netbsd-bugs: kern/30831: smbfs crashes on smp box

Subject: kern/30831: smbfs crashes on smp box
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <deadbug@gmail.com>
List: netbsd-bugs
Date: 07/25/2005 12:13:01

>Number:         30831
>Category:       kern
>Synopsis:       smbfs crashes on smp box
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 25 12:13:00 +0000 2005
>Originator:     Martin Végiard
>Release:        3.0_BETA
>Organization:
>Environment:
NetBSD Z 3.0_BETA NetBSD 3.0_BETA (PowerEdge.MP) #10: Sat Jul 23 12:53:33 EDT 2005  root@Z:/usr/src/sys/arch/i386/compile/PowerEdge.MP i386

>Description:
With a 4gig smbfs mounted, I use rsync to backup that data and the machine will randomly 'freeze' dropping me in the kernel's debugger.

It crashes on : movl 0x30(%eax), %eax
Which turns out to be /usr/src/sys/fs/smbfs/smbfs_vfsops.c 
smbfs_sync(...)
exactly here: 
/*    $NetBSD: smbfs_vfsops.c,v 1.47 2005/02/26 22:58:55 perry Exp $ */
456: if ((vp->v_type == VNON || (np->n_flag & NMODIFIED) == 0) &&
                                 ^^^^^^^^^
seems np has been dereferenced...

***0xc02d5756 <smbfs_sync+122>:    mov    0x30(%eax),%eax***
0xc02d5759 <smbfs_sync+125>:    shr    $0x2,%eax
0xc02d575c <smbfs_sync+128>:    xor    $0x1,%eax
0xc02d575f <smbfs_sync+131>:    test   $0x1,%al


>How-To-Repeat:
Mount a smbfs with enough data on a box with more than one cpu and rsync!

>Fix:
Verify that np is still valid before using it. (Requires a lock?)