From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 255695] crash in NFSv4.1 server when processing a callback reply
Date: Sat, 08 May 2021 00:45:08 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255695

Bug ID: 255695
Summary: crash in NFSv4.1 server when processing a callback reply
Product: Base System
Version: 12.2-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rmacklem@FreeBSD.org

The following crash was reported in a FreeNAS12 server:

> Fatal trap 12: page fault while in kernel mode
> cpuid = 1; apic id = 02
> fault virtual address = 0x410
> fault code = supervisor read data, page not present
> instruction pointer = 0x20:0xffffffff80aa4a57
> stack pointer = 0x28:0xfffffe021f94f150
> frame pointer = 0x28:0xfffffe021f94f1d0
> code segment = base 0x0, limit 0xfffff, type 0x1b
> = DPL 0, pres 1, long 1, def32 0, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = 4908 (nfsd: service)
> trap number = 12
> panic: page fault
> cpuid = 1
> time = 1619545070
> KDB: stack backtrace:
> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe021f94ee10
> vpanic() at vpanic+0x17b/frame 0xfffffe021f94ee60
> panic() at panic+0x43/frame 0xfffffe021f94eec0
> trap_fatal() at trap_fatal+0x391/frame 0xfffffe021f94ef20
> trap_pfault() at trap_pfault+0x4f/frame 0xfffffe021f94ef70
> trap() at trap+0x286/frame 0xfffffe021f94f080
> calltrap() at calltrap+0x8/frame 0xfffffe021f94f080
> --- trap 0xc, rip = 0xffffffff80aa4a57, rsp = 0xfffffe021f94f150, rbp = 0xfffffe021f94f1d0 ---
> __mtx_lock_sleep() at __mtx_lock_sleep+0xd7/frame 0xfffffe021f94f1d0
> clnt_bck_svccall() at clnt_bck_svccall+0x10a/frame 0xfffffe021f94f210
> svc_vc_recv() at svc_vc_recv+0x1b2/frame 0xfffffe021f94f2e0
> svc_run_internal() at svc_run_internal+0x377/frame 0xfffffe021f94f420
> svc_thread_start() at svc_thread_start+0xb/frame 0xfffffe021f94f430
> fork_exit() at fork_exit+0x7e/frame 0xfffffe021f94f470
> fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe021f94f470
> --- trap 0xc, rip = 0x8002e1b2a, rsp = 0x7fffffffe578, rbp = 0x7fffffffe810 ---
> KDB: enter: panic

This crash in clnt_bck_svccall() appears to have occurred because the CLIENT
structure for handling the callback RPCs has already been free'd.
Freeing this CLIENT structure only occurs when the ClientID (not the same
thing, despite the name similarity) has been destroyed.
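For triage, a panic like the one quoted above can be reduced mechanically to its fault address and the call chain that was live when the trap fired. The Python below is an added example, not part of the original bug report or of FreeBSD; the names `parse_panic` and `summarize` are hypothetical, and the sample text is an excerpt of the trace quoted in the report.

```python
import re

# Excerpt of the panic text quoted in the report above, quote markers removed.
PANIC_TEXT = """\
fault virtual address = 0x410
current process = 4908 (nfsd: service)
KDB: stack backtrace:
calltrap() at calltrap+0x8/frame 0xfffffe021f94f080
--- trap 0xc, rip = 0xffffffff80aa4a57, rsp = 0xfffffe021f94f150, rbp = 0xfffffe021f94f1d0 ---
__mtx_lock_sleep() at __mtx_lock_sleep+0xd7/frame 0xfffffe021f94f1d0
clnt_bck_svccall() at clnt_bck_svccall+0x10a/frame 0xfffffe021f94f210
svc_vc_recv() at svc_vc_recv+0x1b2/frame 0xfffffe021f94f2e0
svc_run_internal() at svc_run_internal+0x377/frame 0xfffffe021f94f420
--- trap 0xc, rip = 0x8002e1b2a, rsp = 0x7fffffffe578, rbp = 0x7fffffffe810 ---
"""

FRAME = re.compile(r"^(\w+)\(\) at \1\+(0x[0-9a-f]+)/frame (0x[0-9a-f]+)$")
TRAP = re.compile(r"^--- trap (0x[0-9a-f]+), rip = (0x[0-9a-f]+),")
FIELD = re.compile(r"^([a-z ]+?)\s*=\s*(.+)$")

def parse_panic(text):
    """Split a KDB panic dump into header fields and the faulting call chain."""
    fields, frames, in_fault = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if m := TRAP.match(line):
            if in_fault:      # second marker is the kernel/user boundary: stop
                break
            in_fault = True   # frames above the first marker are trap handling only
            fields["trap"], fields["rip"] = m.group(1), m.group(2)
        elif m := FRAME.match(line):
            if in_fault:
                frames.append((m.group(1), int(m.group(2), 16)))
        elif (m := FIELD.match(line)) and not in_fault:
            fields[m.group(1)] = m.group(2)
    return fields, frames

def summarize(text):
    fields, frames = parse_panic(text)
    return {
        "fault_address": int(fields["fault virtual address"], 16),
        "process": fields["current process"],
        "faulting_function": frames[0][0],
        "caller": frames[1][0],
        "chain": [name for name, _ in frames],
    }

if __name__ == "__main__":
    print(summarize(PANIC_TEXT))
```

For this trace the faulting frame is the mutex code and its caller is clnt_bck_svccall(), the function the report names.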