[Bug 228497] Kernel panic, NULL pointer dereference in nfsrv_checksequence

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Fri May 25 23:47:02 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=228497

            Bug ID: 228497
           Summary: Kernel panic, NULL pointer dereference in
                    nfsrv_checksequence
           Product: Base System
           Version: 11.1-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: cryopie at gmail.com

Two FreeBSD 11.1 systems crashed within fifteen minutes of each other. 

Host1: (CPU: Intel(R) Core(TM) i3-4150 CPU @ 3.50GHz (3500.06-MHz K8-class
CPU)):

db:0:kdb.enter.default>  bt
Tracing pid 2291 tid 101254 td 0xfffff800526b5000
nfsrv_checksequence() at nfsrv_checksequence+0x208/frame 0xfffffe0860a85e20
nfsrvd_sequence() at nfsrvd_sequence+0x12a/frame 0xfffffe0860a85e70
nfsrvd_dorpc() at nfsrvd_dorpc+0xeed/frame 0xfffffe0860a86050
nfssvc_program() at nfssvc_program+0x5c0/frame 0xfffffe0860a86200
svc_run_internal() at svc_run_internal+0xcc9/frame 0xfffffe0860a86340
svc_run() at svc_run+0x161/frame 0xfffffe0860a86390
nfsrvd_nfsd() at nfsrvd_nfsd+0x236/frame 0xfffffe0860a86500
nfssvc_nfsd() at nfssvc_nfsd+0x1d9/frame 0xfffffe0860a86960
sys_nfssvc() at sys_nfssvc+0x9c/frame 0xfffffe0860a86980
amd64_syscall() at amd64_syscall+0xa4a/frame 0xfffffe0860a86ab0
Xfast_syscall() at Xfast_syscall+0xfb/frame 0xfffffe0860a86ab0
--- syscall (155, FreeBSD ELF64, sys_nfssvc), rip = 0x800871c9a, rsp =
0x7fffffffe518, rbp = 0x7fffffffe940 ---

May 25 17:53:00 Host1 current process          = 2291 (nfsd: master)
May 25 17:53:00 Host1 processor eflags = interrupt enabled, resume, IOPL = 0
May 25 17:53:00 Host1                  = DPL 0, pres 1, long 1, def32 0, gran 1
May 25 17:53:00 Host1 code segment             = base 0x0, limit 0xfffff, type
0x1b

-----

Host2: (CPU: Intel(R) Xeon(R) CPU E5-4650 0 @ 2.70GHz (2700.00-MHz K8-class
CPU)):

db:0:kdb.enter.default>  bt
Tracing pid 2001 tid 102447 td 0xfffff800a716d000
nfsrv_checksequence() at nfsrv_checksequence+0x208/frame 0xfffffe08629ca540
nfsrvd_sequence() at nfsrvd_sequence+0x12a/frame 0xfffffe08629ca590
nfsrvd_dorpc() at nfsrvd_dorpc+0xeed/frame 0xfffffe08629ca770
nfssvc_program() at nfssvc_program+0x5c0/frame 0xfffffe08629ca920
svc_run_internal() at svc_run_internal+0xcc9/frame 0xfffffe08629caa60
svc_thread_start() at svc_thread_start+0xb/frame 0xfffffe08629caa70
fork_exit() at fork_exit+0x85/frame 0xfffffe08629caab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe08629caab0
--- trap 0xc, rip = 0x800871c9a, rsp = 0x7fffffffe518, rbp = 0x7fffffffe940 ---

May 25 17:39:19 Host2 current process           = 2001 (nfsd: service)
May 25 17:39:19 Host2 processor eflags  = interrupt enabled, resume, IOPL = 0
May 25 17:39:19 Host2                   = DPL 0, pres 1, long 1, def32 0, gran
1
May 25 17:39:19 Host2 code segment              = base 0x0, limit 0xfffff, type
0x1b
May 25 17:39:19 Host2 frame pointer             = 0x28:0xfffffe08629ca540
May 25 17:39:19 Host2 stack pointer             = 0x28:0xfffffe08629ca4f0
May 25 17:39:19 Host2 instruction pointer       = 0x20:0xffffffff80980668
May 25 17:39:19 Host2 fault code                = supervisor read data, page
not present
May 25 17:39:19 Host2 fault virtual address     = 0x2f0
May 25 17:39:19 Host2 cpuid = 0; apic id = 00
May 25 17:39:19 Host2 Fatal trap 12: page fault while in kernel mode


Build: 
FreeBSD 11.1-STABLE #2 r321665+366f54a78b2(freenas/11.1-stable): Wed Mar 21
23:04:13 UTC 2018
   
root at gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64
amd64
FreeBSD clang version 5.0.0 (tags/RELEASE_500/final 312559) (based on LLVM
5.0.0svn)

--- 

Both machines run FreeNAS 11.1-U4. I don't know whether FreeNAS patches FreeBSD
kernel, but the function seemed like an unusual place to need a patch, and so I
decided to file a bug report here instead of at FreeNAS bug tracker. 

I was doing an 'mv foo bar/' via NFS on Host3 when the crash occurred. Both
'foo' and 'bar' are directories exported by Host2 and mounted as /mnt/foo and
/mnt/bar on Host3. Nothing explicit was being done on Host1. Both serve NFS to
half a dozen clients, all with default options (configured from FreeNAS GUI)
and neither server is under heavy load. All hosts are on the same subnet and
promiscuous mode is disabled on the switch.

The NFS client, Host3, is a Linux box (Linux 4.16.9-1-ARCH #1 SMP PREEMPT Thu
May 17 02:10:09 UTC 2018 x86_64 GNU/Linux). The NFS mount options are the
following: 

rw,relatime,vers=4.1,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.7.7,local_lock=none,addr=10.0.0.24,_netdev

I am unable to reproduce this but if it happens again I'll reboot with a debug
kernel. I don't see how this occurred in two different hosts more or less
simultaneously, given that they've been running without issue for weeks.

-- 
You are receiving this mail because:
You are the assignee for the bug.


More information about the freebsd-bugs mailing list