From: Damon Anton Permezel
Reply-To: Damon Anton Permezel
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: dap@damon.com
Date: Mon, 3 Jun 2002 15:31:08 -0500 (CDT)
Message-Id: <200206032031.g53KV8U5030907@damon.com>
Subject: kern/38872: nfs code ignores possibility of MGET(M_WAIT) failure

>Number:         38872
>Category:       kern
>Synopsis:       nfs code ignores possibility of MGET(M_WAIT) failure
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 03 13:40:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Damon Anton Permezel
>Release:        FreeBSD 4.6-RC i386
>Organization:
>Environment:
System: FreeBSD damon.com 4.6-RC FreeBSD 4.6-RC #0: Sun Jun 2 13:52:20 CDT 2002 dap@damon.com:/usr/obj/usr/src/sys/GENERIC i386
>Description:
When the system runs out of mbufs, NFS access can cause a fault due to a NULL mbuf pointer being dereferenced.
>How-To-Repeat:
Run out of mbufs. Use NFS.
>Fix:
Grep for all calls to MGET.*M_WAIT in the kernel, paying attention to the NFS code, and fix it so that it handles the NULL return case.

As an example, I keep running into:

    (kgdb) where
    #0  nfsm_reqh (vp=0xc8b85180, procid=0x4, hsiz=0x48, bposp=0xc8e5ebec) at /usr/src/sys/nfs/nfs_subs.c:594
    #1  0xc01e1a4d in nfs3_access_otw (vp=0xc8b85180, wmode=0x3f, p=0xc8dffbe0, cred=0xc0d57200) at /usr/src/sys/nfs/nfs_vnops.c:292
    #2  0xc01e1f6f in nfs_access (ap=0xc8e5ecc4) at /usr/src/sys/nfs/nfs_vnops.c:392
    #3  0xc01e4213 in nfs_lookup (ap=0xc8e5ed70) at vnode_if.h:247
    #4  0xc018a099 in lookup (ndp=0xc8e5eec8) at vnode_if.h:52
    #5  0xc0189b94 in namei (ndp=0xc8e5eec8) at /usr/src/sys/kern/vfs_lookup.c:153
    #6  0xc01925a7 in vn_open (ndp=0xc8e5eec8, fmode=0x1, cmode=0x54c) at /usr/src/sys/kern/vfs_vnops.c:138
    #7  0xc018e6b0 in open (p=0xc8dffbe0, uap=0xc8e5ef80) at /usr/src/sys/kern/vfs_syscalls.c:1028
    #8  0xc02416a1 in syscall2 (frame={tf_fs = 0x2f, tf_es = 0x2f, tf_ds = 0x2f, tf_edi = 0x8185170, tf_esi = 0x105, tf_ebp = 0xbfbff75c, tf_isp = 0xc8e5efd4, tf_ebx = 0x0, tf_edx = 0x105, tf_ecx = 0x81ac844, tf_eax = 0x5, tf_trapno = 0x16, tf_err = 0x2, tf_eip = 0x282564e4, tf_cs = 0x1f, tf_eflags = 0x283, tf_esp = 0xbfbff720, tf_ss = 0x2f}) at /usr/src/sys/i386/i386/trap.c:1167

The code at nfs_subs.c:594 is:

    MGET(mb, M_WAIT, MT_DATA);
    if (hsiz >= MINCLSIZE)
        MCLGET(mb, M_WAIT);
    mb->m_len = 0;

where `mb' is NULL and mmbfree is NULL.

The function m_mballoc_wait() will only wait for mbuf_wait/hz seconds. This is a bit of a shock to me, as M_WAIT used to mean wait for the mbuf, not pause a bit and hope. Anyway, given that this is the current FreeBSD implementation, the NFS code should handle it.
>Release-Note:
>Audit-Trail:
>Unformatted:
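A checked form of the nfsm_reqh() prologue quoted in the report, as an added userland example that is not part of this PR or of the FreeBSD source. The kernel macros MGET/MCLGET and the mbuf pools are replaced by small stand-ins (mget_wait, mclget_wait, reset_pools and the MINCLSIZE value are constructed for the example); the point is that both a NULL mbuf from MGET and a missing M_EXT after MCLGET are turned into an ENOBUFS return instead of a dereference.

```c
#include <errno.h>
#include <stdlib.h>

/* Minimal stand-in for the kernel mbuf; field names follow the kernel, values are constructed. */
#define M_EXT      0x0001
#define MINCLSIZE  213   /* placeholder for the kernel's cluster threshold */

struct mbuf {
    int   m_len;
    int   m_flags;
    void *m_ext_buf;
};

/* Simulated pool state: how many mbufs and clusters remain before exhaustion. */
static int mbufs_left, clusters_left;

void reset_pools(int mbufs, int clusters) { mbufs_left = mbufs; clusters_left = clusters; }

/* Stand-in for MGET(mb, M_WAIT, MT_DATA): the bounded wait can give up and return NULL. */
static struct mbuf *mget_wait(void) {
    if (mbufs_left <= 0) return NULL;
    mbufs_left--;
    return calloc(1, sizeof(struct mbuf));
}

/* Stand-in for MCLGET(mb, M_WAIT): on failure the mbuf survives but M_EXT stays clear. */
static void mclget_wait(struct mbuf *m) {
    if (clusters_left <= 0) return;
    clusters_left--;
    m->m_ext_buf = malloc(2048);
    m->m_flags |= M_EXT;
}

/* Hardened version of the prologue from nfsm_reqh(): every allocation result is
 * checked and pool exhaustion is returned as ENOBUFS instead of crashing on NULL. */
int nfsm_reqh_checked(int hsiz, struct mbuf **mbp) {
    struct mbuf *mb = mget_wait();
    if (mb == NULL)
        return ENOBUFS;                   /* the case the report's trace hits */
    if (hsiz >= MINCLSIZE) {
        mclget_wait(mb);
        if ((mb->m_flags & M_EXT) == 0) { /* cluster pool exhausted too */
            free(mb);
            return ENOBUFS;
        }
    }
    mb->m_len = 0;
    *mbp = mb;
    return 0;
}
```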