c360d60573fe4db79f34a39190
BSR-11788 SMB panic running smbtorture smb2.durable-open.delete_on_close1

Actions #1

Updated by Gordon Ross 7 days ago

Upstreaming from racktop
commit a0ec0274f91d1706af556b33637c81df96b8bd87
Author: Gordon Ross <>
Date: Sun Jul 10 21:37:04 2022 -0400

BSR-11788 SMB panic running smbtorture smb2.durable-open.delete_on_close1

Internal reviewers:
Jerry Jelinek
Garrett D'Amore
Andy Stormont
Sam Zaydel

Actions #2

Updated by Gordon Ross 7 days ago

  • Description updated (diff)
Actions #3

Updated by Toomas Soome 7 days ago

  • Description updated (diff)
Actions #4

Updated by Electric Monk 7 days ago

  • Gerrit CR set to 2372
Actions #5

Updated by Gordon Ross 7 days ago

The oplock break logic requires a "proposed open", which smbsrv represents as an smb_ofile_t that's not yet in the list of open files (on the smb_node_t). That ofile is created about halfway through the "last_comp_found" part of the big if/else. Note that after we do the smb_ofile_alloc(), the "tree_fid" we reserved earlier is put on that ofile, and the local "tree_fid" variable is cleared so the function exit cleanup will not free it.

It's possible that an object can become unavailable (e.g. marked for deletion) after we've found it, so there's code to "back out of" the state we put in place after finding the object. That state "back out" is incomplete, because we need to "take back" the "tree_fid" we previously "gave" to the ofile (we'll need that tree_fid later). That part of the "back out" logic was incomplete, leading to the later ofile_open being passed an invalid FID.
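
The hand-off described in the comment above, modelled in C as an added example (not part of the original thread and not the smbsrv source): the ofile takes ownership of the reserved FID, and a back-out that does not take it back leaves the continued open with FID 0. All names except f_fid and tree_fid are hypothetical, and the model assumes that a discarded ofile releases the FID it still owns and that the open then continues with a second allocation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified model of the FID hand-off; hypothetical names, not smbsrv code. */
struct ofile { uint16_t f_fid; };
static uint16_t next_fid = 1;
static int fids_reserved = 0;	/* FIDs currently reserved (leak check) */
static uint16_t fid_reserve(void) { fids_reserved++; return (next_fid++); }
static void fid_release(uint16_t fid) { if (fid != 0) fids_reserved--; }

/* "Proposed open": the new ofile takes ownership of the reserved FID. */
static struct ofile *ofile_alloc(uint16_t *tree_fid)
{
	struct ofile *of = calloc(1, sizeof (*of));
	if (of == NULL)
		return (NULL);
	of->f_fid = *tree_fid;
	*tree_fid = 0;		/* exit cleanup must not free it now */
	return (of);
}

/* Discard an ofile; whatever FID it still owns is released with it. */
static void ofile_discard(struct ofile *of) { fid_release(of->f_fid); free(of); }

/* Returns the FID reaching the final open; 0 models "of->f_fid != 0" failing. */
uint16_t model_open(bool object_vanished, bool complete_backout)
{
	uint16_t opened, tree_fid = fid_reserve();
	struct ofile *of = ofile_alloc(&tree_fid);
	if (of != NULL && object_vanished) {
		if (complete_backout) {		/* take the FID back first */
			tree_fid = of->f_fid;
			of->f_fid = 0;
		}
		ofile_discard(of);
		of = ofile_alloc(&tree_fid);	/* assumed: open continues */
	}
	if (of == NULL) {
		fid_release(tree_fid);
		return (0);
	}
	opened = of->f_fid;
	ofile_discard(of);		/* model stops here: close the handle */
	return (opened);
}

/* Exit status 0 when the complete back-out yields a valid FID. */
int main(void) { return (model_open(true, true) != 0 ? 0 : 1); }
```

Calling model_open(true, false) returns 0, the value that trips the assertion in the panic message; with the FID taken back before the discard, the same path returns a valid FID and the reservation count returns to zero.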

Actions #6

Updated by Toomas Soome 7 days ago

  • Description updated (diff)
Actions #7

Updated by Toomas Soome 7 days ago

  • Description updated (diff)
Actions #8

Updated by Toomas Soome 6 days ago

  • External Bug set to racktop:BSR-11788
Actions #9

Updated by Gordon Ross 6 days ago

Testing: smbtorture smb2.durable-open.delete_on_close1
It's tricky to hit this. One may need to try several times, or delay an open after the lookup so another request can mark the object deleted.

Actions #10

Updated by Electric Monk 3 days ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 088ae41ea793fc92f1e949ea035e6d896025acb4

commit  088ae41ea793fc92f1e949ea035e6d896025acb4
Author: Gordon Ross <gwr@racktopsystems.com>
Date:   2022-09-23T19:54:59.000Z

    14989 SMB panic running smbtorture smb2.durable-open.delete_on_close1
    Reviewed-by: Jerry Jelinek <gjelinek@racktopsystems.com>
    Reviewed-by: Garrett D'Amore <gdamore@damore.org>
    Reviewed by: Andy Stormont <astormont@racktopsystems.com>
    Reviewed by: Sam Zaydel <szaydel@racktopsystems.com>
    Reviewed by: Gordon Ross <Gordon.W.Ross@gmail.com>
    Reviewed by: Matt Barden <mbarden@tintri.com>
    Approved by: Dan McDonald <danmcd@mnx.io>
