Date: Mon, 8 Sep 1997 22:29:07 -0400 (EDT)
From: Serge Pashenkov <serge@jbj.org>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: kern/4501: df on a stale file system panics
Message-ID: <199709090229.WAA04878@serge.jbj.org>
Resent-Message-ID: <199709090230.TAA25756@hub.freebsd.org>

>Number: 4501
>Category: kern
>Synopsis: df on a stale file system panics
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Sep 8 19:30:01 PDT 1997
>Last-Modified:
>Originator: Serge Pashenkov
>Organization:
>Release: FreeBSD 2.2-STABLE i386
>Environment:

2.2 stable circa Sep 8

>Description:

On a server export something like /mnt with something mounted there (floppy would be just fine), mount it on 2.2 stable client, unmount /mnt on the server. Now, simple df panics the client.

>How-To-Repeat:

see description.

>Fix:

nfs_statfs() does not parse the packet quite right in case of a stale file handle. Local variable register struct nfs_statfs *sfp; is assigned 0 and never reassigned the real value, but still gets used as a pointer later. I'm not sure how to really fix the problem for I don't quite grok nfsm_ macros, but following is a prop which just checks for 0 value of sfp. It fixes the panic, and actually I see no problems with that, but probably the right fix is in the nfsm_ ...

RCS file: /spare/ncvs/src/sys/nfs/nfs_vfsops.c,v retrieving revision 1.30.2.4 diff -c -r1.30.2.4 nfs_vfsops.c *** nfs_vfsops.c 1997/05/14 08:19:29 1.30.2.4 --- nfs_vfsops.c 1997/09/02 13:49:13 *************** *** 245,250 **** --- 245,256 ---- nfsm_postop_attr(vp, retattr); if (!error) nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3)); + + if (sfp == NULL) { + error = ESTALE; + goto nfsmout; + } + #ifdef __NetBSD__ #ifdef COMPAT_09 sbp->f_type = 2;

>Audit-Trail:
>Unformatted:
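
Review bot: The added "if (sfp == NULL)" block assigns error = ESTALE unconditionally, which overwrites an error that is already set. In the context lines just above it, the visible path on which sfp keeps its initial 0 is the one where "if (!error)" skips nfsm_dissect(), so error is non-zero by the time this check runs and its original value is lost to the caller. Suggest bailing out on the existing code instead, for example "if (error) goto nfsmout;" directly after the nfsm_postop_attr() line, or assigning ESTALE only when error is still 0. A short comment saying why sfp can be NULL at this point would also help, since the report itself says the underlying cause is probably in the nfsm_ macros.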