freebsd-skq/sys/nfsclient
Bill Paul de38397ecf Fix a condition where nfs_statfs() can precipitate a panic. There is
code that says this:

        nfsm_request(vp, NFSPROC_FSSTAT, p, cred);
        if (v3)
                nfsm_postop_attr(vp, retattr);
        if (!error)
                nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));

The problem here is that if error != 0, nfsm_dissect() will not be
called, which leaves sfp == NULL. But nfs_statfs() does not bail out
at this point: it continues processing until it tries to dereference
sfp, which causes a panic. I was able to generate this crash under
the following conditions:

1) Set up a machine as an NFS server and NFS client, with amd running
   (using NIS maps). /usr/local is exported, though any exported fs
   can be used to trigger the bug.
2) Log in as normal user, with home directory mounted from a SunOS 4.1.3
   NFS server via amd (along with a few other NFS filesystems from same
   machine).
3) Su to root and type the following:
   # mount localhost:/usr/local /mnt
   # df

To fix the panic, I changed the code to read:

        if (!error) {
                nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));
        } else
                goto nfsmout;

This is a bit kludgy in that nfsmout is a label defined by the nfsm_subs.h
macros, but these macros are themselves more than a little kludgy. This
stops the machine from crashing, but does not fix the overall bug: 'error'
somehow becomes 5 (EIO) when a statfs() is performed on the locally mounted
NFS filesystem. This seems to only happen the first time the filesystem
is accessed: on subsequent accesses, it seems to work fine again.

Now, I know there's no practical use in mounting a local filesystem
via NFS, but doing it shouldn't cause the system to melt down.
1997-06-27 19:10:46 +00:00
bootp_subr.c Move commonly used code into static functions in order to reduce kernel bloat. 1997-06-12 14:08:20 +00:00
krpc_subr.c Remove unused routines. 1997-06-12 14:03:16 +00:00
krpc.h Remove unused routines. 1997-06-12 14:03:16 +00:00
nfs_bio.c Avoid small synchronous writes when an application does lots of random-access 1997-06-25 08:35:41 +00:00
nfs_nfsiod.c Clear nfs_iodwant[myiod] when the nfsiod process exits due to a signal. 1997-06-25 21:07:26 +00:00
nfs_node.c Fix memory leak caused by the fact that the directory offset cookies and 1997-05-09 13:04:43 +00:00
nfs_socket.c Various fixes from NetBSD: 1997-06-03 17:22:47 +00:00
nfs_subs.c Fix various bugs in the locking protocol, allowing proper shared locks 1997-04-04 17:49:35 +00:00
nfs_vfsops.c Fix a condition where nfs_statfs() can precipitate a panic. There is 1997-06-27 19:10:46 +00:00
nfs_vnops.c Make nfs_lookup return a NULLVP on error so that DIAGNOSTIC kernels don't 1997-06-25 08:32:33 +00:00
nfs.h Various fixes from NetBSD: 1997-06-03 17:22:47 +00:00
nfsargs.h Various fixes from NetBSD: 1997-06-03 17:22:47 +00:00
nfsdiskless.h Use the old nfs arguments in the nfs_diskless structure, to be 1997-05-12 19:02:56 +00:00
nfsm_subs.h
nfsmount.h Fix a nasty hang connected with write gathering. Also add debug print 1997-05-10 16:12:03 +00:00
nfsnode.h Fix a few bugs with NFS and mmap caused by NFS' use of b_validoff 1997-05-19 14:36:56 +00:00
nfsstats.h Various fixes from NetBSD: 1997-06-03 17:22:47 +00:00