From owner-freebsd-bugs@freebsd.org Thu Oct 25 06:28:41 2018
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 232673] nfs client panic: nfs_advlock traps on doomed vnode via NFS_ISV4
Date: Thu, 25 Oct 2018 06:28:39 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: panic
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: rlibby@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=232673

            Bug ID: 232673
           Summary: nfs client panic: nfs_advlock traps on doomed vnode via
                    NFS_ISV4
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Keywords: panic
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rlibby@freebsd.org

We hit a panic where nfs_advlock() trapped trying to dereference the v_mount
of a doomed vnode (during a race with forced unmount as part of a reboot).
The dereference is part of the NFS_ISV4() macro, which nfs_advlock() appears
to access outside of any locks and without any check for a doomed vnode.

I think, but am not certain, that it is expected that we may enter
VOP_ADVLOCK() with a doomed vnode. Given code context, it also seems like in
that situation it is okay simply to return EBADF (i.e. that no additional
work needs to be done e.g. to attempt to release an advisory lock).

If both of these are true, then I think the fix may be straightforward: do an
interlocked check for a doomed vnode, and either record the result of
NFS_ISV4() under the interlock or continue to hold it up to the vnode lock
calls.

However, if it is true that it is valid for VOP_ADVLOCK() to be called with
doomed vnodes, then I think unionfs_advlock() may have a similar bug. I did
not audit all the others, but lf_advlock() does appear to have doomed vnode
checks.

panic @ time 1540421723.857, thread 0xfffff8022feae000: Fatal trap 12: page
fault while in kernel mode
cpuid = 4, TSC = 0x4cc4cc33bb8b6
Panic occurred in module kernel loaded at 0xffffffff80200000:

Stack: --------------------------------------------------
kernel:trap_fatal+0xa4
kernel:trap_pfault+0x23f
kernel:trap+0x308
kernel:nfs_advlock+0x30
kernel:VOP_ADVLOCK_APV+0xda
kernel:closef+0x94
kernel:fdescfree_fds+0x94
kernel:fdescfree+0x366
kernel:exit1+0x564
kernel:sigexit+0xde8
kernel:postsig+0x3da
kernel:ast+0x336
--------------------------------------------------

cpuid = 4; apic id = 04
fault virtual address   = 0x280
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff804d7020
stack pointer           = 0x28:0xfffffe1b9d128430
frame pointer           = 0x28:0xfffffe1b9d128530
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0

Registers:
rax: fffff80232da9580  rbx: fffffe1b9d128578  rcx: 0000000000000000
rdx: 0000000000080000  rsi: fffffe1b9d128510  rdi: fffffe1b9d128578
rbp: fffffe1b9d128530  rsp: fffffe1b9d128430  r8:  0000000000000246
r9:  0000000000000016  r10: 0000000000010000  r11: 0000000000000001
r12: 0000000000000000  r13: fffff8027cb0e268  r14: fffff802b7150470
r15: fffff8022feae000  rflags: 0000000000010286
rip: ffffffff804d7020  trapno: 000000000000000c  err: 0000000000000000
curthread: 0xfffff8022feae000
current process = 3316 (perl5.26.2)

Stack Data from 0xfffffe1b9d128430:
 0: fffff8083ffbcd18 fffff8026b5dd790 0000000000000000 fffff8083ffbcd00 fffffe1b9d128490 ffffffff805934d4 0000000000000001 fffff8026b5dd000
 8: fffff8026b5ddf90 fffff802bc458000 fffff8083ffab3c0 fffff8026b5ddf90 fffffe1b9d1284c0 ffffffff80888d6f fffff8083ffab430 0000000000000000
16: fffff8026b5dd790 fffff8083ffab3c0 fffffe1b9d1284f0 ffffffff80885197 fffffe1b9d128500 ffffffff809a5805 fffff802b7150470 fffffe1b9d128580
24: ffffffff80b05870 fffff8022feae000 fffffe1b9d128530 ffffffff80d4fb60 fffffe1b9d128580 fffff8027cb0e268 fffffe1b9d128578 00000000ffffffff
32: fffffe1b9d128560 ffffffff809ac91b 0000000000000001 fffff802bc458000 fffff8027cb0e268 fffff8022feae000 fffffe1b9d1285f0 ffffffff8055d665
40: 0000000000000001 ffffffff80dd75d8 fffff802b7150470 fffff80232da9580 fffff80000000002 fffffe1b9d1285a8 fffffe1b00000040 0000000000000000
48: 0000000000000000 000000024882d200 fffff8004882d000 0000000000000001 fffff802bc458000 fffff8027cb0e268 0000000000000030 fffff802bc458080
56: fffffe1b9d128640 ffffffff8055d2c5 0000000000000100 fffff8022feae000 00000001bc458040 fffff802bc458040 fffff8004882d000 fffff8005afb9b18

Dumping stacks (40960 bytes)
Tracing command init pid 1 tid 100002 td 0xfffff8001b776000 (CPU 0)
cpustop_handler() at cpustop_handler+0x2e/frame 0xffffffff810df8d0
ipi_nmi_handler() at ipi_nmi_handler+0x4a/frame 0xffffffff810df8f0
trap() at trap+0x46/frame 0xffffffff810dfad0
nmi_calltrap() at nmi_calltrap+0x8/frame 0xffffffff810dfad0
--- trap 0x13, rip = 0xffffffff80614b97, rsp = 0xfffffe1977b92400, rbp = 0xfffffe1977b92410 ---
_isitmyx() at _isitmyx+0x77/frame 0xfffffe1977b92410
witness_checkorder() at witness_checkorder+0x2b9/frame 0xfffffe1977b92490
__mtx_lock_flags() at __mtx_lock_flags+0x9b/frame 0xfffffe1977b924e0
_vdrop() at _vdrop+0x169/frame 0xfffffe1977b92520
vputx() at vputx+0x23f/frame 0xfffffe1977b92580
vflush() at vflush+0x50e/frame 0xfffffe1977b926c0
nfs_unmount() at nfs_unmount+0x71/frame 0xfffffe1977b92710
dounmount() at dounmount+0x64a/frame 0xfffffe1977b92790
unmount_or_warn() at unmount_or_warn+0x40/frame 0xfffffe1977b927b0
vfs_unmountall() at vfs_unmountall+0x55/frame 0xfffffe1977b927d0
bufshutdown() at bufshutdown+0x3a0/frame 0xfffffe1977b92820
kern_reboot() at kern_reboot+0x197/frame 0xfffffe1977b92860
sys_reboot() at sys_reboot+0x3b5/frame 0xfffffe1977b928b0
amd64_syscall() at amd64_syscall+0x388/frame 0xfffffe1977b92ab0
fast_syscall_common() at fast_syscall_common+0x106/frame 0x7fffffffe860

(gdb) target remote localhost:8011
Remote debugging using localhost:8011
0xffffffff804d7020 in nfs_advlock (ap=0xfffffe1b9d128578)
    at /b/mnt/src/sys/fs/nfsclient/nfs_clvnops.c:3095
3095    /b/mnt/src/sys/fs/nfsclient/nfs_clvnops.c: No such file or directory.
(gdb) p vp
$1 = (struct vnode *) 0xfffff802b7150470
(gdb) p vp->v_mount
$2 = (struct mount *) 0x0
(gdb) p vp->v_type
$3 = VBAD

-- 
You are receiving this mail because:
You are the assignee for the bug.
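The race the report describes, and the "check for a doomed vnode under the interlock" fix shape it proposes, as a runnable user-space model. This is an added example, not FreeBSD source and not the reporter's patch: struct vnode/struct mount, the VI_DOOMED and MNT_TOY_V4 flag values, toy_nfs_isv4() standing in for NFS_ISV4(), and the interlock modelled as a held-counter rather than a real mutex are all simplified stand-ins chosen for this illustration. What it shows is the one thing the gdb output makes concrete: once forced unmount has cleared v_mount and marked the vnode VBAD, an unguarded NFS_ISV4() reads through a NULL pointer, whereas testing the doomed flag under the interlock lets the caller return EBADF before touching v_mount.

```c
/*
 * Added example, not FreeBSD source: a user-space model of the race in
 * bug 232673 and of the interlocked doomed-vnode check the report
 * proposes. Struct layouts, flag values and the interlock (an int
 * held-counter instead of a mutex) are simplified stand-ins.
 */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

#define VI_DOOMED   0x0080  /* assumption: toy doomed flag, not the kernel's */
#define MNT_TOY_V4  0x0001  /* assumption: toy "this mount is NFSv4" bit */

enum vtype { VREG, VBAD };

struct mount {
	int mnt_toyflags;
};

struct vnode {
	int           v_interlock;  /* model of the vnode interlock: 0 = free */
	int           v_iflag;
	enum vtype    v_type;
	struct mount *v_mount;      /* cleared by forced unmount */
};

static void
vi_lock(struct vnode *vp)
{
	assert(vp->v_interlock == 0);   /* the interlock is not recursive */
	vp->v_interlock = 1;
}

static void
vi_unlock(struct vnode *vp)
{
	assert(vp->v_interlock == 1);
	vp->v_interlock = 0;
}

/* Stand-in for NFS_ISV4(): reads through v_mount with no check at all. */
static bool
toy_nfs_isv4(const struct vnode *vp)
{
	return (vp->v_mount->mnt_toyflags & MNT_TOY_V4) != 0;
}

/*
 * Shape of the bug: the v4 test runs before any lock or doomed check.
 * Called on a vnode whose v_mount is already NULL, this is the fault.
 */
bool
advlock_enter_unchecked(struct vnode *vp)
{
	return toy_nfs_isv4(vp);
}

/*
 * Shape of the fix: take the interlock, return EBADF if the vnode is
 * doomed, otherwise record the v4 decision while v_mount is still valid.
 * Returns 0 and sets *isv4 on success, EBADF on a doomed vnode.
 */
int
advlock_enter_checked(struct vnode *vp, bool *isv4)
{
	int error = 0;

	vi_lock(vp);
	if (vp->v_iflag & VI_DOOMED)
		error = EBADF;
	else
		*isv4 = toy_nfs_isv4(vp);
	vi_unlock(vp);
	return error;
}

/* What forced unmount does to the vnode, matching the gdb output above. */
void
doom_vnode(struct vnode *vp)
{
	vi_lock(vp);
	vp->v_iflag |= VI_DOOMED;
	vp->v_type = VBAD;
	vp->v_mount = NULL;
	vi_unlock(vp);
}

void
vnode_init(struct vnode *vp, struct mount *mp)
{
	vp->v_interlock = 0;
	vp->v_iflag = 0;
	vp->v_type = VREG;
	vp->v_mount = mp;
}

int
main(void)
{
	struct mount mp = { MNT_TOY_V4 };
	struct vnode vp;
	bool isv4 = false;

	vnode_init(&vp, &mp);
	assert(advlock_enter_checked(&vp, &isv4) == 0 && isv4);
	doom_vnode(&vp);
	/* advlock_enter_unchecked(&vp) at this point would dereference NULL. */
	assert(advlock_enter_checked(&vp, &isv4) == EBADF);
	return 0;
}
```

The model deliberately keeps the two decisions the report separates: whether VOP_ADVLOCK() may legitimately see a doomed vnode (here simply assumed, so doom_vnode() runs between the two calls), and whether EBADF is a sufficient answer when it does (here returned without any further cleanup). In the real kernel the interlock would also be the place to either cache the NFS_ISV4() result or carry the lock forward to the vnode lock calls; the model only shows the first of those two options.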