Red Hat Bugzilla – Bug 426080
CIFS: cifs_write() vs cifs_close() race
Last modified: 2014-06-18 03:37:14 EDT
Virtuozzo kenrel based on RHEL4.5 kernel 2.6.9-55.el4 has been crashed with the following calltrace: Dec 13 04:00:26 kernel: CIFS VFS: No response to cmd 47 mid 1435 Dec 13 04:00:26 kernel: CIFS VFS: No response to cmd 47 mid 1442 Dec 13 04:00:26 kernel: CIFS VFS: No response to cmd 47 mid 1438 Dec 13 04:00:26 kernel: CIFS VFS: close with pending writes Dec 13 04:00:29 last message repeated 4 times Dec 13 04:00:30 kernel: CIFS VFS: Send error in Close = -9 Dec 13 04:00:33 kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000008 printing eip: ed496813 *pde = 00004001 Oops: 0000 [#1] SMP Modules linked in: smbfs loop mptctl simfs tun nls_iso8859_1 cifs vzrst iptable_nat vzcpt ip_conntrack ip_vzredir vzredir vzcompat vzdquota vzfs vzethdev vzevent vzlist vzstat ip_vznetstat af_packet ipt_length ipt_ttl ipt_tcpmss ipt_TCPMSS iptable_mangle ipt_multiport ipt_limit ipt_tos ipt_REJECT 8021q bridge vznet vznetstat vzmon vzdev iptable_filter ip_tables thermal processor fan button battery ac uhci_hcd ehci_hcd e1000 sg CPU: 0, VCPU: 4904:2 EIP: 0060:[<ed496813>] Tainted: P VLI EFLAGS: 00210246 (2.6.9-023stab044.4-enterprise) EIP is at cifs_write+0x13/0x530 [cifs] eax: 00000000 ebx: 00000000 ecx: 11e5cf00 edx: 03000000 esi: 1832d0d0 edi: 00001000 ebp: 00000000 esp: 25f05b88 ds: 007b es: 007b ss: 0068 Process server_linux (pid: 10458, veid=4904, threadinfo=25f04000 task=c1c04660) Stack: 2841f940 11e5cf00 00000001 40000000 00000040 25f05bbe 25f05bb8 00000000 ed310c80 00000000 11e5cf00 2841f940 00000001 1dde6954 bcc98e00 1832d0b4 00000000 1832d0d0 ed496dbb 1832d0d0 2ed689c0 bcc98e00 1832d0d0 00001000 Call Trace: [<ed496dbb>] find_writable_file+0x8b/0x100 [cifs] [<ed496f5a>] cifs_partialpagewrite+0x12a/0x1e0 [cifs] [<ed497065>] cifs_writepage+0x55/0x140 [cifs] [<02165369>] pageout+0xb9/0x100 [<024e98c1>] __cond_resched+0x21/0x50 [<0216567e>] shrink_list+0x2ce/0x4c0 [<02165a10>] shrink_cache+0x1a0/0x420 [<02166392>] shrink_zone+0xa2/0xe0 [<02166439>] shrink_caches+0x69/0x80 [<02166607>] try_to_free_pages+0x117/0x340 [<0215d1d7>] __alloc_pages+0x2c7/0x440 [<0215d36b>] __get_free_pages+0x1b/0x40 [<0219513c>] __pollwait+0x8c/0xd0 [<024ab239>] tcp_poll+0x1b9/0x280 [<0247cf76>] sock_poll+0x26/0x30 [<02195432>] do_select+0x1b2/0x310 [<021950b0>] __pollwait+0x0/0xd0 [<021958c0>] sys_select+0x2f0/0x530 [<0210ab4d>] handle_IRQ_event+0x5d/0xb0 Code: ed 89 74 24 08 89 44 24 04 e8 3a 5f c9 14 b8 f7 ff ff ff e9 c4 fd ff ff 55 31 ed 57 56 53 83 ec 54 31 db 89 5c 24 40 8b 44 24 68 <8b> 50 08 b8 f7 ff ff ff 85 d2 0f 84 8e 02 00 00 8b 42 58 8b 80 cifs_write() was failed on the first file dereference. "close with pending writes" and "CIFS VFS: Send error in Close = -9" point us to cifs_close(). Obviously writable file was closed before it was processed by cifs_write(). I belive this issue was fixed in mainline by the following patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=15745320f374aa6cbfe4836b76469159c0f49640 [CIFS] Fix oops in find_writable_file Steve French [Fri, 7 Sep 2007 22:23:48 +0000 (22:23 +0000)] There was a case in which find_writable_file was not waiting long enough under heavy stress when writepages was racing with close of the file handle being used by the write. Signed-off-by: Steve French <sfrench@us.ibm.com> Jeff, I've checked Your latest testkernel 2.6.9-68.2.EL.jtltest.28 but it looks like You still have not fixed this issue.
Thanks for the report. We'll make sure we get this resolved for 4.7.
I've got some test kernels on my people page that contain a new CIFS update and should have a patch for this: http://people.redhat.com/jlayton It would be nice if the reporter could test these kernels on a non-critical machine and let us know if the problem seems to be resolved.
Folding this into bug 427544, which is a bug tracking the update of CIFS code for 4.7. *** This bug has been marked as a duplicate of 427544 ***