Date: Fri, 25 May 2018 23:47:00 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 228497] Kernel panic, NULL pointer dereference in nfsrv_checksequence
Message-ID: <bug-228497-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228497

Bug ID: 228497
Summary: Kernel panic, NULL pointer dereference in nfsrv_checksequence
Product: Base System
Version: 11.1-STABLE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: cryopie@gmail.com

Two FreeBSD 11.1 systems crashed within fifteen minutes of each other.

Host1: (CPU: Intel(R) Core(TM) i3-4150 CPU @ 3.50GHz (3500.06-MHz K8-class CPU)):

db:0:kdb.enter.default> bt
Tracing pid 2291 tid 101254 td 0xfffff800526b5000
nfsrv_checksequence() at nfsrv_checksequence+0x208/frame 0xfffffe0860a85e20
nfsrvd_sequence() at nfsrvd_sequence+0x12a/frame 0xfffffe0860a85e70
nfsrvd_dorpc() at nfsrvd_dorpc+0xeed/frame 0xfffffe0860a86050
nfssvc_program() at nfssvc_program+0x5c0/frame 0xfffffe0860a86200
svc_run_internal() at svc_run_internal+0xcc9/frame 0xfffffe0860a86340
svc_run() at svc_run+0x161/frame 0xfffffe0860a86390
nfsrvd_nfsd() at nfsrvd_nfsd+0x236/frame 0xfffffe0860a86500
nfssvc_nfsd() at nfssvc_nfsd+0x1d9/frame 0xfffffe0860a86960
sys_nfssvc() at sys_nfssvc+0x9c/frame 0xfffffe0860a86980
amd64_syscall() at amd64_syscall+0xa4a/frame 0xfffffe0860a86ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0860a86ab0
--- syscall (155, FreeBSD ELF64, sys_nfssvc), rip = 0x800871c9a, rsp = 0x7fffffffe518, rbp = 0x7fffffffe940 ---
May 25 17:53:00 Host1 current process = 2291 (nfsd: master)
May 25 17:53:00 Host1 processor eflags = interrupt enabled, resume, IOPL = 0
May 25 17:53:00 Host1 = DPL 0, pres 1, long 1, def32 0, gran 1
May 25 17:53:00 Host1 code segment = base 0x0, limit 0xfffff, type 0x1b

-----

Host2: (CPU: Intel(R) Xeon(R) CPU E5-4650 0 @ 2.70GHz (2700.00-MHz K8-class CPU)):

db:0:kdb.enter.default> bt
Tracing pid 2001 tid 102447 td 0xfffff800a716d000
nfsrv_checksequence() at nfsrv_checksequence+0x208/frame 0xfffffe08629ca540
nfsrvd_sequence() at nfsrvd_sequence+0x12a/frame 0xfffffe08629ca590
nfsrvd_dorpc() at nfsrvd_dorpc+0xeed/frame 0xfffffe08629ca770
nfssvc_program() at nfssvc_program+0x5c0/frame 0xfffffe08629ca920
svc_run_internal() at svc_run_internal+0xcc9/frame 0xfffffe08629caa60
svc_thread_start() at svc_thread_start+0xb/frame 0xfffffe08629caa70
fork_exit() at fork_exit+0x85/frame 0xfffffe08629caab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe08629caab0
--- trap 0xc, rip = 0x800871c9a, rsp = 0x7fffffffe518, rbp = 0x7fffffffe940 ---
May 25 17:39:19 Host2 current process = 2001 (nfsd: service)
May 25 17:39:19 Host2 processor eflags = interrupt enabled, resume, IOPL = 0
May 25 17:39:19 Host2 = DPL 0, pres 1, long 1, def32 0, gran 1
May 25 17:39:19 Host2 code segment = base 0x0, limit 0xfffff, type 0x1b
May 25 17:39:19 Host2 frame pointer = 0x28:0xfffffe08629ca540
May 25 17:39:19 Host2 stack pointer = 0x28:0xfffffe08629ca4f0
May 25 17:39:19 Host2 instruction pointer = 0x20:0xffffffff80980668
May 25 17:39:19 Host2 fault code = supervisor read data, page not present
May 25 17:39:19 Host2 fault virtual address = 0x2f0
May 25 17:39:19 Host2 cpuid = 0; apic id = 00
May 25 17:39:19 Host2 Fatal trap 12: page fault while in kernel mode

Build:
FreeBSD 11.1-STABLE #2 r321665+366f54a78b2(freenas/11.1-stable): Wed Mar 21 23:04:13 UTC 2018
    root@gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64 amd64
FreeBSD clang version 5.0.0 (tags/RELEASE_500/final 312559) (based on LLVM 5.0.0svn)

---

Both machines run FreeNAS 11.1-U4. I don't know whether FreeNAS patches the FreeBSD kernel, but the function seemed like an unusual place to need a patch, and so I decided to file a bug report here instead of at the FreeNAS bug tracker.

I was doing an 'mv foo bar/' via NFS on Host3 when the crash occurred. Both 'foo' and 'bar' are directories exported by Host2 and mounted as /mnt/foo and /mnt/bar on Host3. Nothing explicit was being done on Host1.

Both serve NFS to half a dozen clients, all with default options (configured from the FreeNAS GUI) and neither server is under heavy load. All hosts are on the same subnet and promiscuous mode is disabled on the switch.

The NFS client, Host3, is a Linux box (Linux 4.16.9-1-ARCH #1 SMP PREEMPT Thu May 17 02:10:09 UTC 2018 x86_64 GNU/Linux). The NFS mount options are the following:

rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.7.7,local_lock=none,addr=10.0.0.24,_netdev

I am unable to reproduce this but if it happens again I'll reboot with a debug kernel. I don't see how this occurred in two different hosts more or less simultaneously, given that they've been running without issue for weeks.

--
You are receiving this mail because:
You are the assignee for the bug.
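The two backtraces above share the same innermost frame and offset (`nfsrv_checksequence+0x208`), and Host2's trap details give a fault address of 0x2f0 with "supervisor read data, page not present": a NULL base pointer plus a struct field offset, not a random bad address. As an added example that is not code from the bug report or from FreeBSD, here is a small Python triage helper that parses ddb `bt` output and the syslog trap lines into a crash signature, groups hosts by signature, and flags faults inside the unmapped first page as NULL-pointer dereferences. The sample texts are constructed from the report's own output; the page-size threshold `NULL_PAGE_LIMIT` is an assumption.

```python
"""Crash-signature triage for FreeBSD ddb backtraces and 'Fatal trap' lines.

Added example, not code from the bug report. NULL_PAGE_LIMIT is an
assumption; the sample texts are constructed from the report's own output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ddb frame line, e.g. "nfsrvd_sequence() at nfsrvd_sequence+0x12a/frame 0xfffffe08629ca590"
FRAME_RE = re.compile(r"(\w+)\(\) at (\w+)\+0x([0-9a-f]+)/frame 0x([0-9a-f]+)")
# trap detail lines carry a syslog prefix ("May 25 17:39:19 Host2 ..."); match the tail
PROC_RE = re.compile(r"current process\s*=\s*(\d+) \(([^)]+)\)")
FAULT_CODE_RE = re.compile(r"fault code\s*=\s*(.+?)\s*$", re.M)
FAULT_ADDR_RE = re.compile(r"fault virtual address\s*=\s*0x([0-9a-fA-F]+)")

# Assumption: the lowest page of the kernel address space is never mapped, so a
# kernel-mode fault below it is a NULL base pointer plus a struct field offset.
NULL_PAGE_LIMIT = 0x1000


@dataclass
class CrashReport:
    host: str
    frames: List[str]        # "func+0xoff", innermost frame first
    process: Optional[str]   # "pid (name)" from the "current process" line
    fault_code: Optional[str]
    fault_addr: Optional[int]

    @property
    def signature(self) -> str:
        """Innermost frame plus offset: the key for grouping identical crashes."""
        return self.frames[0] if self.frames else "<no frames>"

    def null_deref_offset(self) -> Optional[int]:
        """Field offset when the fault address lies in the unmapped NULL page."""
        if self.fault_addr is not None and self.fault_addr < NULL_PAGE_LIMIT:
            return self.fault_addr
        return None


def parse_report(host: str, text: str) -> CrashReport:
    """Extract frames and trap details from one host's ddb/syslog excerpt."""
    frames = [f"{fn}+0x{off}" for _, fn, off, _ in FRAME_RE.findall(text)]
    proc = PROC_RE.search(text)
    code, addr = FAULT_CODE_RE.search(text), FAULT_ADDR_RE.search(text)
    return CrashReport(
        host=host, frames=frames,
        process=f"{proc.group(1)} ({proc.group(2)})" if proc else None,
        fault_code=code.group(1) if code else None,
        fault_addr=int(addr.group(1), 16) if addr else None,
    )


def triage(report: CrashReport) -> str:
    """Heuristic one-line verdict driven by the fault address, if one was captured."""
    offset = report.null_deref_offset()
    if offset is not None:
        return (f"{report.host}: {report.signature} read through a NULL pointer "
                f"(field at offset 0x{offset:x}); consistent with a missing NULL check")
    if report.fault_addr is not None:
        return (f"{report.host}: {report.signature} faulted at 0x{report.fault_addr:x}; "
                "non-NULL address, look for a stale or corrupted pointer")
    return f"{report.host}: {report.signature}; no trap details captured, signature only"


def group_by_signature(reports: List[CrashReport]) -> Dict[str, List[str]]:
    """Hosts per crash signature; several hosts under one key point to one shared bug."""
    groups: Dict[str, List[str]] = {}
    for r in reports:
        groups.setdefault(r.signature, []).append(r.host)
    return groups


# Constructed samples: the first frames and the trap lines from each host in the report.
HOST1_TEXT = """\
db:0:kdb.enter.default> bt
Tracing pid 2291 tid 101254 td 0xfffff800526b5000
nfsrv_checksequence() at nfsrv_checksequence+0x208/frame 0xfffffe0860a85e20
nfsrvd_sequence() at nfsrvd_sequence+0x12a/frame 0xfffffe0860a85e70
nfsrvd_dorpc() at nfsrvd_dorpc+0xeed/frame 0xfffffe0860a86050
May 25 17:53:00 Host1 current process = 2291 (nfsd: master)
"""
HOST2_TEXT = """\
db:0:kdb.enter.default> bt
nfsrv_checksequence() at nfsrv_checksequence+0x208/frame 0xfffffe08629ca540
nfsrvd_sequence() at nfsrvd_sequence+0x12a/frame 0xfffffe08629ca590
May 25 17:39:19 Host2 current process = 2001 (nfsd: service)
May 25 17:39:19 Host2 fault code = supervisor read data, page not present
May 25 17:39:19 Host2 fault virtual address = 0x2f0
May 25 17:39:19 Host2 Fatal trap 12: page fault while in kernel mode
"""
HOST1, HOST2 = parse_report("Host1", HOST1_TEXT), parse_report("Host2", HOST2_TEXT)

if __name__ == "__main__":
    for rep in (HOST1, HOST2):
        print(triage(rep))
    print(group_by_signature([HOST1, HOST2]))
```

Run on the two excerpts, both hosts land under the single signature `nfsrv_checksequence+0x208`, and Host2's 0x2f0 fault is reported as a NULL pointer with a field offset; Host1's trace carries no trap details, so only its signature is reported. The first-page threshold is what makes the NULL verdict defensible: a fault at a large, non-NULL address would point at a stale or corrupted pointer instead, and the helper says so.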