Date:      Sat, 08 May 2021 00:45:08 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 255695] crash in NFSv4.1 server when processing a callback reply
Message-ID:  <bug-255695-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255695

            Bug ID: 255695
           Summary: crash in NFSv4.1 server when processing a callback
                    reply
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rmacklem@FreeBSD.org

The following crash was reported in a FreeNAS12 server:
> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 02
> fault virtual address   = 0x410
> fault code              = supervisor read data, page not present
> instruction pointer     = 0x20:0xffffffff80aa4a57
> stack pointer           = 0x28:0xfffffe021f94f150
> frame pointer           = 0x28:0xfffffe021f94f1d0
> code segment            = base 0x0, limit 0xfffff, type 0x1b
>                           = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags        = interrupt enabled, resume, IOPL = 0
> current process         = 4908 (nfsd: service)
> trap number             = 12
> panic: page fault
> cpuid = 1
> time = 1619545070
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe021f94ee10
> vpanic() at vpanic+0x17b/frame 0xfffffe021f94ee60
> panic() at panic+0x43/frame 0xfffffe021f94eec0
> trap_fatal() at trap_fatal+0x391/frame 0xfffffe021f94ef20
> trap_pfault() at trap_pfault+0x4f/frame 0xfffffe021f94ef70
> trap() at trap+0x286/frame 0xfffffe021f94f080
> calltrap() at calltrap+0x8/frame 0xfffffe021f94f080
> --- trap 0xc, rip = 0xffffffff80aa4a57, rsp = 0xfffffe021f94f150, rbp = 0xfffffe021f94f1d0 ---
> __mtx_lock_sleep() at __mtx_lock_sleep+0xd7/frame 0xfffffe021f94f1d0
> clnt_bck_svccall() at clnt_bck_svccall+0x10a/frame 0xfffffe021f94f210
> svc_vc_recv() at svc_vc_recv+0x1b2/frame 0xfffffe021f94f2e0
> svc_run_internal() at svc_run_internal+0x377/frame 0xfffffe021f94f420
> svc_thread_start() at svc_thread_start+0xb/frame 0xfffffe021f94f430
> fork_exit() at fork_exit+0x7e/frame 0xfffffe021f94f470
> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe021f94f470
> --- trap 0xc, rip = 0x8002e1b2a, rsp = 0x7fffffffe578, rbp = 0x7fffffffe810 ---
> KDB: enter: panic

This crash in clnt_bck_svccall() appears to have occurred
because the CLIENT structure for handling the callback RPCs
has already been freed.
Freeing this CLIENT structure only occurs when the ClientID
(not the same thing, despite the name similarity) has been
destroyed.

-- 
You are receiving this mail because:
You are the assignee for the bug.
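The report above describes a lifetime race: a callback reply is still being processed while the object it refers to has already been freed on the ClientID destruction path. The C program below is an added illustration, not FreeBSD's kernel RPC code, of the reference-counting discipline that prevents that class of crash: the reply handler takes its own reference before touching the object, and teardown only marks the object and drops the owner's reference, so memory is released by whichever side finishes last. The `cb_client` struct, its functions and the two scenarios are hypothetical; the single-threaded sequence stands in for the interleaving of two kernel threads, where the counter and the `destroyed` flag would be protected by the owner's lock or atomics.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical callback-client object (not FreeBSD's CLIENT struct). */
struct cb_client {
    int refs;              /* 1 for the owning ClientID + 1 per in-flight reply */
    bool destroyed;        /* owning ClientID teardown has started */
    unsigned long replies; /* replies completed on this object */
};

static int g_frees; /* number of cb_client objects freed, for checking */

static struct cb_client *cb_client_create(void)
{
    struct cb_client *c = calloc(1, sizeof(*c));
    if (c != NULL)
        c->refs = 1; /* the owner's reference */
    return c;
}

/* Drop one reference; free only when nobody can still touch the object.
 * In kernel code the counter would be atomic or held under a lock. */
static void cb_client_put(struct cb_client *c)
{
    if (--c->refs == 0) {
        memset(c, 0xA5, sizeof(*c)); /* poison so a stale use faults loudly */
        free(c);
        g_frees++;
    }
}

/* Reply handler entry: take a reference before using the object, and
 * refuse replies for a ClientID whose teardown has already begun. The
 * flag check and increment must happen under the same lock in real code. */
static bool cb_client_reply_begin(struct cb_client *c)
{
    if (c->destroyed)
        return false;
    c->refs++;
    return true;
}

static void cb_client_reply_end(struct cb_client *c)
{
    c->replies++;
    cb_client_put(c); /* frees here if the owner left meanwhile */
}

static void cb_client_mark_destroyed(struct cb_client *c)
{
    c->destroyed = true; /* first half of teardown: no new replies accepted */
}

/* ClientID destruction: mark, then drop the owner's reference.
 * Returns true if the object was freed right now. */
static bool cb_client_destroy(struct cb_client *c)
{
    int before = g_frees;
    cb_client_mark_destroyed(c);
    cb_client_put(c);
    return g_frees != before;
}

/* Scenario 1: the ClientID is destroyed while a reply is in flight.
 * True if the object outlived the destroy and was freed exactly once,
 * when the reply handler finished. */
static bool scenario_destroy_during_reply(void)
{
    int frees_before = g_frees;
    struct cb_client *c = cb_client_create();
    if (c == NULL || !cb_client_reply_begin(c))
        return false;
    bool freed_early = cb_client_destroy(c);
    unsigned long seen = c->replies;  /* still valid: handler holds a ref */
    cb_client_reply_end(c);           /* last reference: freed here */
    return !freed_early && seen == 0 && g_frees == frees_before + 1;
}

/* Scenario 2: a late reply arrives after teardown has started.
 * True if the reply was refused and the object freed exactly once. */
static bool scenario_reply_after_destroy(void)
{
    int frees_before = g_frees;
    struct cb_client *c = cb_client_create();
    if (c == NULL)
        return false;
    cb_client_mark_destroyed(c);
    bool accepted = cb_client_reply_begin(c); /* must be refused */
    cb_client_put(c);                         /* owner's reference: freed */
    return !accepted && g_frees == frees_before + 1;
}

int main(void)
{
    printf("destroy during reply: %s\n",
           scenario_destroy_during_reply() ? "ok" : "FAIL");
    printf("reply after destroy:  %s\n",
           scenario_reply_after_destroy() ? "ok" : "FAIL");
    return 0;
}
```

The point the scenarios make is that neither the teardown path nor the reply path may assume it is the last user: as long as a handler such as the one in the backtrace above can still be running against the object, the owner's destroy must only drop its reference, and a reply that arrives after teardown began must be rejected at lookup time rather than dereference memory that is about to go away.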
