Hi,
When rebooting the NFS client while the NFS file system is actively
in use, the kernel crashes. The socket at 0xd73c2d9c is filled with
the free-poison pattern ("dead beef"), so this is a use after free:
the socket was freed during reboot while an NFS request was still
waiting on it. It is an i386 kernel built today.
bluhm
root@ot2:.../~# find /mount >/dev/null & sleep 5; reboot -q
[1] 9698
syncing disks... uvm_fault(0xd72afc7c, 0x1ff11000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at sblock+0x12: movl 0x4(%eax),%eax
ddb{0}> trace
sblock(d73c2d9c,d73c2df0,1) at sblock+0x12
soreceive(d73c2d9c,0,f548d818,f548d884,0,f548d804,0) at soreceive+0x271
nfs_receive(d7471f7c,f548d87c,f548d884) at nfs_receive+0xb1
nfs_reply(d7471f7c) at nfs_reply+0x62
nfs_request(d6d1f3c4,10,f548d970) at nfs_request+0x24d
nfs_readdirrpc(d6d1f3c4,f548d9f8,d7499120,f548d9ec) at nfs_readdirrpc+0x1dc
nfs_readdir(f548dab0) at nfs_readdir+0x227
VOP_READDIR(d6d1f3c4,f548daf8,d7499120,f548daec) at VOP_READDIR+0x42
sys_getdents(d71372dc,f548db68,f548db60) at sys_getdents+0x118
syscall() at syscall+0x204
--- syscall (number 0) ---
end of kernel
0x78ef0480:
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
47525 49437 73751 0 2 0x3 reboot
* 9698 299089 73751 0 7 0x100003 find
73751 193388 1 0 3 0x10008b pause ksh
26295 320696 1 0 3 0x100083 ttyin getty
62718 326479 1 0 3 0x100083 ttyin getty
6755 452271 1 0 3 0x100083 ttyin getty
62489 430851 1 0 3 0x100083 ttyin getty
13303 429205 1 0 3 0x100083 ttyin getty
97097 367369 1 0 3 0x100098 poll cron
38250 509671 1 99 3 0x100090 poll sndiod
367 406650 1 110 3 0x100090 poll sndiod
21810 404127 1 0 3 0x100090 kqread inetd
98071 120936 58301 95 3 0x100092 kqread smtpd
69756 87980 58301 103 3 0x100092 kqread smtpd
36661 383137 58301 95 3 0x100092 kqread smtpd
73070 332826 58301 95 3 0x100092 kqread smtpd
39972 98572 58301 95 3 0x100092 kqread smtpd
79819 455669 58301 95 3 0x100092 kqread smtpd
58301 220916 1 0 3 0x100080 kqread smtpd
45347 311418 1 0 3 0x80 select sshd
69335 244689 0 0 3 0x14200 acct acct
78078 383503 0 0 3 0x14280 nfsidl nfsio
67499 120783 0 0 3 0x14280 nfsidl nfsio
6389 67663 0 0 3 0x14280 nfsidl nfsio
96664 329282 0 0 3 0x14280 nfsidl nfsio
89233 98160 1 0 3 0x100080 poll ntpd
16545 425860 94501 83 3 0x100092 poll ntpd
94501 456716 1 83 3 0x100092 poll ntpd
89114 244638 64496 74 3 0x100092 bpf pflogd
64496 138057 1 0 3 0x80 netio pflogd
33873 3141 2011 73 2 0x100090 syslogd
2011 167758 1 0 3 0x100082 netio syslogd
14968 488435 1 77 3 0x100090 poll dhclient
20238 513767 1 0 3 0x80 poll dhclient
99266 92995 75879 115 3 0x100092 kqread slaacd
12302 94011 75879 115 3 0x100092 kqread slaacd
75879 477107 1 0 3 0x80 kqread slaacd
94668 139960 0 0 3 0x14200 pgzero zerothread
88879 391716 0 0 3 0x14200 aiodoned aiodoned
37996 199474 0 0 3 0x14200 syncer update
52467 413889 0 0 3 0x14200 cleaner cleaner
52168 367270 0 0 3 0x14200 reaper reaper
90849 369485 0 0 3 0x14200 pgdaemon pagedaemon
68700 48024 0 0 3 0x14200 bored crynlk
37778 144411 0 0 3 0x14200 bored crypto
31589 214320 0 0 3 0x14200 usbtsk usbtask
10880 448964 0 0 3 0x14200 usbatsk usbatsk
66170 108418 0 0 3 0x14200 bored sensors
86508 510965 0 0 3 0x40014200 acpi0 acpi0
41740 521514 0 0 7 0x40014200 idle1
42154 396729 0 0 2 0x14200 softnet
65803 465644 0 0 3 0x14200 bored systqmp
33651 52515 0 0 3 0x14200 bored systq
44323 189892 0 0 2 0x40014200 softclock
25032 280029 0 0 3 0x40014200 idle0
4614 206064 0 0 3 0x14200 kmalloc kmthread
1 57612 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper
ddb{0}> x/x 0xd73c2d9c,10
0xd73c2d9c: 1ff118e7
0xd73c2da0: 7814c6e
0xd73c2da4: efff1133
0xd73c2da8: efff1133
0xd73c2dac: efff1133
0xd73c2db0: efff1133
0xd73c2db4: efff1133
0xd73c2db8: efff1133
0xd73c2dbc: efff1133
0xd73c2dc0: efff1133
0xd73c2dc4: efff1133
0xd73c2dc8: efff1133
0xd73c2dcc: efff1133
0xd73c2dd0: efff1133
0xd73c2dd4: efff1133
0xd73c2dd8: efff1133
ddb{0}> x/s version
version: OpenBSD 6.3-beta (GENERIC.MP) #2: Thu Mar 8 21:02:29 CET 2018\012 [email protected]:/usr/src/sys/arch/i386/compile/GENERIC.MP\012