From nobody Mon May 31 15:43:56 2021
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id B8E09DF995C
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Mon, 31 May 2021 15:44:07 +0000 (UTC)
	(envelope-from dim@FreeBSD.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Fv02b4bvQz3kyv;
	Mon, 31 May 2021 15:44:07 +0000 (UTC)
	(envelope-from dim@FreeBSD.org)
Received: from tensor.andric.com (tensor.andric.com [87.251.56.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "tensor.andric.com", Issuer "R3" (verified OK))
	(Authenticated sender: dim)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 63178FA1B;
	Mon, 31 May 2021 15:44:07 +0000 (UTC)
	(envelope-from dim@FreeBSD.org)
Received: from smtpclient.apple (unknown [IPv6:2001:470:7a58:0:65d3:dfba:f1bc:9672])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by tensor.andric.com (Postfix) with ESMTPSA id ECB0149DBB;
	Mon, 31 May 2021 17:44:05 +0200 (CEST)
From: Dimitry Andric <dim@FreeBSD.org>
Message-Id: <5A985368-32EF-4FD1-A325-0CC1600E90E0@FreeBSD.org>
Content-Type: multipart/signed;
	boundary="Apple-Mail=_160E9DA0-7FF3-42C8-A506-B1D6E015EE57";
	protocol="application/pgp-signature";
	micalg=pgp-sha1
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@freebsd.org
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.100.0.2.22\))
Subject: Re: Panics in recent NFS server
Date: Mon, 31 May 2021 17:43:56 +0200
In-Reply-To: <CAGudoHGsnMtwDRKoCYLio_SCm3HZdYU7qF=uCHEb0y_HS5m-Ng@mail.gmail.com>
Cc: FreeBSD Current <freebsd-current@freebsd.org>,
 Rick Macklem <rmacklem@freebsd.org>
To: Mateusz Guzik <mjguzik@gmail.com>
References: <EA017AF6-25C8-48FC-B52F-D83D9DD314AA@FreeBSD.org>
 <CAGudoHHd3QVT6mefMcELRKa7nPptjVuc=D-agoHUNY4pfOz8tg@mail.gmail.com>
 <CAGudoHGk0mrmiLHqhfvCA596kxZa8vD1ex+QOgLBE0vt+7OJrA@mail.gmail.com>
 <CAGudoHGsnMtwDRKoCYLio_SCm3HZdYU7qF=uCHEb0y_HS5m-Ng@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.100.0.2.22)
X-ThisMailContainsUnwantedMimeParts: N


--Apple-Mail=_160E9DA0-7FF3-42C8-A506-B1D6E015EE57
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Yes, this works for me too. I first tried reverting
d81aefa8b7dd8cbeffeda541fca9962802404983, but this looked a bit more
sane. :)

-Dimitry

> On 31 May 2021, at 17:03, Mateusz Guzik <mjguzik@gmail.com> wrote:
>=20
> I reproduced the panic, things work for me with the patch below.
> However, there may be more to it so I'm going to ask Rick to weigh in.
> but short version is that length returned by nfsrv_parsename is off by
> one compared to copyinstr.
>=20
> diff --git a/sys/fs/nfsserver/nfs_nfsdsubs.c =
b/sys/fs/nfsserver/nfs_nfsdsubs.c
> index 2b6e17752544..8c7db36bbd05 100644
> --- a/sys/fs/nfsserver/nfs_nfsdsubs.c
> +++ b/sys/fs/nfsserver/nfs_nfsdsubs.c
> @@ -2065,7 +2065,7 @@ nfsrv_parsename(struct nfsrv_descript *nd, char
> *bufp, u_long *hashp,
>            }
>        }
>        *tocp =3D '\0';
> -       *outlenp =3D (size_t)outlen;
> +       *outlenp =3D (size_t)outlen + 1;
>        if (hashp !=3D NULL)
>                *hashp =3D hash;
> nfsmout:
>=20
>=20
> On 5/31/21, Mateusz Guzik <mjguzik@gmail.com> wrote:
>> On 5/31/21, Mateusz Guzik <mjguzik@gmail.com> wrote:
>>> It's probably my commit d81aefa8b7dd8cbeffeda541fca9962802404983 ,
>>> I'll look at this later.
>>=20
>> Well let me rephrase. While the panic was added in said commit, I
>> suspect the bug is on nfs side -- it has its own namei variant which =
I
>> suspect is managing ni_pathlen in a manner different than the
>> original, it just happens to not panic on kernels prior to the above
>> change.
>>=20
>>>=20
>>> On 5/31/21, Dimitry Andric <dim@freebsd.org> wrote:
>>>> Hi,
>>>>=20
>>>> I recently upgraded a -CURRENT NFS server from 2021-05-12 to today
>>>> (2021-05-31), and when the first NFS client attempted to connect, I =
got
>>>> this
>>>> panic:
>>>>=20
>>>> panic: lookup: expected nul at 0xfffff800104b3002; string [dim]
>>>>=20
>>>> cpuid =3D 0
>>>> time =3D 1622463863
>>>> KDB: stack backtrace:
>>>> db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame
>>>> 0xfffffe00747e89b0
>>>> vpanic() at vpanic+0x187/frame 0xfffffe00747e8a10
>>>> panic() at panic+0x43/frame 0xfffffe00747e8a70
>>>> lookup() at lookup+0xad2/frame 0xfffffe00747e8b10
>>>> nfsvno_namei() at nfsvno_namei+0x1a4/frame 0xfffffe00747e8bc0
>>>> nfsrvd_lookup() at nfsrvd_lookup+0x191/frame 0xfffffe00747e8eb0
>>>> nfsrvd_dorpc() at nfsrvd_dorpc+0xfab/frame 0xfffffe00747e90c0
>>>> nfssvc_program() at nfssvc_program+0x604/frame 0xfffffe00747e92a0
>>>> svc_run_internal() at svc_run_internal+0xa72/frame =
0xfffffe00747e93d0
>>>> svc_run() at svc_run+0x250/frame 0xfffffe00747e9430
>>>> nfsrvd_nfsd() at nfsrvd_nfsd+0x33c/frame 0xfffffe00747e9590
>>>> nfssvc_nfsd() at nfssvc_nfsd+0x473/frame 0xfffffe00747e9aa0
>>>> sys_nfssvc() at sys_nfssvc+0xc7/frame 0xfffffe00747e9ac0
>>>> amd64_syscall() at amd64_syscall+0x12e/frame 0xfffffe00747e9bf0
>>>> fast_syscall_common() at fast_syscall_common+0xf8/frame
>>>> 0xfffffe00747e9bf0
>>>> --- syscall (155, FreeBSD ELF64, sys_nfssvc), rip =3D 0x8011aa59a, =
rsp =3D
>>>> 0x7fffffffe4e8, rbp =3D 0x7fffffffe780 ---
>>>> KDB: enter: panic
>>>>=20
>>>> __curthread ()
>>>>    at =
/share/dim/src/freebsd/src-dim/sys/amd64/include/pcpu_aux.h:55
>>>> 55		__asm("movq %%gs:%P1,%0" : "=3Dr" (td) : "n" =
(offsetof(struct pcpu,
>>>> (kgdb) #0  __curthread ()
>>>>    at =
/share/dim/src/freebsd/src-dim/sys/amd64/include/pcpu_aux.h:55
>>>> #1  doadump (textdump=3Dtextdump@entry=3D0)
>>>>    at /share/dim/src/freebsd/src-dim/sys/kern/kern_shutdown.c:399
>>>> #2  0xffffffff804cca5a in db_dump (dummy=3D<optimized out>,
>>>>    dummy2=3D<unavailable>, dummy3=3D<unavailable>, =
dummy4=3D<unavailable>)
>>>>    at /share/dim/src/freebsd/src-dim/sys/ddb/db_command.c:575
>>>> #3  0xffffffff804cc912 in db_command (last_cmdp=3D<optimized out>,
>>>>    cmd_table=3D<optimized out>, dopager=3Ddopager@entry=3D1)
>>>>    at /share/dim/src/freebsd/src-dim/sys/ddb/db_command.c:482
>>>> #4  0xffffffff804cc58d in db_command_loop ()
>>>>    at /share/dim/src/freebsd/src-dim/sys/ddb/db_command.c:535
>>>> #5  0xffffffff804cfd06 in db_trap (type=3D<optimized out>, =
code=3D<optimized
>>>> out>)
>>>>    at /share/dim/src/freebsd/src-dim/sys/ddb/db_main.c:270
>>>> #6  0xffffffff80c69f17 in kdb_trap (type=3Dtype@entry=3D3,
>>>> code=3Dcode@entry=3D0,
>>>>    tf=3Dtf@entry=3D0xfffffe00747e88e0)
>>>>    at /share/dim/src/freebsd/src-dim/sys/kern/subr_kdb.c:727
>>>> #7  0xffffffff810d7aee in trap (frame=3D0xfffffe00747e88e0)
>>>>    at /share/dim/src/freebsd/src-dim/sys/amd64/amd64/trap.c:576
>>>> #8  <signal handler called>
>>>> #9  kdb_enter (why=3D0xffffffff812d3d27 "panic", msg=3D<optimized =
out>)
>>>>    at /share/dim/src/freebsd/src-dim/sys/kern/subr_kdb.c:506
>>>> #10 0xffffffff80c1d248 in vpanic (
>>>>    fmt=3D0xffffffff8129dfef "%s: expected nul at %p; string =
[%s]\n",
>>>>    ap=3D<optimized out>, ap@entry=3D0xfffffe00747e8a50)
>>>>    at /share/dim/src/freebsd/src-dim/sys/kern/kern_shutdown.c:907
>>>> #11 0xffffffff80c1cfd3 in panic (
>>>>    fmt=3D0xffffffff81e9b9c8 <cnputs_mtx> =
"=3D\t)\201\377\377\377\377")
>>>>    at /share/dim/src/freebsd/src-dim/sys/kern/kern_shutdown.c:843
>>>> #12 0xffffffff80cfa992 in lookup (ndp=3Dndp@entry=3D0xfffffe00747e8d9=
0)
>>>>    at /share/dim/src/freebsd/src-dim/sys/kern/vfs_lookup.c:919
>>>> #13 0xffffffff80b33f84 in nfsvno_namei =
(nd=3Dnd@entry=3D0xfffffe00747e9100,
>>>>    ndp=3Dndp@entry=3D0xfffffe00747e8d90, dp=3D<optimized out>,
>>>>    dp@entry=3D0xfffff80010544380, islocked=3D<optimized out>,
>>>> islocked@entry=3D0,
>>>>    exp=3Dexp@entry=3D0xfffffe00747e8fd8, =
p=3Dp@entry=3D0xfffffe00bbfa3000,
>>>>    retdirp=3D0xfffffe00747e8e78)
>>>>    at
>>>> /share/dim/src/freebsd/src-dim/sys/fs/nfsserver/nfs_nfsdport.c:597
>>>> #14 0xffffffff80b266a1 in nfsrvd_lookup (nd=3D0xfffffe00747e9100,
>>>>    isdgram=3D<optimized out>, dp=3D0xfffff80010544380,
>>>> vpp=3D0xfffffe00747e9010,
>>>>    fhp=3D0xfffffe00747e9074, exp=3D0xfffffe00747e8fd8)
>>>>    at
>>>> /share/dim/src/freebsd/src-dim/sys/fs/nfsserver/nfs_nfsdserv.c:607
>>>> #15 0xffffffff80b1073b in nfsrvd_compound (nd=3D0xfffffe00747e9100,
>>>> isdgram=3D0,
>>>>    tag=3D0xf <error: Cannot access memory at address 0xf>, =
taglen=3D6,
>>>>    minorvers=3D4294967294)
>>>>    at
>>>> =
/share/dim/src/freebsd/src-dim/sys/fs/nfsserver/nfs_nfsdsocket.c:1098
>>>> #16 nfsrvd_dorpc (nd=3Dnd@entry=3D0xfffffe00747e9100,
>>>> isdgram=3Disdgram@entry=3D0,
>>>>    tag=3D0xf <error: Cannot access memory at address 0xf>, =
taglen=3D6,
>>>>    minorvers=3D4294967294)
>>>>    at
>>>> =
/share/dim/src/freebsd/src-dim/sys/fs/nfsserver/nfs_nfsdsocket.c:626
>>>> #17 0xffffffff80b24c44 in nfs_proc (nd=3D0xfffffe00747e9100,
>>>>    xid=3D<optimized out>, xprt=3D0xfffff80003a14e00, rpp=3D<optimized=
 out>)
>>>>    at
>>>> /share/dim/src/freebsd/src-dim/sys/fs/nfsserver/nfs_nfsdkrpc.c:402
>>>> #18 nfssvc_program (rqst=3D0xfffff80010455800, =
xprt=3D0xfffff80003a14e00)
>>>>    at
>>>> /share/dim/src/freebsd/src-dim/sys/fs/nfsserver/nfs_nfsdkrpc.c:288
>>>> #19 0xffffffff80edead2 in svc_executereq (rqstp=3D0xfffff80010455800)=

>>>>    at /share/dim/src/freebsd/src-dim/sys/rpc/svc.c:1037
>>>> #20 svc_run_internal (grp=3D<optimized out>, =
grp@entry=3D0xfffff800100e6100,
>>>>    ismaster=3Dismaster@entry=3D1)
>>>>    at /share/dim/src/freebsd/src-dim/sys/rpc/svc.c:1313
>>>> #21 0xffffffff80eddf80 in svc_run (pool=3D<optimized out>)
>>>>    at /share/dim/src/freebsd/src-dim/sys/rpc/svc.c:1392
>>>> #22 0xffffffff80b251ec in nfsrvd_nfsd (td=3D<optimized out>,
>>>>    td@entry=3D0xfffffe00bbfa3000, =
args=3Dargs@entry=3D0xfffffe00747e9660)
>>>>    at
>>>> /share/dim/src/freebsd/src-dim/sys/fs/nfsserver/nfs_nfsdkrpc.c:561
>>>> #23 0xffffffff80b3ec93 in nfssvc_nfsd (td=3D0xfffffe00bbfa3000,
>>>>    uap=3D<optimized out>)
>>>>    at
>>>> /share/dim/src/freebsd/src-dim/sys/fs/nfsserver/nfs_nfsdport.c:3714
>>>> #24 0xffffffff80e6f647 in sys_nfssvc (td=3D0xfffffe00bbfa3000,
>>>>    uap=3D0xfffffe00bbfa33e8)
>>>>    at /share/dim/src/freebsd/src-dim/sys/nfs/nfs_nfssvc.c:111
>>>> #25 0xffffffff810d891e in syscallenter (td=3D<optimized out>)
>>>>    at
>>>> =
/share/dim/src/freebsd/src-dim/sys/amd64/amd64/../../kern/subr_syscall.c:1=
89
>>>> #26 amd64_syscall (td=3D0xfffffe00bbfa3000, traced=3D0)
>>>>    at /share/dim/src/freebsd/src-dim/sys/amd64/amd64/trap.c:1156
>>>> #27 <signal handler called>
>>>> #28 0x00000008011aa59a in ?? ()
>>>>=20
>>>> Is anybody seeing this too? :)
>>>>=20
>>>> I can probably bisect, but it'll take quite a while.
>>>>=20
>>>> -Dimitry
>>>>=20
>>>>=20
>>>=20
>>>=20
>>> --
>>> Mateusz Guzik <mjguzik gmail.com>
>>>=20
>>=20
>>=20
>> --
>> Mateusz Guzik <mjguzik gmail.com>
>>=20
>=20
>=20
> --
> Mateusz Guzik <mjguzik gmail.com>


--Apple-Mail=_160E9DA0-7FF3-42C8-A506-B1D6E015EE57
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.2

iF0EARECAB0WIQR6tGLSzjX8bUI5T82wXqMKLiCWowUCYLUEPQAKCRCwXqMKLiCW
o014AKCELs2nS5ckmCT+1XWWu70ye8xlAgCg7yVROdaFZf0XF92USYltTe2qrp4=
=8L0A
-----END PGP SIGNATURE-----

--Apple-Mail=_160E9DA0-7FF3-42C8-A506-B1D6E015EE57--