A customer reported a crash in nfs4_Compound_FreeOne(..). The same crash was seen multiple times. It is happening because "optabv4[opcode].free_res(res);" is used with "opcode=201845504" in nfs4_Compound_FreeOne(..).
(gdb) bt
#0 0x00007f6145c3559b in raise () from /lib64/libpthread.so.0
#1 0x0000000000455a64 in crash_handler (signo=11, info=0x7f60f1f71870, ctx=0x7f60f1f71740) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/MainNFSD/nfs_init.c:225
#2 <signal handler called>
#3 0x0000000000461a4f in nfs4_Compound_FreeOne (res=0x7f5d0c00b750) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/Protocols/NFS/nfs4_Compound.c:873
#4 0x0000000000461b9c in nfs4_Compound_Free (res=0x7f5ce435bde0) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/Protocols/NFS/nfs4_Compound.c:912
#5 0x00000000004f374e in nfs_dupreq_free_dupreq (dv=0x7f5ce42ceda0) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/RPCAL/nfs_dupreq.c:882
#6 0x00000000004f38cd in dupreq_entry_put (dv=0x7f5ce42ceda0) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/RPCAL/nfs_dupreq.c:913
#7 0x00000000004f5369 in nfs_dupreq_finish (req=0x7f5d000e6b18, res_nfs=0x7f5e640084b0) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/RPCAL/nfs_dupreq.c:1270
#8 0x000000000044d5ac in nfs_rpc_execute (reqdata=0x7f5d000e6af0) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/MainNFSD/nfs_worker_thread.c:1375
#9 0x000000000044dbc6 in worker_run (ctx=0x4275f90) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/MainNFSD/nfs_worker_thread.c:1593
#10 0x000000000050c1ab in fridgethr_start_routine (arg=0x4275f90) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/support/fridgethr.c:550
#11 0x00007f6145c2de25 in start_thread () from /lib64/libpthread.so.0
#12 0x00007f61452ecbad in clone () from /lib64/libc.so.6
(gdb) frame 3
#3 0x0000000000461a4f in nfs4_Compound_FreeOne (res=0x7f5d0c00b750) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/Protocols/NFS/nfs4_Compound.c:873
873 optabv4[opcode].free_res(res);
(gdb) p opcode
$47 = 201845504
(gdb) list
871 opcode = (res->resop != NFS4_OP_ILLEGAL)
872 ? res->resop : 0; /* opcode 0 for illegals */
873 optabv4[opcode].free_res(res);
(gdb) frame 4
#4 0x0000000000461b9c in nfs4_Compound_Free (res=0x7f5ce435bde0) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/Protocols/NFS/nfs4_Compound.c:912
912 nfs4_Compound_FreeOne(val);
(gdb) list -
905 for (i = 0; i < res->res_compound4.resarray.resarray_len; i++) {
906 nfs_resop4 *val = &res->res_compound4.resarray.resarray_val[i];
907
908 if (val) {
909 /* !val is an error case, but it can occur, so avoid
910 * indirect on NULL
911 */
(gdb) p i <-- when crash was seen res->res_compound4.resarray.resarray_val[1] was being handled
$50 = 1
(gdb) p res->res_compound4.resarray.resarray_val[0].resop <-- the opcode for previous operation was 0, this doesn't match with the opcode seen in the req argument, does this look strange ?
$51 = 0
(gdb) frame 8
#8 0x000000000044d5ac in nfs_rpc_execute (reqdata=0x7f5d000e6af0) at /usr/src/debug/nfs-ganesha-2.5.3-ibm036.16-0.1.1-Source/MainNFSD/nfs_worker_thread.c:1375
1375 dpq_status = nfs_dupreq_finish(&reqdata->r_u.req.svc, res_nfs);
(gdb) p arg_nfs->arg_compound4.argarray.argarray_val[0].argop
$52 = NFS4_OP_PUTFH
(gdb) p arg_nfs->arg_compound4.argarray.argarray_val[1].argop
$53 = NFS4_OP_GETATTR