From owner-freebsd-current  Mon Jun 14 21:21:45 1999
Delivered-To: freebsd-current@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2])
	by hub.freebsd.org (Postfix) with ESMTP id A524414DAE
	for ; Mon, 14 Jun 1999 21:21:43 -0700 (PDT)
	(envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.9.3/8.9.1) id VAA14439;
	Mon, 14 Jun 1999 21:21:43 -0700 (PDT)
	(envelope-from dillon)
Date: Mon, 14 Jun 1999 21:21:43 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199906150421.VAA14439@apollo.backplane.com>
To: "David E. Cross", David Scheidt, Chan Yiu Wah, freebsd-current@FreeBSD.ORG
Subject: NFS vnode reference issues on server
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:> Ack, you may have opened up a can of worms here.  I don't even think
:> that nfs_namei() does the right thing when it returns an error... it
:> doesn't look like it clears the ndp->ni_vp either in some error cases.
:>
:> We are going to have to instrument the code - basically means NULLing
:> out ni_vp and any local vnode pointer when the vnode in question is
:> released so we can keep track of it and putting KASSERT()s in strategic
:> places.  nfs_namei() in nfs/nfs_subs.c and just about all the subroutines
:> defined in nfs/nfs_serv.c.
:
:OK, you hijacked my thread ... OK, I've done worse, but please, could
:you change the subject line?  We *do* still have a ctm outage here, it's
:clearing up (I hope) but I want feedback, and you've prevented it.

    Oops, didn't even notice.  Fixed.

    Ok, something for people following the code to look over if they
    have the time.  This in nfs_subs.c, nfs_namei().

    Question:  ndp->ni_vp is non-NULL and appears to be referenced as of
    the time a badlink occurs, linklen is 0, or the link is too long.  Do
    we have to release ndp->ni_vp and NULL it out in this case?  I believe
    so.

nfs_namei(...)
{
    ...
                if (error) {
                badlink:
>>>>>>>>>>              release/NULL ndp->ni_vp ???  <<<<<<<<<
                        if (ndp->ni_pathlen > 1)
                                zfree(namei_zone, cp);
                        break;
                }
                linklen = MAXPATHLEN - auio.uio_resid;
                if (linklen == 0) {
                        error = ENOENT;
                        goto badlink;
                }
                if (linklen + ndp->ni_pathlen >= MAXPATHLEN) {
                        error = ENAMETOOLONG;
                        goto badlink;
                }

					-Matt
					Matthew Dillon
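
The release-and-NULL question above, modelled in user space as an added example; this is not FreeBSD code and not from the original post. The structs, MODEL_MAXPATHLEN, vrele_and_null(), follow_link_model() and lookup_is_balanced() are hypothetical stand-ins, and assert() plays the role of KASSERT().

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>

/* Hypothetical user-space stand-ins for the kernel's vnode and nameidata. */
struct vnode { int v_usecount; };
struct nameidata { struct vnode *ni_vp; size_t ni_pathlen; };
#define MODEL_MAXPATHLEN 1024   /* constructed limit for this model */

/* Drop the reference and clear the holder's pointer in one step, so a
 * stale pointer cannot be released twice or used after release. */
static void vrele_and_null(struct vnode **vpp)
{
    if (*vpp == NULL)
        return;
    assert((*vpp)->v_usecount > 0);   /* stands in for KASSERT() */
    (*vpp)->v_usecount--;
    *vpp = NULL;
}

/* Model of the symlink step: ni_vp is referenced when linklen is checked.
 * Returns 0 with ni_vp still referenced, or an errno with it released. */
int follow_link_model(struct nameidata *ndp, struct vnode *link, size_t linklen)
{
    int error;
    ndp->ni_vp = link;
    ndp->ni_vp->v_usecount++;         /* reference taken by the lookup */
    if (linklen == 0) {
        error = ENOENT;
        goto badlink;
    }
    if (linklen + ndp->ni_pathlen >= MODEL_MAXPATHLEN) {
        error = ENAMETOOLONG;
        goto badlink;
    }
    return 0;
badlink:
    vrele_and_null(&ndp->ni_vp);      /* the release the post asks about */
    return error;
}

/* Caller-side invariant: after any outcome, no pointer or reference leaks. */
int lookup_is_balanced(size_t pathlen, size_t linklen)
{
    struct vnode v = { 0 };
    struct nameidata nd = { NULL, pathlen };
    int error = follow_link_model(&nd, &v, linklen);
    if (error == 0)
        vrele_and_null(&nd.ni_vp);    /* success: the caller owns the ref */
    return (nd.ni_vp == NULL && v.v_usecount == 0) ? error : -1;
}
```

Removing the vrele_and_null() call under badlink makes lookup_is_balanced() return -1 for both error cases, which is the leaked reference the post is asking about.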